jcmoraisjr/modsecurity-spoa

What is the best way to update CRS and reload SPOA?

mcarbonneaux opened this issue · 6 comments

Is there a way to update CRS and reload SPOA without impacting the HAProxy that uses it?

I've thought of using git-sync and using its change hook to force a reload, but how do I force a reload on SPOA?

From what I know, all requests are sent to modsecurity and have a timeout to reply; otherwise they are allowed by default. This means you probably don't need to reload SPOA as nothing changes in there.

But the CRS is loaded at the start of mod_security SPOA?!

Yes. Hot reload was added to modsecurity in 3.1.1 here; this project uses v2.x, so you need to restart/kill the container to reload it.

I use this with a custom helm chart that adds checksum annotations for the config, so whenever the rules change all the modsecurity pods are automatically replaced by new ones on a deployment rollout. On this setup modsecurity is a sidecar for haproxy, so all the haproxies are also recycled along with it. If you configure pod disruption budgets and deployment rollout thresholds, you shouldn't have any downtime on update.
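The checksum-annotation pattern described in the comment above, written out as an added example (not the project's chart and not code from anyone in this thread). It assumes a hypothetical chart whose templates/configmap.yaml renders a ConfigMap named modsecurity-rules with the CRS/modsecurity config, mounts it at an assumed path /etc/modsecurity, and shows a standalone Deployment rather than the haproxy sidecar layout; the annotation works the same on a sidecar pod template.

```yaml
# templates/deployment.yaml (hypothetical chart layout, not the project's own)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: modsecurity-spoa
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0   # never remove a pod before its replacement is Ready
      maxSurge: 1
  selector:
    matchLabels:
      app: modsecurity-spoa
  template:
    metadata:
      labels:
        app: modsecurity-spoa
      annotations:
        # Hash of the rendered ConfigMap: any CRS/config change alters the pod
        # template, so a rollout replaces pods and SPOA (v2.x, no hot reload) restarts with new rules
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
    spec:
      containers:
        - name: modsecurity-spoa
          image: jcmoraisjr/modsecurity-spoa   # pin a tag in practice
          readinessProbe:
            tcpSocket:
              port: 12345                       # assumed SPOA listen port
            initialDelaySeconds: 5
          volumeMounts:
            - name: rules
              mountPath: /etc/modsecurity       # assumed config path
      volumes:
        - name: rules
          configMap:
            name: modsecurity-rules
---
# Keep all but one pod serving during voluntary disruptions (node drains, rollouts)
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: modsecurity-spoa
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: modsecurity-spoa
```

With maxUnavailable: 0 and a working readiness probe, HAProxy always has at least the old pods answering until a new one is Ready, which is what keeps the rule update from causing downtime.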

OK, mod_security itself has the possibility to reload in v3!
How do I update mod_security-spoa to v3?
That way, if mod_security-spoa uses v3, I can use a volume or git-sync to retrieve the CRS, which will be reloaded automatically!?

If you manage to make modsecurity v3 work, you can submit a PR. In theory that should work.