owasp-modsecurity / ModSecurity-apache

ModSecurity v3 Apache Connector
Apache License 2.0

Future plans? #80

Open sorin-costea opened 3 years ago

sorin-costea commented 3 years ago

Now that the last functional commit is years back and the few pull requests are just hanging, does this mean the Apache v3 port has fallen out of grace? Is everybody using nginx?

timwsuqld commented 3 years ago

I've come to the conclusion that ModSecurity-Apache isn't ready for production use. Its behaviour is different to ModSecurity 2.9.3 and seems to not work 100% yet. I feel like https://github.com/SpiderLabs/ModSecurity-apache/issues/77#issuecomment-714460096 sums it up perfectly: it's not ready for a release, no matter how many guides on the internet seem to suggest it is. I look forward to development continuing and a stable release being made in the future; for now, I'm stuck with ModSecurity 2.9.3 if I want to use it with Apache.

Neko-Chang-Taiwan commented 3 years ago

Yes, me too. In fact, I am stuck with a lot of false positives on v2.9.3 and am suffering through debugging. In 3 years, I cannot tell the status of ModSecurity v3 on Apache: ongoing, hibernating, or discontinued? I assume it was discontinued :( I will nearly give up on ModSecurity :(

martinhsv commented 3 years ago

Apologies to those in the community feeling vexed about slow/no responses in this repo's issues. (Personally, since joining the team, it simply didn't occur to me to register for notifications for this repo.)

The citation in the second posting here is accurate. ModSecurity-Apache is not considered production-ready. Much of the functionality works correctly but enough does not, so v2.9.x is still the recommended choice for use with Apache HTTP Server.

Note that just because ModSecurity v2.9.x has a lower number does not mean that it is less good than libModSecurity (aka v3).

@Neko-Chang-Taiwan: I'm not sure what problems you are experiencing with v2.9. I couldn't find any open issues in the ModSecurity issue. Keep in mind that many types of false positives have more to do with the rules you are using as opposed to what the engine is doing. If there is something the ModSecurity engine is doing that you believe is incorrect, or you believe could benefit from an enhancement, feel free to raise it on the ModSecurity repo.

iplparm commented 11 months ago

It's been a while since the last update on this project, and the note says it's not ready for production use. Do you know if there are any plans for a production release?

martinhsv commented 11 months ago

@iplparm ,

There are no current plans for additional work on this connector over the coming months.

The recommended version for use with Apache continues to be ModSecurity v2.9.x.