ModSecurity 3 - Windows Apache/Nginx Connector
Hi all, it's been a while since the last update I could find on this topic. We are facing the need to provide ModSecurity v3 in a Windows environment. Currently using IIS with 2.9.4.
What's the current status? Is it plausible to compile and use it with Apache or Nginx on Windows to your knowledge?
Thanks!
Hi @gianks
That is good to hear. We are aiming not only to have it working for Nginx / Apache on Windows but also IIS.
It is feasible to have v3 compiled on Windows using the VS build tools. However, some modifications need to be made. As we develop the code or review contributions, we make it easy to extend to the Windows platform.
Some examples of things that demand changes are -
https://github.com/SpiderLabs/ModSecurity/blob/f18595f42830f2f0ac27362a8b31120e3dfb850c/src/collection/backend/in_memory-per_process.cc#L42
Or even headers that need to be well selected - https://github.com/SpiderLabs/ModSecurity/blob/f18595f42830f2f0ac27362a8b31120e3dfb850c/src/operators/rbl.h#L19-L23
Not to forget that we miss the compilation scripts for VS. Overall, it is possible to compile, but it will demand a little effort.
Count on us to help you during this process ;)
Hi, we are working on it, although some issues are slowing down the ops. Is there any problem in using Cygwin or MinGW to compile ModSecurity? Would this cause trouble with the connectors?
@gianks not that I heard about. Please do share your experience on that process, it will be very valuable.
@gianks any progress so far?
I'm using nginx for Windows, but not IIS. Any tutorial or docs that I could take a look at so I could set it up with nginx for Windows? Thanks
How do I configure ModSecurity for Nginx on Windows?
Can we assume that IIS support has now been abandoned, and that all our hopes of v3 on IIS were just a dream? It seems like all the WAF projects are being abandoned!
I think with any open source project they have to prioritize the development work and frankly the number of sites using ModSecurity with IIS is tiny compared to Apache and Nginx (on Linux). I myself created a basic WAF for ASP.NET Core at https://github.com/mguinness/KestrelWAF in lieu of a working IIS solution.