After the upgrade to 21.2.8, mod-security is not working properly and normal login to the OC web page fails with HTTP error 403.
Moreover, the modsecurity_crs_10_setup.conf file is no longer present; crs-setup.conf is there instead.
Why? What to do?
Release : 21.2.8
Component :
For the 403 error, be sure to update the conf files with the earlier changes; see Third-Party Software License Acknowledgements.
In general, you can update by unzipping our new release over your older one, and updating the crs-setup.conf file with any new settings. However, CRS 3.0 is a major rewrite, incompatible with CRS 2.x. Key setup variables have changed their name, and new features have been introduced. Your former modsecurity_crs_10_ file is thus no longer usable. We recommend that you start with a fresh crs-setup.conf file from scratch.
Most rule IDs have been changed to reorganize them into logical sections. This means that if you have written custom configuration with exclusion rules (e.g. SecRuleRemoveById, SecRu, ctl: or ctl:) you must renumber the rule numbers in that configuration. You can do this using the supplied utility util/id_renumbering/ or find the changes in util/id_renumbering/.
However, a key feature of the CRS 3 is the reduction of false positives in the default installation, and many of your old exclusion rules may no longer be necessary. Therefore, it is a good option to start fresh without your old exclusion rules.
If you are experienced in writing exclusion rules for CRS 2.x, it may be worthwhile to try running CRS 3 in Paranoia Level 2 (PL2). This is a stricter mode, which blocks additional attack patterns, but brings a higher number of false positives — in many situations the false positives will be comparable with CRS 2.x. This paranoia level however will bring you a higher protection level than CRS 2.x or a CRS 3 default install, so it can be worth the investment.
The Spectrum modsecurity_crs_10_setup.conf contained rule IDs 900001 to 900021. These IDs are removed in v3.3.2, and the rules (with new rule IDs) that were part of modsecurity_crs_10_setup.conf have been uncommented.
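The following is an added example, not part of the original article or of the CRS distribution. It is a small Python check that lists the directives in a carried-over ModSecurity configuration that still define or remove rule IDs in the 900001 to 900021 range named above. The sample configuration and all function names are constructed for illustration.

```python
import re

LEGACY_LO, LEGACY_HI = 900001, 900021  # old setup rule ID range named on the page

# Constructed sample of a custom config carried over from before the upgrade.
SAMPLE_CONF = '''\
# tuning copied from modsecurity_crs_10_setup.conf
SecAction "id:'900001', phase:1, t:none, \\
    setvar:tx.critical_anomaly_score=5, nolog, pass"
SecRuleRemoveById 900012 "900018-900021" 960015
#SecRuleRemoveById 900003
SecAction "id:900990, phase:1, nolog, pass, t:none, setvar:tx.crs_setup_version=332"
'''

def logical_lines(text):
    """Yield (first_line_no, directive), joining backslash continuations, skipping comments."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            if not line or line.startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:  # file ended in the middle of a continuation
        yield start, buf

def legacy_ids(directive):
    """Legacy IDs a directive defines (id:N) or removes (SecRuleRemoveById, incl. ranges)."""
    parts = directive.split(None, 1)
    if not parts:
        return []
    args = parts[1] if len(parts) > 1 else ""
    if parts[0].lower() == "secruleremovebyid":
        spans = [(int(lo), int(hi or lo)) for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", args)]
    else:
        spans = [(int(n), int(n)) for n in re.findall(r"\bid:'?(\d+)", args)]
    found = set()
    for lo, hi in spans:  # clamp to the legacy window so huge ranges stay cheap
        found.update(range(max(lo, LEGACY_LO), min(hi, LEGACY_HI) + 1))
    return sorted(found)

def find_legacy_refs(text):
    """Return [(line_no, [ids])] for every directive touching 900001-900021."""
    return [(no, ids) for no, d in logical_lines(text) if (ids := legacy_ids(d))]

if __name__ == "__main__":
    for no, ids in find_legacy_refs(SAMPLE_CONF):
        print(f"line {no}: uses removed setup rule IDs {ids}")
```

Each reported line is a candidate for removal or for renumbering against the new crs-setup.conf before the old customizations are reapplied.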