search

owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0
8.23k stars 1.61k forks source link

Disabling mlogc breaks standalone build #900

Closed quanah closed 7 years ago

quanah commented 9 years ago

If --disable-mlogc and --enable-standalone-module are passed to configure, the result is not buildable, with the following error:

Making all in standalone
make[2]: Entering directory `/home/build/p4/zimbra/main/ThirdParty/modsecurity/zimbra-modsecurity/rpm/BUILD/modsecurity-2.9.0/standalone'
/bin/sh ../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I../apache2    -DVERSION_NGINX -I/opt/zimbra/common/include -I/opt/zimbra/common/include -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL -I/opt/zimbra/common/include/libxml2 -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500  -DREQUEST_EARLY          -DWITH_REMOTE_RULES  -O0 -g  -MT ../apache2/standalone_la-acmp.lo -MD -MP -MF ../apache2/.deps/standalone_la-acmp.Tpo -c -o ../apache2/standalone_la-acmp.lo `test -f '../apache2/acmp.c' || echo './'`../apache2/acmp.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../apache2 -DVERSION_NGINX -I/opt/zimbra/common/include -I/opt/zimbra/common/include -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL -I/opt/zimbra/common/include/libxml2 -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500 -DREQUEST_EARLY -DWITH_REMOTE_RULES -O0 -g -MT ../apache2/standalone_la-acmp.lo -MD -MP -MF ../apache2/.deps/standalone_la-acmp.Tpo -c ../apache2/acmp.c  -fPIC -DPIC -o ../apache2/.libs/standalone_la-acmp.o
In file included from ../apache2/acmp.c:17:0:
../apache2/acmp.h:18:17: fatal error: apr.h: No such file or directory
 #include <apr.h>
                 ^
compilation terminated.
make[2]: *** [../apache2/standalone_la-acmp.lo] Error 1
make[2]: Leaving directory `/home/build/p4/zimbra/main/ThirdParty/modsecurity/zimbra-modsecurity/rpm/BUILD/modsecurity-2.9.0/standalone'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/build/p4/zimbra/main/ThirdParty/modsecurity/zimbra-modsecurity/rpm/BUILD/modsecurity-2.9.0'

If I remove the --disable-mlogc option, it compiles just fine.

quanah commented 9 years ago

Disabling mlogc while enabling standalone comes directly from the mod security wiki on building with nginx:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX

zimmerle commented 9 years ago

Hi @quanah,

Are you able to compile ModSecurity without disable the mlogc? It seems ModSecurity is trying to find apr.h which is needed even without the mlogc.

quanah commented 9 years ago

@zimmerle I already noted that w/o disabling mlogc, the build succeeds. It's the last line in my original comment.

zimmerle commented 9 years ago

Do you mind to share your config.log ?

You can use gist for that: https://gist.github.com/

quanah commented 9 years ago

Sorry for the delay, I had an upcoming vacation to prepare for and then take. ;)

https://gist.github.com/quanah/7d43487c8f3f1582cd05

quanah commented 9 years ago

Playing with the options to configure, if --disable-mlogc is added, then configure is unable to find apr & apr-util.

With --disable-mlogc specified:

checking for libcurl config script... /opt/zimbra/common/bin/curl-config ./configure: line 13855: test: : integer expression expected ./configure: line 13858: test: : integer expression expected ./configure: line 13861: test: : integer expression expected checking if libcurl is at least v... yes, 7.40.0 checking if libcurl is linked with gnutls... no configure: using curl v7.40.0 configure: looking for Apache module support via DSO through APXS configure: found apxs at /opt/zimbra/common/bin/apxs configure: checking httpd version configure: httpd is recent enough checking for libpcre config script... /usr/bin/pcre-config configure: using pcre v7.8 checking for libxml2 config script... /opt/zimbra/common/bin/xml2-config checking if libxml2 is at least v2.6.29... yes, 2.9.2 configure: using libxml2 v2.9.2 checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for liblua config script... no checking for lua install... no configure: optional lua library not found checking for libyajl config script... no checking for yajl install... no configure: optional yajl library not found checking for ssdeep path... no configure: optional ssdeep library not found configure: WARNING: APR util was not compiled with crypto support. SecRemoteRule will not support the parameter 'crypto' checking that generated files are newer than configure... done configure: creating ./config.status

Without specifying --disable-mlogc:

checking for libcurl config script... /opt/zimbra/common/bin/curl-config ./configure: line 13855: test: : integer expression expected ./configure: line 13858: test: : integer expression expected ./configure: line 13861: test: : integer expression expected checking if libcurl is at least v... yes, 7.40.0 checking if libcurl is linked with gnutls... no configure: using curl v7.40.0 configure: looking for Apache module support via DSO through APXS configure: found apxs at /opt/zimbra/common/bin/apxs configure: checking httpd version configure: httpd is recent enough checking for libpcre config script... /usr/bin/pcre-config configure: using pcre v7.8 checking for libapr config script... /opt/zimbra/common/bin/apr-1-config configure: using apr v1.5.1 checking for libapu config script... /opt/zimbra/common/bin/apu-1-config configure: using apu v1.5.4 checking for libxml2 config script... /opt/zimbra/common/bin/xml2-config checking if libxml2 is at least v2.6.29... yes, 2.9.2 configure: using libxml2 v2.9.2 checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for liblua config script... no checking for lua install... no configure: optional lua library not found checking for libyajl config script... no checking for yajl install... no configure: optional yajl library not found checking for ssdeep path... no configure: optional ssdeep library not found checking that generated files are newer than configure... done configure: creating ./config.status

quanah commented 9 years ago

ok, tracked this down to disabling apache2 and mlogc. Although it appears that apache2 is required for building this out with nginx? doc is not clear on that.

uxbod commented 9 years ago

Hence https://github.com/SpiderLabs/ModSecurity/tree/libmodsecurity for an agnostic webserver library.

quanah commented 9 years ago

@uxbod I'm not exactly sure what that comment means. The directions for building on nginx are to build standalone. Standalone should be without apache2 and without mlogc. However, if you specify such a thing, building modsecurity breaks. That seems to be a quite valid bug.

quanah commented 9 years ago

@uxbod ah, after reading through the description, I see your point. However, given that it's not advised to use libmodsecurity at this time, it doesn't help much. ;) It would be nice to see this fixed in the 2.9 branch until 3.x is ready.

blaksec commented 7 years ago

@quanah - were you able to get past this issue?

quanah commented 7 years ago

@gchorny I no longer work for Zimbra, so it's not on my radar to address. I've no idea if it remains pertinent to Zimbra's plans for the future.

zimmerle commented 7 years ago

Standalone build depends on Apache. Disabling mlogc also disables Apache therefore breaks the build. For complete Apache independence please check on libModSecurity. Check #661 for further information.

nginx connector that no longer needs the Standalone versions - https://github.com/SpiderLabs/ModSecurity-nginx