Mod_Security: dependency incompatibility with Apache httpd 2.4.x

[rcbarnett-zz]

MODSEC-356: Hello, mod_security developers.

First of all, thank you for working on mod_security.
To help with on this freely available software is really a labor of love.
It's great to have mod_security between my web servers and the hackers out there.

On a new installation, I am having an issue installing mod_security 2.6.7.
My internet research indicates that I will have the same issue trying to install mod_security 2.7.1.

I'm running CentOS 6.3 x86-64. I'm trying to use RPMs, because it the recommended approach for building software on CentOS.
Here is my system type:

[root@localhost APACHE]# uname -a
Linux localhost.localdomain 2.6.32-279.11.1.el6.x86_64 #1 SMP Tue Oct 16 15:57:10 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost APACHE]# cat /etc/issue
CentOS release 6.3 (Final)
Kernel \r on an \m

[root@localhost APACHE]#

I've done an rpmbuild of Apache httpd 2.4.3, and then installed Apache httpd 2.4.3.
When I try to install mod_security 2.6.7 RPM (from the EPEL repository), I get an error:

[root@localhost APACHE]# yum --enablerepo=c6-testing install mod_security.x86_64
Loaded plugins: fastestmirror, priorities, refresh-packagekit, security
Loading mirror speeds from cached hostfile

• base: mirror.web-ster.com
• epel: mirrors.xmission.com
• extras: centos.sonn.com
• updates: centos.mirror.sea.rackd.net
  200 packages excluded due to repository priority protections
  Setting up Install Process
  Resolving Dependencies
  --> Running transaction check
  ---> Package mod_security.x86_64 0:2.6.7-2.el6 will be installed
  --> Processing Dependency: httpd-mmn = 20051115 for package: mod_security-2.6.7-2.el6.x86_64
  --> Finished Dependency Resolution
  Error: Package: mod_security-2.6.7-2.el6.x86_64 (epel)
  Requires: httpd-mmn = 20051115
  Installed: httpd-2.4.3-1.x86_64 (installed)
  httpd-mmn = 20120211
  Available: httpd-2.2.15-15.el6.centos.1.x86_64 (base)
  httpd-mmn = 20051115
  You could try using --skip-broken to work around the problem
  You could try running: rpm -Va --nofiles --nodigest
  [root@localhost APACHE]#

When I do internet research about it, it seems that, if I want the older version of httpd-mmn (for mod_security 2.6.7 compatibility),
I will have to downgrade Apache httpd to version 2.2.x. Then, it would be compatible with mod_security 2.6.7.

When I look at the package specs for mod_security 2.7.1, it looks like 2.7.1 will also be incompatible with Apache httpd 2.4.x.

Bottom line:

In order to install mod_security 2.6.7 or 2.7.x, you need to have Apache 2.2.x or lower.
As far as I can tell, Apache httpd 2.4.x will not work.

Caveat: I am not a Linux guru. Did I miss something, or do something wrong?

Jeff Kayser
Jibe Consulting, Inc.
jeff.kayser@jibeconsulting.com
Cell: 503-901-5021

[rcbarnett-zz]

Original reporter: jeffkayser

[rcbarnett-zz]

bpinto: Hello Jeff,

The 2.7.x series of ModSecurity must be compatible with Apache 2.4.x. Currently there are some users running ModSecurity 2.7 with Apache24. So you should run it without issues.

I'm not the guy behind the Linux distro packages, so if you really want to install it from packages you should talk with the maintainers.
I would suggest you install ModSecurity from source. Please download the 2.7.1 tarball and try to compile it.

Let me know if you have any issues.

Thanks

[gaia]

Updating this thread: what is the currrent status of latest Apache with latest ModSec as of early 2015? Do they work together nicely now?

[zimmerle]

Hi @gaia, sure! it should work without any problem

[GinSiuCheng]

What is the current status for ModSec for Apache 2.4.18? I'm running on Amazon Linux to get the latest version of Apache and PHP installed (2.4.18 and 5.5.30) but can't get ModSec to install
Error: httpd24 conflicts with httpd-2.2.31-1.7.amzn1.x86_64
Error: httpd24-tools conflicts with httpd-tools-2.2.31-1.7.amzn1.x86_64

[csanders-git]

This is an amazon specific problem with how they've laid out their yum repo's. Their default package for apache is httpd (which is 2.2) the mod_security package that is offered via this repo is designed for http 2.2. You can use the rpm provided by fedora or compile it yourself.

Although this is a pain, this is just how Amazon has decided to provide their packages. Note that we do not package ModSecurity ourselves but you may contact whomever packaged it and ask them to build a ModSecurity for apache 2.4 and put it in the amazon repo's. You're probably better just compiling it yourself - it's simple enough.

[ozbigcat]

This is old thread, but perhaps some still got the problem.

Yes, indeed it is amazon specific problem, but they have good solution as well. Just use:
sudo yum install mod24_security

It should do the trick.

[csanders-git]

perfect @xtanda, although the naming scheme is odd it seems to solve the problem nicely. It should be noted that this is a somewhat outdated version 2.8.0, but it can still run CRS, so that's a win in my column

[ozbigcat]

yes , indeed... hopefully 2.9 get into the repo soon.. :-)