It's been noted before that the HowToForge paper on installing ModSecurity is old. @Jesse Norell provided a HowTo in 2017. Last year, when asked "Is there any module that performs the configuration of ModSecutiry in IspConfig", @till said "No". And to "do I need to manually set the ModSecurity settings to option?" @till said "No. You can also modify the vhost master template, if you want to enable it for all sites or you enable it globally for the whole server in apache2.conf". I'm happy to use docs outside of HowToForge, of course, and to modify templates and conf files. I just don't want to do anything that creates a conflict with ISPConfig. Can anyone help us to understand if there are any specific concerns, possible conflicts, issues to handle, or other anomalies involved with ModSecurity (Apache/Nginx) in a ISPConfig environment? If you have ModSecurity installed in a current environment, your experience can help the rest of us. Thanks!
From an nginx user point of view, I do not use it since the fact is nginx doesn't adopted modsecurity will make those who want it have to recompile nginx with it and that is troublesome to maintain. Various other methods (server and site certs, DHparam, TLSv1.3 and stapling) already made sites and web server secured so far, making modsecurity just an another extra bonus. I haven't crossed any cases of breach due to not using modsecurity in an nginx server yet, so, if there is any, please enlighten us all.
