Re: [mod-security-users] ICAP-Interface / Apache independency
Brought to you by:
victorhora,
zimmerletw
From: Brian R. <Bri...@br...> - 2009-01-26 20:24:03
|
Florian S. wrote: > Hi everyone, > > I read a lot of the new modularity in modsec 2.x and approaches of > including it in other environments than apache. But I am not aware of > any productive solutions to directly include it into other webservers. ModSecurity is currently tied to Apache. With ModSecurity 3, I plan on decoupling this so that it can be ported to other applications. Apache would still be the primary target, however. > I am now thinking of starting a project that allows the usage of > mod-security with eg. ICAP. > > The first step would be reducing dependencies to apache, APR etc, so > that I am able to build it as a standalone program with easy I/O. After > that, the modsec-ICAP-server would not be much effort. You would not be able to remove APR ties without a full rewrite. However, I have done much of the work in spliting out the Apache httpd dependencies already. However there is still a lot of work to do. See this branch of code: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/experimental/3.0-testing/ > > My first approaches would result in some dirty code-hacks, what is not > very satisfying. I agree. > My Questions: > - Does that make sense? Yes. > - Is there any community that would be interested in that? I am sure there would. But better to make the interface to ModSecurity generic enough to support pretty much any app. > - How to reduce dependencies? The biggest tie is the configuration mechanism. The Apache httpd server is used to configure ModSecurity, so the config mechanism needs to be re-written. The other big tie is that Apache httpd does the HTTP parsing, so ModSecurity must parse the HTTP, or we must rely on whatever hosts ModSecurity to do the HTTP parsing (the later was planned for ModSecurity 3). > - Is there a suitable interface in the code? No. But one is being planned for ModSecurity 3. If you have ideas into the interface, please send me a note. > > > Regards, > Florian > Thanks for your interest. -B -- Brian Rectanus Breach Security |