ModSecurity-apache

Future plans?

Open sorin-costea opened this issue 3 years ago • 5 comments

Now that the last functional commit is years back and the few pull requests are just hanging, does this mean the Apache v3 port has fallen out of grace? Is everybody using nginx?

sorin-costea, Mar 24 '21 13:03

I've come to the conclusion that ModSecurity-Apache isn't ready for production use. Its behaviour is different to ModSecurity 2.9.3 and seems to not work 100% yet. I feel like https://github.com/SpiderLabs/ModSecurity-apache/issues/77#issuecomment-714460096 sums it up perfectly: it's not ready for a release, no matter how many guides on the internet seem to suggest it is. I look forward to development continuing and a stable release being made in the future; for now, I'm stuck with ModSecurity 2.9.3 if I want to use it with Apache.

timwsuqld, Jun 01 '21 02:06

Yes, me too. In fact, I am stuck with many false positives on v2.9.3 and suffering through debugging. In 3 years, I cannot tell the status of ModSecurity v3 on Apache: ongoing, hibernating or discontinued? I assume it was discontinued :( I am close to giving up on ModSecurity :(

Neko-Chang-Taiwan, Jun 07 '21 06:06

Apologies to those in the community feeling vexed about slow/no responses in this repo's issues. (Personally, since joining the team, it simply didn't occur to me to register for notifications for this repo.)

The citation in the second posting here is accurate. ModSecurity-Apache is not considered production-ready. Much of the functionality works correctly but enough does not, so v2.9.x is still the recommended choice for use with Apache HTTP Server.

Note that just because ModSecurity v2.9.x has a lower number does not mean that it is less good than libModSecurity (aka v3).

@Neko-Chang-Taiwan: I'm not sure what problems you are experiencing with v2.9. I couldn't find any open issues in the ModSecurity issue. Keep in mind that many types of false positives have more to do with the rules you are using as opposed to what the engine is doing. If there is something the ModSecurity engine is doing that you believe is incorrect, or you believe could benefit from an enhancement, feel free to raise it on the ModSecurity repo.

martinhsv, Aug 12 '21 20:08

It's been a while since the last update on this project and the note says it's not ready for production use. Do you know if there are any plans for a production release?

iplparm, Sep 13 '23 14:09

@iplparm,

There are no current plans for additional work on this connector over the coming months.

The recommended version for use with Apache continues to be ModSecurity v2.9.x.

martinhsv, Sep 20 '23 15:09