Apache ModSecurity: another rule with the same id error

Question

I am trying to set up an Apache server with the ModSecurity Rule set inside a Docker container. I followed a few tutorials (this, this and this) to build a secure Apache server. But I am unable to make the server work with the rule set.

I get this error:

AH00526: Syntax error on line 855 of /etc/httpd/modsecurity.d/crs-setup.conf:
ModSecurity: Found another rule with the same id

I searched for the error and according to the answers on this page the fault lies in including the same rules twice. But as far as I can see, I am not including the same rules twice and I wonder if the error lies elsewhere.

My project file structure is the following:

.
├── conf
│   └── httpd.conf
├── Dockerfile
├── index.html
├── modsecurity.d
│   ├── crs-setup.conf
│   ├── modsecurity.conf
│   └── rules

The httpd.conf file is the default config file used for an Apache server and the modsecurity configurations are inserted via commands in the Dockerfile.

The Dockerfile has the following configuration

FROM centos:7

RUN yum -y update && \
    yum -y install less which tree httpd mod_security && \
    yum clean all

COPY index.html /var/www/html/

#COPY conf/ /etc/httpd/conf/
COPY modsecurity.d/crs-setup.conf /etc/httpd/modsecurity.d/
COPY modsecurity.d/modsecurity.conf /etc/httpd/modsecurity.d/
COPY modsecurity.d/rules/* /etc/httpd/modsecurity.d/rules/

RUN echo "ServerName localhost" >> /etc/httpd/conf/httpd.conf
RUN echo "<IfModule security2_module>" >> /etc/httpd/conf/httpd.conf
RUN echo "  Include modsecurity.d/crs-setup.conf" >> /etc/httpd/conf/httpd.conf
RUN echo "  Include modsecurity.d/rules/*.conf" >> /etc/httpd/conf/httpd.conf
RUN echo "  SecRuleEngine On" >> /etc/httpd/conf/httpd.conf
RUN echo "</IfModule>" >> /etc/httpd/conf/httpd.conf

EXPOSE 80

CMD ["/usr/sbin/httpd", "-D", "FOREGROUND"]

index.html is just a basic hello file:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8" lang="en">
  </head>
  <body>
    <h1>Hello there</h1>
  </body>
</html>

crs-setup.conf has the following content (excluding all the comments)

SecRuleEngine On
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
SecCollectionTimeout 600
SecAction \
 "id:900990,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_setup_version=310"

modsecurity.conf has only these two lines

SecRequestBodyAccess On
SecStatusEngine On

rules is a directory which contains the ModSecurity rule set.

I also placed the project files on github if anyone wants to have a look at the whole setup.

Answer 1

I found out why I got the error. The ModSecurity configuration file was misnamed and the rule files had been placed in the wrong directory.

The ModSecurity file was modsecurity.conf, when in fact it should have been mod_security.conf, notice the underscore (source). The rule files should have been placed in a folder called activated_rules(source).

In my working configuration I now have the following folder structure:

.
├── conf
│   └── httpd.conf
├── Dockerfile
├── index.html
└── modsecurity.d
    ├── crs-setup.conf
    ├── mod_security.conf
    └── activated_rules

The Dockerfile is as follows

FROM centos:7

RUN yum -y update && \
    yum -y install less which tree httpd mod_security && \
    yum clean all

COPY index.html /var/www/html/

RUN echo "ServerName localhost" >> /etc/httpd/conf/httpd.conf
RUN echo "<IfModule security2_module>" >> /etc/httpd/conf/httpd.conf
RUN echo "Include modsecurity.d/crs-setup.conf" >> /etc/httpd/conf/httpd.conf
RUN echo "Include modsecurity.d/activated_rules/*.conf" >> /etc/httpd/conf/httpd.conf
RUN echo "</IfModule>" >> /etc/httpd/conf/httpd.conf


COPY modsecurity.d/crs-setup.conf     /etc/httpd/modsecurity.d/
COPY modsecurity.d/mod_security.conf  /etc/httpd/conf.d/
COPY modsecurity.d/rules/*            /etc/httpd/modsecurity.d/activated_rules/

EXPOSE 80

CMD ["/usr/sbin/httpd", "-D", "FOREGROUND"]