Hello,
ModSecurity Core Rule Set Developer on Duty here.
ModSecurity v2 remains the reference implementation for CRS.
ModSecurity v3 (on Nginx) fails many of the test cases from the CRS
test suite, owing to bugs, inconsistencies, and implementation gaps.
As of today, using the latest stable release of the go-ftw testing
tool, the latest CRS container images, and the CRS v4.0/dev branch,
the situation is as follows:
* Apache + ModSecurity v2:
run 3517 total tests in 59.605616827s
skipped 4 tests
All tests successful!
* Nginx + ModSecurity v3:
run 3517 total tests in 51.392467496s
skipped 4 tests
61 test(s) failed to run
Note that some of the Nginx + libModSecurity failures are due to
differences in the behaviour of Nginx compared to Apache, so not all
of the test failures are due to engine differences.
You may find the information and explanations on the CRS documentation
page about WAF engine options to be of interest:
https://coreruleset.org/docs/deployment/engine_integration_options/
Thanks,
Andrew Howe
--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 /
+44 (0)330 380 1064