jimlongo

Well-Known Member
[[email protected]]# lua -v
Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio

I'm trying to enable the 2nd line in modsec2.conf
#LoadFile /opt/lua/lib/liblua.so

That file doesn't exist.

Here's what I have
Code:
/opt/lua/lib/lua/5.1/    (empty directory)
/usr/lib/lua/5.1/          (empty directory)
/usr/share/lua/5.1/     (empty directory) 

binary files at
/opt/lua/lib/liblua.a
/usr/bin/lua
/opt/lua/bin/lua
/opt/lua/bin/lua.c

tried all of them, and shouldn't it be this one?
Code:
[[email protected]]# which lua
/usr/bin/lua
but still if I put this in modsec2.conf
LoadFile /usr/bin/lua
Apache won't restart.

Thanks.
 

cPanelMichael

Administrator
Staff member
Hello :)

Please let us know the specific OS that's installed on this system:

Code:
cat /etc/redhat-release
Also, what specific error message is output when Apache fails to start?

Thank you.
 

jimlongo

Well-Known Member
Thanks for the reply.

Code:
[[email protected] ~]# cat /etc/redhat-release 
CentOS release 5.10 (Final)
If I try LoadFile /usr/bin/lua in modsec2.conf I get the following error when trying to restart apache from CL

Code:
[[email protected] ~]# service httpd restart
httpd: Syntax error on line 39 of /usr/local/apache/conf/httpd.conf: Syntax error on line 5 of /usr/local/apache/conf/modsec2.conf: Cannot load /usr/bin/lua into server: /usr/bin/lua: cannot dynamically load executable
If I try to restart Apache through the WHM interface I get
Code:
Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.

If apache restart reported success but it failed soon after, it may be caused by oddities with mod_ssl.

You should run /usr/local/cpanel/scripts/ssl_crt_status as part of your troubleshooting process. Pass it --help for more details.

Also be sure to examine apache's various log files.
Apache Restart Output:

Log:
[Wed Nov 20 17:33:50.629847 2013] [:error] [pid 5594] [client 5.10.83.43:53701] File does not exist: /home/wfc/public_html/wfc_robin_duke.html
[Wed Nov 20 17:58:17.476523 2013] [:error] [pid 19479] [client 37.72.190.141:34417] File does not exist: /home/wanless/public_html/forums/profile.php, referer: http://wanlesstennis.com/forums/viewtopic.php?f=11&t=1164
[Wed Nov 20 17:58:23.451212 2013] [:error] [pid 5574] [client 37.72.190.141:35934] File does not exist: /home/wanless/public_html/forums/profile.php, referer: http://wanlesstennis.com/forums/viewtopic.php?f=11&t=1164
[Wed Nov 20 18:32:55.967657 2013] [:error] [pid 16363] [client 147.255.173.248:18047] File does not exist: /home/wanless/public_html/forums/profile.php, referer: http://wanlesstennis.com/forums/viewforum.php?f=18
[Wed Nov 20 18:32:56.593914 2013] [:error] [pid 15799] [client 147.255.173.248:18147] File does not exist: /home/wanless/public_html/forums/profile.php, referer: http://wanlesstennis.com/forums/viewforum.php?f=18
[Wed Nov 20 18:40:58.148293 2013] [cgi:error] [pid 12144] [client 94.23.233.204:59308] AH01215: configuration file not found: [default] at send_a_message.pl line 104.
[Wed Nov 20 19:23:35.752205 2013] [access_compat:error] [pid 28142] [client 192.99.0.179:37216] AH01797: client denied by server configuration: /home/rdiv/public_html/
[Wed Nov 20 19:23:38.595696 2013] [access_compat:error] [pid 5594] [client 192.99.0.179:37386] AH01797: client denied by server configuration: /home/rdiv/public_html/403.html
[Wed Nov 20 19:23:40.391813 2013] [access_compat:error] [pid 15799] [client 192.99.0.179:37545] AH01797: client denied by server configuration: /home/rdiv/public_html/wp-login.php
[Wed Nov 20 19:23:40.393152 2013] [access_compat:error] [pid 15799] [client 192.99.0.179:37545] AH01797: client denied by server configuration: /home/rdiv/public_html/403.html
[Wed Nov 20 19:58:13.608579 2013] [mpm_prefork:notice] [pid 5570] AH00169: caught SIGTERM, shutting down
 

cPanelMichael

Administrator
Staff member
Feel free to open a support ticket so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
To update, I would like to add some additional information from our Mod_Security documentation:

ModSecurity version 2.5 adds support for rule scripting via lua. Lua is known to have difficulties building. Lua build failures will not cause an Apache build to halt, but errors will appear in the build log upon build failure, and lua support will not be enabled. If you wish to use lua in your custom ruleset, you should carefully read about the proper usage of lua and ensure that the lua build was a success.

Some things to watch out for when you use lua:

ModSecurity marks it as "Experimental," use at your own risk.
Lua syntax or permission errors will result in Apache not being able to start.
Apache must be able to read the lua file.
Lua script changes require an Apache restart to take effect.

Lua scripts should be stored in /usr/local/apache/conf in a sub directory such as /usr/local/apache/conf/modsec-lua. Storing scripts in this location will ensure that they are available whenever Apache configurations are tested or when Apache is restarted. It will also keep them intact through EasyApache builds.

Warning: If you fail to store lua scripts in /usr/local/apache/conf then Apache cannot build. This could result in a broken ModSecurity configuration.
Thank you.
 

jimlongo

Well-Known Member
Well I guess I'll give up on that.
I couldn't build lua 5.2.2 on my platform. CentOS 5.1
I tried all the recommendations in their readme.
And it keeps coming back with build errors.
 

jimlongo

Well-Known Member
In case it helps anyone. I found that there are 2 resources available which might help.

1. CentOS has a yum installer for lua 5.1.4. Did not try this, but I've been told it works.
$ yum install lua lua-devel

2. The problem for me is not that lua wouldn't compile.
make and make install will both work.
What you need to do is create the dynamic shared library and object.

Following the instructions on this page worked for me.
Lua-5.2.2

==install the patch from that page
Code:
patch -Np1 -i ../lua-5.2.2-shared_library-2.patch &&
sed -i '/#define LUA_ROOT/s:/usr/local/:/usr/:' src/luaconf.h &&
make linux
==install lua in /usr/local/apache/conf per cpanel requirement
Code:
make INSTALL_TOP=/usr/local/apache/conf/modsec_lua TO_LIB="liblua.so liblua.so.5.2 liblua.so.5.2.1" \
     INSTALL_DATA="cp -d" INSTALL_MAN=/usr/local/apache/conf/modsec_lua/share/man/man1 install &&
mkdir -pv /usr/local/apache/conf/modsec_lua/share/doc/lua-5.2.2 &&
cp -v doc/*.{html,css,gif,png} /usr/local/apache/conf/modsec_lua/share/doc/lua-5.2.2
 

dfcs

Registered
This is an old thread, but I thought I'd respond anyways in case someone else needs help with it.

Your main issue is described in this error:

"Syntax error on line 5 of /usr/local/apache/conf/modsec2.conf: Cannot load /usr/bin/lua into server: /usr/bin/lua: cannot dynamically load executable"

You're trying to use "LoadFile" against an ELF executable. http://httpd.apache.org/docs/2.2/mod/mod_so.html#loadfile says the correct usage would be to use object files or libraries.

However, I believe the line in modsec2.conf is incorrect:

#LoadFile /opt/lua/lib/liblua.so

I'm just guessing by the filename, but that looks like the main LUA shared object file.
While Apache modules are shared objects (.so files), not all shared objects are Apache modules.

On my system there is a /usr/lib64/liblua-5.1.so, but it doesn't contain any of the strings you would see in an Apache module file.

What you're probably looking for (and modsec2.conf should have been looking for) is the Apache module mod_lua. See http://httpd.apache.org/docs/trunk/mod/mod_lua.html for more information.

http://www.modlua.org/gs/installing has information for compiling/installing mod_lua, which should be done after a `yum install lua-devel`.

I guess it's possible that whoever created that "#LoadFile /opt/lua/lib/liblua.so" line did have their mod_lua shared object in that location, it's just a little unusual (and confusing).
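
Added example, not part of any post in this thread: a shell check that tells apart the three kinds of file tried above (the `lua` executable, the static `liblua.a`, and a shared `liblua.so`) by reading the file header before the path goes into a LoadFile line. The function name and the sample files are constructed for illustration; position-independent executables also report ET_DYN, so a "shared-object" result is necessary but not sufficient, and it says nothing about whether the file is an Apache module.

```shell
# Added example: classify a file before pointing Apache's LoadFile at it.
# Prints one of: shared-object executable static-archive other-elf not-elf missing
classify_loadfile_target() {
    f=$1
    [ -r "$f" ] || { echo missing; return 0; }
    # First 18 bytes as hex: 16 bytes of e_ident followed by the 2-byte e_type.
    hdr=$(od -An -v -tx1 -N18 "$f" | tr -d '[:space:]')
    case $hdr in
        213c617263683e0a*) echo static-archive; return 0 ;;  # "!<arch>\n" (ar archive)
        7f454c46*) ;;                                        # "\x7fELF", keep going
        *) echo not-elf; return 0 ;;
    esac
    data=$(printf %s "$hdr" | cut -c11-12)   # EI_DATA: 01 little-endian, 02 big-endian
    b0=$(printf %s "$hdr" | cut -c33-34)     # e_type, first byte
    b1=$(printf %s "$hdr" | cut -c35-36)     # e_type, second byte
    if [ "$data" = 02 ]; then etype=$b0$b1; else etype=$b1$b0; fi
    case $etype in
        0003) echo shared-object ;;   # ET_DYN: shared object, loadable with dlopen()
        0002) echo executable ;;      # ET_EXEC: "cannot dynamically load executable"
        *)    echo other-elf ;;       # e.g. relocatable object or truncated header
    esac
}

# Constructed 18-byte headers standing in for the files named in the thread.
tmp=$(mktemp -d)
printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000' > "$tmp/lua"
printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\003\000' > "$tmp/liblua.so"
printf '!<arch>\n' > "$tmp/liblua.a"
for name in lua liblua.so liblua.a; do
    printf '%s: %s\n' "$name" "$(classify_loadfile_target "$tmp/$name")"
done
```

On a real server, call `classify_loadfile_target` with the actual path from the LoadFile line, then confirm the configuration with Apache's own syntax test before restarting.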