Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 726614 - www-servers/nginx - Use modsecurity v3 to drop dependency on Apache
Summary: www-servers/nginx - Use modsecurity v3 to drop dependency on Apache
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Thomas Deutschmann
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-01 07:57 UTC by Sven Schwyn (svoop)
Modified: 2020-06-28 19:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sven Schwyn (svoop) 2020-06-01 07:57:57 UTC
When installing Nginx with USE flag "security", the old modsecurity is emerged which requires a full install of Apache in order to fulfill dependencies.

However, there's an Apache-independent new version dubbed modescurity v3 available now from the same makers. This is taken from the README:

> The old version uses ModSecurity standalone, which is a wrapper for Apache
> internals to link ModSecurity to nginx. This current version is closer to
> nginx, consuming the new libmodsecurity which is no longer dependent on 
> Apache. As a result, this current version has less dependencies, fewer bugs, 
> and is faster. In addition, some new functionality is also provided - such 
> as the possibility of use of global rules configuration with per 
> directory/location customizations (e.g. SecRuleRemoveById).

https://github.com/SpiderLabs/ModSecurity-nginx

A hard switch would break existing installs, maybe better to either:

* Introduce a new USE flag such as "security_standalone" for modsecurity v3.
* Migrate the current USE flag to "security_legacy" for modsecurity <v3.


Reproducible: Always