owasp-modsecurity / ModSecurity-apache

ModSecurity v3 Apache Connector
Apache License 2.0

How to use OWASP CRS? #88

Closed FalcoGer closed 11 months ago

FalcoGer commented 1 year ago

How does one use the OWASP CRS with this mod? It seems like all the rule configurations have been removed in exchange for a simple modsecurity_rules_file /path/to/rules.conf.

In the old version one would use an Include statement to simply load /opt/modsecurity-crs/setup-crs.conf before loading all rules in /opt/modsecurity-crs/rules/*.conf or something of the sort, and it would basically concatenate the rule files in alphabetical order.

Can this still be done with modsecurity_rules_file? Does it accept wildcards? Can I specify it multiple times to load rules without overwriting the file previously loaded? Do I have to do something special, like including the rules from within a root rule file? If so, then how, because setup-crs.conf doesn't do that and it was handled by the previous Apache module via Include or IncludeOptional.

martinhsv commented 11 months ago

Hello @FalcoGer,

Please note that this connector is not considered suitable for production. For use with Apache HTTP Server, ModSecurity v2.9.x is recommended.

With ModSecurity v2 with Apache, installation can typically be done from repo with little manual effort required. There are a number of installation guides readily available online for that combination.