What is the best way to update CRS and reload spoa? #36

Open
mcarbonneaux opened this issue Dec 8, 2022 · 6 comments

Comments

@mcarbonneaux

Is there a way to update CRS and reload spoa without impact on the haproxy using it?

@mcarbonneaux
Author

mcarbonneaux commented Dec 8, 2022

I've thought of using git-sync and using the change hook to force a reload, but how do I force a reload on spoa?

@GMartinez-Sisti
Contributor

From what I know, all requests are sent to modsecurity and have a timeout to reply; otherwise they are allowed by default. This means you probably don’t need to reload SPOA as nothing changes in there.

@mcarbonneaux
Author

But the CRS are loaded at start of the mod_security spoa?!

@GMartinez-Sisti
Contributor

Yes. Hot reload was added to modsecurity in 3.1.1 here; this project uses v2x, so you need to restart/kill the container to reload it.

I use this with a custom helm chart that adds checksum annotations for the config, so whenever the rules change all the modsecurity pods are automatically replaced by new ones on a deployment rollout. In this setup modsecurity is a sidecar for haproxy, so all the haproxies are also recycled along with it. If you configure pod disruption budgets and deployment rollout thresholds you shouldn’t have any downtime on update.
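
The checksum-annotation rollout described in the comment above, sketched as an added example; it is not the commenter's chart or this project's code. The resource names, labels, image references, mount path and the `crs-configmap.yaml` template are hypothetical.

```yaml
# templates/deployment.yaml (hypothetical chart; all names are assumptions)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: haproxy-waf
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0   # never drop below the desired replica count during a rule update
      maxSurge: 1
  selector:
    matchLabels:
      app: haproxy-waf
  template:
    metadata:
      labels:
        app: haproxy-waf
      annotations:
        # Hash of the rendered rules ConfigMap: any change to the CRS files changes the
        # pod template, which triggers a rollout and restarts modsecurity with the new rules.
        checksum/crs: {{ include (print $.Template.BasePath "/crs-configmap.yaml") . | sha256sum }}
    spec:
      containers:
        - name: haproxy
          image: haproxy:PLACEHOLDER_TAG
        - name: modsecurity-spoa            # sidecar, recycled together with haproxy
          image: modsecurity-spoa:PLACEHOLDER_TAG
          volumeMounts:
            - name: crs
              mountPath: /etc/modsecurity/crs   # assumed rules path
              readOnly: true
      volumes:
        - name: crs
          configMap:
            name: crs-rules
---
# templates/pdb.yaml: keeps a minimum number of pods serving during voluntary disruptions
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: haproxy-waf
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: haproxy-waf
```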

@mcarbonneaux
Author

mcarbonneaux commented Dec 8, 2022

OK, mod_security itself has the possibility to reload in v3!
How to update mod_security-spoa to v3?
That way, if mod_security-spoa uses v3, I can use a volume or git-sync to retrieve the CRS, which will be reloaded automatically!?

@GMartinez-Sisti
Contributor

If you manage to get modsecurity v3 working, you can submit a PR. In theory that should work.
