Variables created using setvar in ModSecurity rules are being automatically deleted after 1 minute, even without explicitly setting expirevar. This occurs when trying to implement custom rules for login attempt tracking without using CRS.
Steps to reproduce
Use the official OWASP ModSecurity CRS Docker image (owasp/modsecurity-crs:4.7.0-nginx-202410090410)
Override /etc/nginx/templates/modsecurity.d/setup.conf.template with custom configuration:
Comment out CRS includes:
# Include /etc/modsecurity.d/owasp-crs/crs-setup.conf
# Include /etc/modsecurity.d/owasp-crs/rules/*.conf
Add custom rule file:
Include /opt/on_pre_llm/extra_lockout_rule.conf
Implement custom rule for tracking login attempts:
Expected behaviour
IP.failed_attempts and IP.is_locked variables should persist indefinitely until explicitly cleared
Actual behaviour
... expirevar is explicitly set in the rules
Additional context
Your Environment
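A minimal lockout rule set of the kind the reproduction steps describe, added here as an illustration. It is not the reporter's rule file, which is not shown on this page. The /login path, the 401 status, the threshold of 5, the 429 response and the rule ids are assumptions; only the IP.failed_attempts and IP.is_locked names come from the report. The logdata fields are there so the log shows the stored counter on each request, which makes it visible when a value disappears.

```apache
# Added example, not the reporter's configuration.
# Assumed: login endpoint /login, failed login answered with HTTP 401,
# lockout threshold of 5, rule ids 100000-100003.

SecRuleEngine On

# Bind the persistent IP collection to the client address for this transaction.
SecAction \
    "id:100000,phase:1,pass,nolog,\
    initcol:ip=%{REMOTE_ADDR}"

# Refuse further requests from a client that is already flagged as locked.
SecRule IP:is_locked "@eq 1" \
    "id:100001,phase:1,deny,status:429,log,\
    msg:'Client locked out after repeated failed logins',\
    logdata:'failed_attempts=%{ip.failed_attempts}'"

# Count a failed login: POST to the login path answered with 401.
# setvar sits on the last link so it only runs when the whole chain matches.
SecRule REQUEST_URI "@streq /login" \
    "id:100002,phase:3,pass,log,\
    msg:'Failed login counted',\
    logdata:'failed_attempts=%{ip.failed_attempts}',\
    chain"
    SecRule REQUEST_METHOD "@streq POST" "chain"
        SecRule RESPONSE_STATUS "@streq 401" \
            "setvar:ip.failed_attempts=+1"

# Flag the client once the counter reaches the threshold.
# No expirevar is set on either variable in this rule set.
SecRule IP:failed_attempts "@ge 5" \
    "id:100003,phase:3,pass,log,\
    msg:'Lockout threshold reached',\
    setvar:ip.is_locked=1"
```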