owasp-modsecurity / ModSecurity-apache

ModSecurity v3 Apache Connector
Apache License 2.0

Debianization #58

Closed szepeviktor closed 4 years ago

szepeviktor commented 5 years ago

Hello!

Do you know something about packaging for Debian? AFAIK only v2 is packaged, although lib v3 is available, but that cannot be used directly in Apache 2.4.x. Thanks.

szepeviktor commented 5 years ago

@inittab Could you help?

inittab commented 5 years ago

Hi, either @airween or myself will eventually look at it, yes. Since Debian Buster is frozen now and no new packages will make it past testing, I'm taking a break on packaging new stuff. Regards, Alberto

airween commented 5 years ago

The Apache connector is not production ready, please do not use it.

zimmerle commented 5 years ago

@airween is correct. Please do not generate a package for it, as it is not yet ready for production. That may lead the user to think that it is ready, and it is not.

airween commented 5 years ago

@szepeviktor, @inittab note that there is a package-ready Nginx version:

https://salsa.debian.org/airween-guest/nginx/tree/modsecurity

and I've asked the Nginx maintainers to add this patch, but no answer for 3 months... :(

ericloveacp commented 5 years ago

When will the modsecurity-apache connector be ready for production? I was able to do this build on Ubuntu 16.04 as follows with no problem:

This downloads the ModSecurity-apache connector into the /opt directory from the GitHub repo at https://github.com/SpiderLabs/ModSecurity-apache. The ModSecurity-apache connector will be built after apache2 is configured to use the connector.

```
cd /opt && \
git clone https://github.com/SpiderLabs/ModSecurity-apache.git
```

Configure Apache2 to use the ModSecurity-apache connector.

```
cd /opt/httpd-2.4.39 && \
./configure --with-libmodsecurity=/opt/ModSecurity-apache \
  --enable-cgi \
  --enable-info \
  --enable-speling \
  --enable-usertrack \
  --enable-deflate \
  --enable-ssl \
  --enable-proxy \
  --enable-proxy-connect \
  --enable-proxy-ftp \
  --enable-expires \
  --enable-headers \
  --enable-proxy-http \
  --enable-rewrite \
  --enable-so \
  --enable-proxy-balancer \
  --with-included-apr
```

Build Apache2 with the ModSecurity-apache connector.

```
sh /opt/ModSecurity-apache/autogen.sh && \
cd /opt/httpd-2.4.39 && \
./configure && \
make && make install
```

szepeviktor commented 5 years ago

@ericloveacp Could you enclose your output in triple backticks (```)? It will look nice.

airween commented 5 years ago

> When will the modsecurity-apache connector be ready for production?

sorry, don't know :)

> I was able to do this build on Ubuntu 16.04 as follows with no problem:

yes, but after this:

```
sh /opt/ModSecurity-apache/autogen.sh && cd /opt/httpd-2.4.39 && ./configure && make && make install
```

type: make test

and - perhaps - you can see the problem (I don't know which commits are in the master branch).

The request body handling isn't completed yet.
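The build steps ericloveacp posted, plus the `make test` step airween asks for, written up as one reproducible script with the test run used as a gate before `make install`. This is an added example, not the project's own build script and not code from either commenter. It assumes (constructed for this example) that sources live under /opt, that httpd 2.4.39 is already unpacked there, and it reuses the configure flags from the thread verbatim; `configure_flags`, `fetch_connector`, `build_httpd` and `gate_install` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: reproducible build of httpd with the ModSecurity-apache
# connector, gated on `make test`. Not the project's own script; paths and
# helper names are assumptions constructed for this example.
set -eu

WORK_DIR="${WORK_DIR:-/opt}"
HTTPD_SRC="${HTTPD_SRC:-$WORK_DIR/httpd-2.4.39}"
CONNECTOR_SRC="${CONNECTOR_SRC:-$WORK_DIR/ModSecurity-apache}"
CONNECTOR_REPO="https://github.com/SpiderLabs/ModSecurity-apache.git"

# The configure flags from the thread, one per line (none contains spaces,
# so the caller may word-split them).
configure_flags() {
  printf '%s\n' \
    "--with-libmodsecurity=$CONNECTOR_SRC" \
    --enable-cgi --enable-info --enable-speling --enable-usertrack \
    --enable-deflate --enable-ssl --enable-proxy --enable-proxy-connect \
    --enable-proxy-ftp --enable-expires --enable-headers --enable-proxy-http \
    --enable-rewrite --enable-so --enable-proxy-balancer \
    --with-included-apr
}

# Clone on the first run; afterwards fast-forward to upstream, so re-running
# the script picks up upstream fixes.
fetch_connector() {
  if [ -d "$CONNECTOR_SRC/.git" ]; then
    git -C "$CONNECTOR_SRC" pull --ff-only
  else
    git clone "$CONNECTOR_REPO" "$CONNECTOR_SRC"
  fi
}

# autogen, configure and make, as in the thread; flags are word-split on purpose.
build_httpd() {
  sh "$CONNECTOR_SRC/autogen.sh"
  # shellcheck disable=SC2046
  ( cd "$HTTPD_SRC" && ./configure $(configure_flags) && make )
}

# Gate: run the test command and run the install command only if it passes.
# A "ModSecurity-Apache ... configured" notice in error_log only shows the
# module loaded; the test suite is what shows whether it handles requests.
gate_install() {  # usage: gate_install "<test command>" "<install command>"
  if sh -c "$1"; then
    sh -c "$2"
  else
    echo "tests failed; refusing to install" >&2
    return 1
  fi
}

main() {
  fetch_connector
  build_httpd
  gate_install "cd '$HTTPD_SRC' && make test" "cd '$HTTPD_SRC' && make install"
}

# Only do the real work when invoked with --run, so the file can also be
# sourced to reuse the helpers.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sh build-modsec-httpd.sh --run`; a failing `make test` leaves the previously installed httpd untouched, which is the point of the gate.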

ericloveacp commented 5 years ago

I performed the make test when I did the build. I did not see any errors. But when I build another dev environment, I will run the test and put the output here. But I can see the modsecurity-apache connector running, and the version in the logs after restarting apache, as follows:

```
grep ModSecurity-Apache error_log
[Thu Jun 27 11:58:49.123977 2019] [:notice] [pid 31980:tid 139632326576000] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.
[Thu Jun 27 12:00:32.535170 2019] [:notice] [pid 32087:tid 140393527097216] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.
[Fri Jun 28 11:14:23.538484 2019] [:notice] [pid 12685:tid 140345924384640] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.
[Fri Jun 28 11:42:58.240207 2019] [:notice] [pid 13061:tid 140414344103808] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.
[Fri Jun 28 13:14:04.382257 2019] [:notice] [pid 14411:tid 139807209174912] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.
[Fri Jun 28 13:16:49.681327 2019] [:notice] [pid 14532:tid 140411336214400] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.
[Mon Jul 01 14:49:10.265871 2019] [:notice] [pid 21486:tid 140149394323328] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.
```

It would be nice to get an eta on when the modsecurity-apache connector will be ready for production. A lot of us want to take advantage of using ModSecurity v3 (libmodsecurity) for apache2. Can't really do this without the modsecurity-apache connector.

zimmerle commented 5 years ago

The apache connector is still experimental. We are currently short in effort to make it production-ready.

airween commented 5 years ago

Hi @ericloveacp, yes, the code builds successfully, and everything works as well - seemingly. But when you start to run the tests (e.g. the CRS tests - here), then you will see the errors. And some errors are caused by the Apache connector (wrong request handling), not by libmodsecurity3.

Here is the last version of the code; I think this contains the fewest errors (fewer than the other versions :)). With this version, most of the CRS regression tests will pass, but the connector's own tests will fail.

Please note that it doesn't matter what you see in the Apache logs (above); that's far from the real state.

zimmerle commented 5 years ago

Important to mention that the link posted by @airween is not the latest version of this project, but the latest version of what he is working with. The code for this project is not in the state to be put in production.

airween commented 5 years ago

> Important to mention that the link posted by @airween is not the latest version of this project, but the latest version of what he is working with. The code for this project is not in the state to be put in production.

Sure, of course - sorry for the ambiguous post :)

ericloveacp commented 5 years ago

Ok, I understand. But the updated ModSecurity v3 (libmodsecurity), along with using it with different connectors, is evolutionary and a game changer. I've been waiting for something like this for a very long time. It would be nice to put some resources behind the modsecurity-apache connector, since the majority of us are using apache2.

zimmerle commented 5 years ago

@ericloveacp without a doubt. Thank you for recognizing the work that we have been doing atop libModSecurity; I appreciate it. I wish we had the effort to make this project happen. However, as of now, we do not. At least, not to deliver with the excellent quality that our users deserve.

ericloveacp commented 5 years ago

Many thanks to you and the team!!!! The work that you all are doing is desperately needed more than ever before. I guess I have no other choice but to revert to an older version of ModSecurity until I am able to use ModSecurity v3 with the modsecurity-apache connector. But the wait is well worth it. Hopefully we get this sooner rather than later. :)

HOSTED-POWER commented 5 years ago

Any chance Debian packages for nginx could be made available? :) We'd like to use v3 with nginx, but cannot find it in the default repo. Extending it with a custom compile isn't very update-proof, as far as I remember from previous tests.

zimmerle commented 5 years ago

Hi, @HOSTED-POWER

Unfortunately, we don't have the necessary effort to maintain packages for any distribution. But the v3 library is already available on Debian. With the library installed, you need the nginx connector.

HOSTED-POWER commented 5 years ago

I see it, but why don't they maintain the nginx one as well there? That would be perfect :/

Is it hard to get it into their repo? Never tried it, but it's something we could put some effort into otherwise :)

airween commented 5 years ago

Note: I'm a Debian Maintainer, and I tried to add the ModSecurity3 module to Debian's nginx, but I never got any answer from the developer. That was in December of 2018, and there was another try from @moschlar here, but as far as I know he also didn't get any answer.

Also note that here is a not-up-to-date repository: https://salsa.debian.org/airween-guest/nginx/tree/modsecurity

which can help guide you on how to build your own package. Before you start, please upgrade all components.

Summary: it's not clear what Debian's position on the nginx modules is: whether they would be part of some package(s), e.g. nginx-extra, or all extra modules will be unique modules, e.g. libnginx-mod-security3.

HOSTED-POWER commented 5 years ago

Wow, that would be terrific; we've been wanting this modsec nginx module supported on Debian for ages.

Anything we can do to get this going? :)

HOSTED-POWER commented 5 years ago

Any update perhaps? Something we could help with somehow?

airween commented 5 years ago

I'm afraid you (and me) can't help :).

I think the best thing you can do now is just prepare a package for yourself, and distribute it on your servers.

HOSTED-POWER commented 4 years ago

@airween why can't you help?

Just asking to understand: is there no way to get it into the Debian packages now? It would have been so great to support it out of the box :| :)

airween commented 4 years ago

> is there no way to get it into the debian packages now?

No, there isn't - for now. Debian has very strict restrictions on how to add a new package into the system. These restrictions do not allow us to put a new package or component into the released versions; only bugfixes are allowed.

If we could make the package now, then it would be part of the Sid (Still In Development) version, and a bit later the testing (Debian Bullseye - the next stable) version, and when that freezes and is released as stable (like Debian Buster now), then (and only then) could you install it. But then you would only get the upstream version current at that time. The next version of ModSecurity or the Nginx connector will be available in the next Debian version, and so on...

I think if you're using ModSecurity and Nginx in a self-managed production environment, then the best choice is to make your own build system (with a good testing framework), fetch the updates from the upstream repositories (ModSecurity and Nginx) regularly, and keep all of your components up to date.

HOSTED-POWER commented 4 years ago

I was expecting something like that, and indeed that's pretty logical if you think about it. Thanks a lot for all the explanations!!

Maybe we need to get it into the future versions indeed, before it's too late :)

(In the meantime I think we will indeed create some packages for ourselves)

szepeviktor commented 4 years ago

> Debian has a very strict restrictions

I do love Debian policies.

Many packages use the -backports mechanism for new versions. e.g. https://packages.debian.org/buster-backports/iptables-persistent

airween commented 4 years ago

Yes, I know the -backports solution, but the adoption is not trivial.

drzraf commented 4 years ago

@inittab : I guess the next step is to open a libapache2-mod-security3 at https://salsa.debian.org/ in order to maintain a /debian/ directory... or is this something which is going to be bundled inside this very repository?

zimmerle commented 4 years ago

@drzraf ModSecurity v3 connector for Apache is not yet ready for production. A lot of work needs to be done in order for it to be released. Let's wait for a stable release; afterwards we can think about a package. I am going to close this issue. Let's have it re-opened whenever we have a release for this project.