You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A small discussion happened on the Slack #project-modsecurity from OWASP where I pointed out that, with TW changing ownership to OWASP of modsecurity, the domain name might need to be transmitted so that the SecStatusEngine option (https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secstatusengine), if this is still used, is still working as expected.
According to @fzipi, this option should be disabled since a long time ago. This has been done in the default config 2 months ago by @airween (f850932).
@dune73 mentioned that this domain will be still in the hands of TW until Summer 2024, and that TW is not having their status engine in operation for quite some time.
That being said, we all pretty much agree that:
TW status engine will not come back.
This is now disabled by default, so very little people are going to turn it on.
This option will not be useful anymore, and will just pollute (if enabled) the DNS.
Functionally, it does not bring anything to the end user.
This is where I'm proposing removal of this option from v2, while knowing this operation should be carefully considered so that no configuration gets broken.
Probably we could first warn about this option being deprecated, following by removing the actual logic while keeping the warning, and finally removing this option altogether from the parsing logic and the documentations.
The text was updated successfully, but these errors were encountered:
A small discussion happened on the Slack #project-modsecurity from OWASP where I pointed out that, with TW changing ownership to OWASP of modsecurity, the domain name might need to be transmitted so that the SecStatusEngine option (https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secstatusengine), if this is still used, is still working as expected.
According to @fzipi, this option should be disabled since a long time ago. This has been done in the default config 2 months ago by @airween (f850932).
@dune73 mentioned that this domain will be still in the hands of TW until Summer 2024, and that TW is not having their status engine in operation for quite some time.
That being said, we all pretty much agree that:
This is where I'm proposing removal of this option from v2, while knowing this operation should be carefully considered so that no configuration gets broken.
Probably we could first warn about this option being deprecated, following by removing the actual logic while keeping the warning, and finally removing this option altogether from the parsing logic and the documentations.
The text was updated successfully, but these errors were encountered: