首页 > 代码库 > ningx配置ModSecurity重启出现兼容性问题:ModSecurity: Loaded PCRE do not match with compiled!的解决方法

ningx配置ModSecurity重启出现兼容性问题:ModSecurity: Loaded PCRE do not match with compiled!的解决方法

nginx开启错误日志,然后重启nginx,出现如下信息:

2016/12/03 09:40:38 [notice] 18858#0: ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.
2016/12/03 09:40:38 [notice] 18858#0: ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
2016/12/03 09:40:38 [notice] 18858#0: ModSecurity: PCRE compiled version="8.39 "; loaded version="8.32 2012-11-30"
2016/12/03 09:40:38 [warn] 18858#0: ModSecurity: Loaded PCRE do not match with compiled!
2016/12/03 09:40:38 [notice] 18858#0: ModSecurity: LIBXML compiled version="2.9.1"
2016/12/03 09:40:38 [notice] 18858#0: ModSecurity: StatusEngine call: "2.9.1,nginx,1.4.8/1.4.8,8.39/8.32 2012-11-30,(null),2.9.1,1041d4bc04a4b99eb3aab2c7d5ad7bbeb72f7b5b"
2016/12/03 09:40:38 [notice] 18858#0: ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/

注意红色字体部分就是兼容性的错误提示:

要求PCRE的软件版本是8.39,系统加载的是软件版本是8.32,所以更新PCRE软件版本到8.39即可解决这个问题。

那么问题来了

通过/usr/local/nginx/sbin/nginx -V 查看nginx的编译参数,PCRE的软件版本是8.39

nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.2j  26 Sep 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --without-http_memcached_module --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-1.0.2j --with-zlib=/usr/local/src/zlib-1.2.8 --with-pcre=/usr/local/src/pcre-8.39 --add-module=/usr/local/src/modsecurity-2.9.1/nginx/modsecurity

也就是说在安装nginx的时候已经安装pcre8.39软件版本了,但是看系统上的pcre软件版本却不是8.39,还是系统本身自带的软件版本8.32,具体查看如下:

# rpm -qa | grep pcre
pcre-devel-8.32-15.el7_2.1.x86_64
pcre-8.32-15.el7_2.1.x86_64

# pcre-config --version
8.32

解决方法:

1、查看系统安装的pcre软件

#rpm -qa | grep pcre
pcre-devel-8.32-15.el7_2.1.x86_64
pcre-8.32-15.el7_2.1.x86_64

2、忽略软件依赖性卸载pcre软件
#rpm -e --nodeps pcre-8.32-15.el7_2.1.x86_64
#rpm -e --nodeps pcre-devel-8.32-15.el7_2.1.x86_64

3、下载pcre.39源码进行安装

wget http://ftp.exim.llorien.org/pcre/pcre-8.39.tar.gz

tar zxvf pcre-8.39.tar.gz

cd pcre-8.39

./configure --enable-utf8(后面会说到这个)

make && make install

然后重启nginx,则不会出现ModSecurity兼容性显示,nginx错误日志如下显示:

2016/12/03 10:09:50 [notice] 28116#0: ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.
2016/12/03 10:09:50 [notice] 28116#0: ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
2016/12/03 10:09:50 [notice] 28116#0: ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
2016/12/03 10:09:50 [notice] 28116#0: ModSecurity: LIBXML compiled version="2.9.1"
2016/12/03 10:09:50 [notice] 28116#0: ModSecurity: StatusEngine call: "2.9.1,nginx,1.4.8/1.4.8,8.39/8.39 2016-06-14,(null),2.9.1,1041d4bc04a4b99eb3aab2c7d5ad7bbeb72f7b5b"
2016/12/03 10:09:50 [notice] 28116#0: ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/

查看pcre软件版本:

#rpm -qa | grep pcre (不是通过rpm方式安装的,所以这个命令查看不到)
#pcre-config --version (查看到软件版本是8.39)
8.39

#pcretest -C (换个命令查看还是8.39)
PCRE version 8.39 2016-06-14
Compiled with
  8-bit support
  No UTF-8 support (不支持utf-8)
  No Unicode properties support
  No just-in-time compiler support
  Newline sequence is LF
  \R matches all Unicode newlines
  Internal link size = 2
  POSIX malloc threshold = 10
  Parentheses nest limit = 250
  Default match limit = 10000000
  Default recursion depth limit = 10000000
  Match recursion uses stack

注意:看到pcre不支持utf-8,需要在安装编译pcre是加上参数,--enable-utf8,最终如下:./configure --enable-utf8

 

ningx配置ModSecurity重启出现兼容性问题:ModSecurity: Loaded PCRE do not match with compiled!的解决方法