mod_security2 rules

Kevin Foo chflags at
Fri Jan 25 03:29:11 PST 2008

Dear Marcelo,

The problem I faced was not an issue of upgrading mod_security to
mod_security2. It was that mod_security 2.1.4 overwrote my rule files from
2.1.3. These rule files were modifications of the default mod_security2 core
rules.

From file "mod_security2/README":
To activate the rules for your web server installation:

  1) You may want to edit and customize modsecurity_crs_10_config.conf.
     Additionally you may want to edit modsecurity_crs_30_http_policy.conf
     which enforces an application specific HTTP protocol usage.

For instance, I edited modsecurity_crs_10_config.conf and so on to activate
mod_security on Apache and further modified the rules to suit my needs. When
I upgraded mod_security from 2.1.3 to 2.1.4 with portupgrade, all these files
were replaced with the default core rules. Should the ports take more care
when it comes to upgrading configuration files? Some ports append a suffix to
configuration files, e.g. myconf.conf.default, to avoid such a problem.

It is just a minor bug and I don't think it is worth a PR. Thus, I am emailing
instead. Anyway, thanks for your effort in maintaining ports.

Kevin Foo

On Jan 25, 2008 6:18 PM, Marcelo Araujo <araujobsdport at> wrote:

> Hey dear Kevin,
> The change to version 2 of mod_security is a dramatic change, because
> there is a need to completely rewrite the obsolete rules to be able to
> use the new syntax.
> I searched but did not find any references to this in the UPDATE files; I
> believe I forgot this.
> Thanks for the alert, I will take the necessary measures!
> Best Regards,
> --
> Marcelo Araujo            (__)
> araujo at     \\\'',)
>   \/  \ ^
> Power To Server.         .\. /_)
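
The `.default` suffix convention mentioned in the message above, as an added sketch that is not part of the original thread or of the FreeBSD ports tree: the shipped file is always written to `<name>.default`, and the live rule file is replaced only if it is still byte-identical to the previous default. `install_conf` and the file contents are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added illustration; install_conf is a hypothetical helper, not ports code.
# Usage: install_conf SHIPPED_FILE LIVE_PATH
# Prints one of: installed | upgraded | preserved
install_conf() {
    shipped=$1
    live=$2
    ref="$2.default"
    if [ ! -e "$live" ]; then
        # First install: the live file starts as a copy of the shipped default.
        cp "$shipped" "$live"
        result=installed
    elif [ -e "$ref" ] && cmp -s "$live" "$ref"; then
        # Live file never diverged from the old default: safe to replace it.
        cp "$shipped" "$live"
        result=upgraded
    else
        # Live file was customised, or no reference copy exists: keep it.
        result=preserved
    fi
    # Refresh the reference copy last, after the comparison used the old one.
    cp "$shipped" "$ref"
    echo "$result"
}

demo() {
    d=$(mktemp -d)
    live="$d/modsecurity_crs_10_config.conf"
    # Constructed stand-ins for the rule file shipped by two releases.
    printf 'SecRuleEngine DetectionOnly\n' > "$d/shipped_old"
    printf 'SecRuleEngine DetectionOnly\n# newer release\n' > "$d/shipped_new"
    install_conf "$d/shipped_old" "$live"     # prints: installed
    printf 'SecRuleEngine On\n' > "$live"     # administrator's customisation
    install_conf "$d/shipped_new" "$live"     # prints: preserved
    cat "$live"                               # still the customised file
    rm -rf "$d"
}
demo
```

After an upgrade that reports `preserved`, diffing the live file against the new `.default` shows which upstream rule changes still need to be merged by hand.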
