I suppose this depends on what platform the defaults are optimized for. If it's Apache then this change wouldn't make sense given it doesn't support HTTP/3. However, if defaults should also cater to NGINX, it might be worth adding as it's on the milestones for support in the next 5 months:
to ModSecurity Core Rule Set project, rsomme...@cloudflare.com
Possibly a little early to have this by default because we don't know what values will be used by implementations.
You'd hope it would be nice and simple and "HTTP/3" but in the past Apache started with HTTP/2.0 and then changed to HTTP/2 - which is why both were added to the default config. Ideally we'd avoid this duplication this time and only add what's needed. It could be HTTP/3, h3, QUIC or some other thing!
Also these are just the default setup values - they are expected to be changed to the particular environment they are run in - the default should just be what works for most and I don't think most will be running HTTP/3 and the CRS just yet. CDNs are rolling this out - but have the expertise to tweak this even if they are using the CRS, and they will likely have back-end connections as HTTP/2 (or even HTTP/1.1) for a while where CRS might be used by individual implementers. Apache and IIS have no plans on this so no rush there. Nginx is further ahead on this so it will be interesting to see what they pass through to ModSecurity as the protocol.
So I'd say hold off for now. Saying that I wouldn't object to adding HTTP/3 if someone really wanted to.
Thanks,
Barry
Christian Folini
Oct 15, 2020, 4:34:47 PM
to Barry Pollard, ModSecurity Core Rule Set project, rsomme...@cloudflare.com
On Tue, Oct 13, 2020 at 04:52:46AM -0700, 'Barry Pollard' via ModSecurity Core Rule Set project wrote:
> So I'd say hold off for now. Saying that I wouldn't object to adding HTTP/3
> if someone really wanted to.
I agree with Barry. Besides, the next CRS major release is many moons away.
So there is time to wait and see.