I was an early adopter of ModSecurity. I first came across it in about 2005 and was immediately intrigued. Here was a tool that could help me improve my life, indirectly, by improving the security of the systems I manage. I started to use it, although you could say it grew on me slowly over time. You see, I’m a medievalist who landed in web server security when my application for a job at an open air museum was declined. In parallel with the new job, I was also running one of the better known reenactment companies, recreating medieval life for a museum audience. I got married, we started a family, we purchased a historical house (with all the strings attached), and though ModSecurity became more and more important to me over the years, it remained a day job because evenings and weekends were already occupied.
I slowly started to teach Apache and ModSecurity courses, I published blog posts and tutorials on the use of ModSecurity, and, last year, the day job started to expand into evenings and weekends when I became involved with the OWASP ModSecurity Core Rule Set project. I joined a very active team and became invested in the development of the Core Rules Paranoia Mode and Sampling Mode, two core features of the Core Rule Set 3.0 release.
When Ivan asked me to write this new edition of ModSecurity Handbook, it felt like a culmination of my work with ModSecurity! This work allowed me to explore features and areas I hadn’t used before. It gave me a better view of ModSecurity and—shhh, don’t tell anyone—I am probably the person who profited most from it.
I started with an overhaul of the reference section of the book. About one-third of it is brand-new, because many new features were added to ModSecurity in the six years since the first edition of this book was published. Another significant effort was adding more detail throughout and many examples to better explain what each feature did. This is especially visible with the transformations that now come with handy “before” and “after” examples, which provide much-needed clarity about exactly how data is changed. The idea behind this expansion was to describe the usage of the software in a consistent way and to give people who know the online reference substantial value when they buy the book.
The prose part of the book saw fewer updates: some additions to most chapters, small fixes here and there, rewordings, and removing legacy explanations or historical information (e.g., new features in version 2.5.12). All in all, I blew away the dust from that part of the book. This is not true for Chapter 10, Performance, which was updated with substantial new data obtained from many different test runs in multiple scenarios. This allowed me to assess performance anew, and I was able to show that the performance of ModSecurity transformations now is not quite how it was when the first edition was written (now it’s better!).
You don’t write a book on your own, and you don’t get into a position to write a technical book on your own, either. Many people contributed in their own way to my work, and I can only name a few of them here. Let their names stand in for many more people like them. First and foremost, my thanks belong to my company of many years, netnea in Berne, Switzerland. Netnea’s decision to hire a PhD (me, still hot from the press and hitherto specialized in German mysticism) allowed me to start on this adventure in the first place.
Jelena Girić-Ristić from Feisty Duck, this book’s publisher, accompanied me from the moment I accepted this project, and her good spirit kept me working during days when gray clouds covered the sky. Ivan, who wrote the first edition of this book, acted as a technical editor this time around and offered his guiding hand to help achieve clarity when explaining complex topics. Osama Elnaggar, Walter Hop, Marco Pizzoli, and Chaim Sanders reviewed the manuscript and pointed out shortcomings that I had overlooked. Finally, Melinda Rankin came in as copyeditor when they were done and gave the manuscript a most welcome polish.
My marvelous wife Saara is the rare sort of a pastor running a Linux desktop and helping her techie husband configure his mobile phone. She put up with me when I grew grumpy or felt lost with all this book writing, and she cheered me up with her understanding. Our two boys had to put up with me as well, and I feel sorry for all the playing and fun that we missed out on in recent months.
But in the end, what really made this book possible was my experience working with Apache and ModSecurity over the years, in turn possible thanks to my customers, who trusted my growing knowledge and who placed their security projects into my hands. I can’t name them all, of course, but I will name Swiss Post, my most important customer. The management at Swiss Post allowed me and the engineering team to invest in a carefully designed reverse proxy platform we are all very proud of. This success was of primordial importance to this book. Other customers bring new challenges with every project, and they all teach me new concepts and new ways to run Apache and ModSecurity. It’s a great adventure every day.