ModSecurity-apache icon indicating copy to clipboard operation
ModSecurity-apache copied to clipboard

Published 20 hours ago verified publisher icon owasp-modsecurity

Plans for production readyness?

Open friesoft opened this issue 1 year ago • 1 comments
trafficstars

Hi,

as modsecurity is now an OWASP project: are there any plans for ongoing/improved modsecurity apache httpd support?

Will you continue to support modsecurity 2 or will this Modsecurity-apache module be developed for production readyness in combination with modsecurity 3?

Thanks!

friesoft avatar Jan 31 '24 15:01 friesoft

Thanks for writing in.

We are working based on a preliminary project plan developed in Dec 2023 and Jan 2024.

The project plan proposes to keep v2 productive and supported at least on the short- to mid-term level. Long-term perspective is up to the new community to decide.

Stabilizing the v3 Apache connector is a high priority for the new devs. In fact there are more problems than only an Apache connector for v3, but it's probably one of the biggest ones.

If you are interested to be part of this adventure, then please join our Slack: It's channel #project-modsecurity on the OWASP Slack.

dune73 avatar Feb 02 '24 15:02 dune73

Is there any update on this?

The GitHub repo itself gives me the impression that apache2 support is not receiving any attention and if you want to use V3 with recent rules you are required to switch to NGiNX? I personally don't mind, but I have some projects where I have to convince people then to switch to NGiNX :)

RBloemers avatar Sep 17 '25 19:09 RBloemers

Hi @RBloemers,

Is there any update on this?

unfortunately no, nothing.

if you want to use V3 with recent rules you are required to switch to NGiNX?

we can say yes, but let me ask this question from a different aspect: do you want to use ModSecurity V3 or do you want to use ModSecurity WAF?

We try to maintain both versions: mod_security2 for Apache and libmodsecurity3 with Nginx connector. Everyone can decide which HTTP server need for their goal, and can choose any of them.

When we (OWASP) started maintaining the project, we agreed that finishing the Apache connector is important, but not a priority. In the meantime, we agreed to take care of both engines. Therefore we still care them, including security issues and fixes, new features and bugs. This year (2025) we released 4 versions of mod_security2 Apache module, and (only) one version of libmodsecurity (but the year is not ended yet :)).

but I have some projects where I have to convince people then to switch to NGiNX :)

Please don't do that - convince them to use mod_security2. The plan was that if we finish the Apache connector for libmodsecurity3, then we finish the support of mod_security2. Until that the support is provided.

BTW: I use both of them (in production environment) :).

airween avatar Sep 18 '25 08:09 airween