Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to CRS v4.4.0 #23

Closed
vcarus opened this issue Jun 27, 2024 · 4 comments · Fixed by #24
Closed

Upgrade to CRS v4.4.0 #23

vcarus opened this issue Jun 27, 2024 · 4 comments · Fixed by #24

Comments

@vcarus
Copy link

vcarus commented Jun 27, 2024

Hello,

With the recent release of CRS v 4.4.0, I'm considering upgrading.
As a newcomer to Coraza, I have a couple of questions:

  1. Build Process: When using load_owasp_crs in the Caddyfile, is it necessary to rebuild Caddy each time?

  2. Version Update: Should the Coraza version be updated simultaneously in the go.mod file? Currently, it's set to:

https://github.com/corazawaf/coraza-caddy/blob/58105a779bc45b80228b2466b6f24c12625e00a2/go.mod#L7

Any guidance on these matters would be greatly appreciated. Thank you for your time and assistance.
@skrlance
Copy link

Seems like the developer never gonna update to latest available version, now or in the future!

@M4tteoP M4tteoP mentioned this issue Jul 17, 2024
Merged
@M4tteoP
Copy link
Member

M4tteoP commented Jul 17, 2024
edited
Loading

Hey @vcarus!

Build Process: When using load_owasp_crs in the Caddyfile, is it necessary to rebuild Caddy each time?

load_owasp_crs will load the CRS version based on what you have in your go.mod file. So I would say that the rebuild is needed to embed the updated rules. That being said, load_owasp_crs is just a handy way for straightforward setups, nothing stops you from using the Include directive to load rules from your filesystem (E.g. you directly download the rules from https://github.com/coreruleset/coreruleset and you point them). If you wish to stick with the load_owasp_crs way, I just opened the PR to ship CRS v4.4: #24

Version Update: Should the Coraza version be updated simultaneously in the go.mod file? Currently, it's set to:

The link is pointing to coraza-coreruleset, which is this repository. It is correct, as mentioned above, to update to a specific version of the CRS relying on this library you have to update that dependency line.

Coraza version is the engine version and is the line below (E.g. github.com/corazawaf/coraza/v3 v3.1.0). We are currently at v3.2.1, it has been updated in master last week via corazawaf/coraza-caddy#159.

Cheers

@jcchavezs
Copy link
Member

Thanks for opening this, I see this coming more often so probably we need a way to let users pass their own CRS. In the meantime you can load them from your FS.

@M4tteoP
Copy link
Member

M4tteoP commented Jul 25, 2024

FYI both CRS v4.4.0 and v4.5.0 versions have been tagged and released.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat:updates to CRS 4.4.0 M4tteoP/coraza-coreruleset
4 participants
@jcchavezs @vcarus @M4tteoP @skrlance