Building ModSecurity Dynamic Module: Should I use ./configure --with-pcre2 for libmodsecurity and Nginx Connector?

[Danrancan]

I am building the Modsecurity module dynamically against Nginx v1.27.2 Mainline, on Ubuntu 22.04. The Ubuntu 22.04 instructions HERE: say to use the configure flag --with-pcre2.

Are these old Instructions?

1. Should I be using the --with-pcre2 configure flag when building LibModsecurity v3.0.13 from https://github.com/owasp-modsecurity/ModSecurity ?

2. Secondly, should I be using the --with-pcre2 configure flag when building Modsecurity v3.0.13 from https://github.com/owasp-modsecurity/ModSecurity ?

3. Lastly, should I be using the --with-pcre2 configure flag when building the Modsecurity Connector Module v1.0.3 from https://github.com/owasp-modsecurity/ModSecurity-nginx ?

I just want to be sure where and when I should be using the --with-pcre2 flags when attempting to build the module dynamically on Ubunut 22.04.

Thanks for the help.

[airween]

Hi @Danrancan,

I am building the Modsecurity module dynamically against Nginx v1.27.2 Mainline, on Ubuntu 22.04. The Ubuntu 22.04 instructions HERE: say to use the configure flag --with-pcre2.

Are these old Instructions?

A bit old, but the --with-pcre2 suggestion is valid.

1. Should I be using the `--with-pcre2` configure flag when building LibModsecurity v3.0.13 from https://github.com/owasp-modsecurity/ModSecurity ?

2. Secondly, should I be using the `--with-pcre2` configure flag when building Modsecurity v3.0.13 from https://github.com/owasp-modsecurity/ModSecurity ?

These sources are the same from same repository. ModSecurity v3.0.13 = libmodsecurity3 v.3.0.13.

And yes, the newest versions of Nginx prefers PCRE2, therefore it's much better if connector also uses PCRE2, and well, it's better if the library uses that too.

Anyway, (old) PCRE (PCRE3) is not supported since long time, so we highly recommended to use PCRE2 where it's possible.

(There could be some special cases, for eg. if the server (and the system itself) uses the old PCRE, then it's the better choice.)

3. Lastly, should I be using the `--with-pcre2` configure flag when building the Modsecurity Connector Module v1.0.3 from https://github.com/owasp-modsecurity/ModSecurity-nginx ?

yes.

I just want to be sure where and when I should be using the --with-pcre2 flags when attempting to build the module dynamically on Ubunut 22.04.

If Nginx uses PCRE2, then you should use the flag --with-pcre2 both for library and for the connector. Otherwise use the old PCRE.

[Danrancan]

If Nginx uses PCRE2, then you should use the flag --with-pcre2 both for library and for the connector. Otherwise use the old PCRE.

Thanks for the clarafication. For reference, I am building the module dynamically according to this guide.

I have download Nginx from source, and ModSecurity-nginx. Here are my steps for the connector Module:

git clone https://github.com/owasp-modsecurity/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/
cd /usr/local/src/ModSecurity-nginx

However, there is no configure file in the ModSecurity-nginx directory.
So I can't use:

./build.sh
./configure --with-pcre2

Like I can in the libmodsecurity3's ModSecurity.git directory.

Therefore, I tried navigating to my Nginx Source Directory in /usr/local/src/nginx-1.27.2and ran the following command:

sudo ./configure --add-dynamic-module=/usr/local/src/ModSecurity-nginx --with-pcre2 --with-compat

which returned the following:

./configure: error: invalid option "--with-pcre2"

Where exactly do I put the --with-pcre2 flag when building the Nginx Connecter module dynamically from source?

[airween]

Hi @Danrancan,

sorry, that was my mistake: Nginx uses PCRE2 by default since 1.21.5 - see official CHANGES.

And it seems now there is a chance if you want to force it to use the old PCRE: --with-pcre.

Connector uses the same PCRE version as Nginx. You should take care only the library.

Sorry again.