ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
A small discussion happened on the Slack #project-modsecurity from OWASP where I pointed out that, with TW changing ownership to OWASP of modsecurity, the domain name might need to be transmitted so that the SecStatusEngine option (https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secstatusengine), if this is still used, is still working as expected.
@dune73 mentioned that this domain will be still in the hands of TW until Summer 2024, and that TW is not having their status engine in operation for quite some time.
That being said, we all pretty much agree that:
TW status engine will not come back.
This is now disabled by default, so very little people are going to turn it on.
This option will not be useful anymore, and will just pollute (if enabled) the DNS.
Functionally, it does not bring anything to the end user.
This is where I'm proposing removal of this option from v2, while knowing this operation should be carefully considered so that no configuration gets broken.
Probably we could first warn about this option being deprecated, following by removing the actual logic while keeping the warning, and finally removing this option altogether from the parsing logic and the documentations.
A small discussion happened on the Slack #project-modsecurity from OWASP where I pointed out that, with TW changing ownership to OWASP of modsecurity, the domain name might need to be transmitted so that the SecStatusEngine option (https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secstatusengine), if this is still used, is still working as expected.
According to @fzipi, this option should be disabled since a long time ago. This has been done in the default config 2 months ago by @airween (https://github.com/owasp-modsecurity/ModSecurity/commit/f850932f83d47a68137ab207e6db0f217152c707).
@dune73 mentioned that this domain will be still in the hands of TW until Summer 2024, and that TW is not having their status engine in operation for quite some time.
That being said, we all pretty much agree that:
This is where I'm proposing removal of this option from v2, while knowing this operation should be carefully considered so that no configuration gets broken.
Probably we could first warn about this option being deprecated, following by removing the actual logic while keeping the warning, and finally removing this option altogether from the parsing logic and the documentations.