ModSecurity icon indicating copy to clipboard operation
ModSecurity copied to clipboard
verified publisher icon owasp-modsecurity

Readme instructions for IIS installation

Open tbremard opened this issue 8 months ago • 6 comments

Hello, by downloading last release "modsecurity-v3.0.14.tar.gz" user is completly lost to install module on IIS .

is there any binary somewhere ? the decoupling with adaptor might be great technology , but having no clear instruction to emulate "msi" installer for windows iis is a big critical issue for new user of this mod.

Please review your readme and at least cover an adress with steps to folow for each end web server

tbremard avatar May 05 '25 12:05 tbremard

Hi @tbremard,

user is completly lost to install module on IIS .

modsecurity-v3.0.14.tar.gz means the library, namely libmodsecurity3. This is a WAF engine and it needs a connector to all kind of web servers for users want to use it.

Currently there is only one supported (and stable) connector: for Nginx. We don't have connector for IIS yet.

is there any binary somewhere ?

No, we don't want to provide binary solution. The reason is simple: there are so many available build options, eg. you can choose which REGEX engine want to use, you can choose which collection backend want to use, and so on.

So we can't decide users which one want to use, therefore we can't provide any binary package.

the decoupling with adaptor might be great technology , but having no clear instruction to emulate "msi" installer for windows iis is a big critical issue for new user of this mod.

As I wrote, there is no "msi" installer. If anyone wants to use on Windows, just read the instructions. But again: this will help to install only the engine, there is no IIS connector.

Please review your readme and at least cover an adress with steps to folow for each end web server

Please explain which part do we have to modify. The library's readme does not contain any info about connectors.

Nginx-connector contains a step-by-step description, how to build module for Nginx.

airween avatar May 05 '25 12:05 airween

Thank you,

" Currently there is only one supported (and stable) connector: for Nginx. We don't have connector for IIS yet"

==> so indeed putting this inside readme would be great as by reading your doc it looks every server is now supported on version 3.x. it looks like "if you need insallation on IIS , you should install v2.x"

Regards

Thierry Brémard @.***

Le lun. 5 mai 2025 à 14:51, Ervin Hegedus @.***> a écrit :

airween left a comment (owasp-modsecurity/ModSecurity#3370) https://github.com/owasp-modsecurity/ModSecurity/issues/3370#issuecomment-2850895698

Hi @tbremard https://github.com/tbremard,

user is completly lost to install module on IIS .

modsecurity-v3.0.14.tar.gz means the library, namely libmodsecurity3. This is a WAF engine and it needs a connector to all kind of web servers for users want to use it.

Currently there is only one supported (and stable) connector: for Nginx. We don't have connector for IIS yet.

is there any binary somewhere ?

No, we don't want to provide binary solution. The reason is simple: there are so many available build options, eg. you can choose which REGEX engine want to use, you can choose which collection backend want to use, and so on.

So we can't decide users which one want to use, therefore we can't provide any binary package.

the decoupling with adaptor might be great technology , but having no clear instruction to emulate "msi" installer for windows iis is a big critical issue for new user of this mod.

As I wrote, there is no "msi" installer. If anyone wants to use on Windows, just read the instructions https://github.com/owasp-modsecurity/ModSecurity?tab=readme-ov-file#windows. But again: this will help to install only the engine, there is no IIS connector.

Please review your readme and at least cover an adress with steps to folow for each end web server

Please explain which part do we have to modify. The library's readme does not contain any info about connectors.

Nginx-connector contains a step-by-step description https://github.com/owasp-modsecurity/ModSecurity-nginx?tab=readme-ov-file#compilation, how to build module for Nginx.

— Reply to this email directly, view it on GitHub https://github.com/owasp-modsecurity/ModSecurity/issues/3370#issuecomment-2850895698, or unsubscribe https://github.com/notifications/unsubscribe-auth/AIULZZBMELV27KLOT5WXO73245NE3AVCNFSM6AAAAAB4OQBNSSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQNJQHA4TKNRZHA . You are receiving this because you were mentioned.Message ID: @.***>

tbremard avatar May 05 '25 12:05 tbremard

==> so indeed putting this inside readme would be great as by reading your doc it looks every server is now supported on version 3.x.

sorry, where the doc says "every server is now supported on version 3.x"? If there is, we must remove it immediately.

it looks like "if you need insallation on IIS , you should install v2.x"

IIS is a webserver, which runs on Windows. That's a connector question.

But this library can be used on Windows too - if you have an own webserver, you can use this library. If you have an IIS connector (which is not an open source code), then you can also use the library.

(I don't want to argue just would like to clarify the definitions - and of course, I will change the doc if it necessary)

airween avatar May 05 '25 13:05 airween

I mean. I am told modsecurity must be installed and historically handled by iis. The fact that you now segregate adaptors raise issue in unaware user lost on integration. By not writing potential issues currently on iis let user understand that logically support on iis exists

Le lun. 5 mai 2025 à 15:11, Ervin Hegedus @.***> a écrit :

airween left a comment (owasp-modsecurity/ModSecurity#3370) https://github.com/owasp-modsecurity/ModSecurity/issues/3370#issuecomment-2850962355

==> so indeed putting this inside readme would be great as by reading your doc it looks every server is now supported on version 3.x.

sorry, where the doc says "every server is now supported on version 3.x"? If there is, we must remove it immediately.

it looks like "if you need insallation on IIS , you should install v2.x"

IIS is a webserver, which runs on Windows. That's a connector question.

But this library can be used on Windows too - if you have an own webserver, you can use this library. If you have an IIS connector (which is not an open source code), then you can also use the library.

(I don't want to argue just would like to clarify the definitions - and of course, I will change the doc if it necessary)

— Reply to this email directly, view it on GitHub https://github.com/owasp-modsecurity/ModSecurity/issues/3370#issuecomment-2850962355, or unsubscribe https://github.com/notifications/unsubscribe-auth/AIULZZBAABSM5Y67CUAXXET245PPHAVCNFSM6AAAAAB4OQBNSSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQNJQHE3DEMZVGU . You are receiving this because you were mentioned.Message ID: @.***>

tbremard avatar May 05 '25 13:05 tbremard

I mean. I am told modsecurity must be installed and historically handled by iis. The fact that you now segregate adaptors raise issue in unaware user lost on integration. By not writing potential issues currently on iis let user understand that logically support on iis exists

README.md is part of the source, anyone can send a PR which helps to clarify the concept.

Honestly, I really don't know how can we make it more usable.

airween avatar May 05 '25 13:05 airween

Is there anything that we can do here?

airween avatar May 17 '25 13:05 airween