• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Which ModSecurity version is used in Obsidian?

# plesk version
Product version: Plesk Obsidian 18.0.27.0
OS version: CentOS 7.6.1810 x86_64

# rpm -qi mod_security
Name : mod_security
Version : 2.9.3


Yes, we are planning ModSecurity 3.x support, work is ongoing. But there are problems with stability and current rulesets, so there is no ETA yet.
 
As far as I know, ModSecurity 3.x has become stable recently. Judging by the number of votes on UserVoice and the dynamics of voting, it cannot be called too much in demand. Tell me please, why you need this particular 3.x version? What advantages do you see for yourself in this version?
 
# plesk version
Product version: Plesk Obsidian 18.0.27.0
OS version: CentOS 7.6.1810 x86_64

# rpm -qi mod_security
Name : mod_security
Version : 2.9.3
Plesk Obsidian 18.0.28 today:
Bash:
# rpm -qi mod_security
Name        : mod_security
Epoch       : 1
Version     : 2.9.1

Not sure why rolling back from 2.9.3 to 2.9.1
 
Bash:
# rpm -qi mod_security | grep Vendor
#
Empty.
 
Plesk staff, when will you support libmodsecurity aka modsecurity v3 ? Repeating earlier comment: "Modsecurity v3 - or actually libmodsecurity - is essential to run nginx without apache on plesk servers with imunify360." Please advise. Your roadmap will have fundamental impact on decisions to fully embrace Plesk or to ditch it entirely.
 
As far as I know, ModSecurity 3.x has become stable recently ...

Plesk Obsidian 18.0.28 today ...

Which version is ModSecurity in Obsidian? In Onyx its version 2.9.1. For Obsidian ...

Plesk staff, when will you support libmodsecurity aka modsecurity v3 ...


Hi dear "IgorG", "Hextrator", "Azurel", "Satoshi Nakamoto",

Please consider implementing Mod Security v3.x.x (aka libmodsecurity) for NGINX and Apache in the next Plesk update.

I have created a feature request on the Official Plesk User Voice page.

Anyone interested in this feature is free to vote, the more we are the better
;)

At the moment any Plesk user if he wants to use Mod Security (official version supported by Plesk) is forced to use it as a web server:
  • Apache
or
  • Apache + NGINX
Any Plesk user who wants to use only NGINX as a web server and without using Apache at the moment cannot use Mod Security because Plesk does not currently support it for NGINX exclusively web servers.

Here are some of the advantages of Mod Security v3.x.x (aka libmodsecurity and these advantages apply to any type of webserver, Apache, NGINX, IIS, etc., etc.,) compared to the now old and obsolete Mod Security v2.x.x as reported on the official GitHub page relating to SpyderLabs - Mod Security available at this link SpiderLabs/ModSecurity for anyone who wants to deepen the subject.

"Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. In general, it provides the capability to load/interpret rules written in the ModSecurity SecRules format and apply them to HTTP content provided by your application via Connectors.

If you are looking for ModSecurity for Apache (aka ModSecurity v2.x), it is still under maintenence and available: here.

What is the difference between this project and the old ModSecurity (v2.x.x) ?
  • All Apache dependences have been removed
  • Higher performance
  • New features
  • New architecture
Libmodsecurity is a complete rewrite of the ModSecurity platform. When it was first devised the ModSecurity project started as just an Apache module. Over time the project has been extended, due to popular demand, to support other platforms including (but not limited to) Nginx and IIS. In order to provide for the growing demand for additional platform support, it has became necessary to remove the Apache dependencies underlying this project, making it more platform independent.

As a result of this goal we have rearchitected Libmodsecurity such that it is no longer dependent on the Apache web server (both at compilation and during runtime). One side effect of this is that across all platforms users can expect increased performance. Additionally, we have taken this opprotunity to lay the groundwork for some new features that users have been long seeking. For example we are looking to nativly support auditlogs in the JSON format, along with a host of other functionality in future versions.

It is no longer just a module.
The 'ModSecurity' branch no longer contains the traditional module logic (for Nginx, Apache, and IIS) that has traditionally been packaged all together. Instead, this branch only contains the library portion (libmodsecurity) for this project. This library is consumed by what we have termed 'Connectors' these connectors will interface with your webserver and provide the library with a common format that it undersands. Each of these connectors is maintained as a seperate GitHub project. For instance, the Nginx connector is supplied by the ModSecurity-nginx project (SpiderLabs/ModSecurity-nginx).

Keeping these connectors seperated allows each project to be have different release cycles, issues and development trees. Addtionally, it means that when you install ModSecurity v3 you only get exactly what you need, no extras you won't be using."

Thanks in advance for the support.
 
Last edited:
As far as I know, ModSecurity 3.x has become stable recently. Judging by the number of votes on UserVoice and the dynamics of voting, it cannot be called too much in demand. Tell me please, why you need this particular 3.x version? What advantages do you see for yourself in this version?
ModSecurity +3 support new GeoIP2 MMDB format.
 

Added the support for ModSecurity 3 to nginx. ModSecurity 2.9 + Apache remains for now the recommended option. To switch to ModSecurity 3 + nginx, go to “Tools&Settings” > “Web Application firewall”.
  • Switching to ModSecurity 3 may hinder your existing applications. We strongly recommend trying ModSecurity 3 out on a test server before switching your production environment to that version.
  • At the moment you can only choose the OWASP ruleset in the Plesk UI for ModSecurity 3. You can download the Comodo ruleset and upload it to Plesk as a custom ruleset. We plan to make it possible to enable the Comodo ruleset for ModSecurity 3 directly from the Plesk UI in Plesk Obsidian 18.0.33.
  • You can disable switching to ModSecurity 3 by adding the following lines to the panel.ini file:
    [modSecurity] webServer.nginx = Off
 
Back
Top