Where is lua?

[jimlongo]

[root@vps]# lua -v
Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio

I'm trying to enable the 2nd line in modsec2.conf
#LoadFile /opt/lua/lib/liblua.so

That file doesn't exist.

Here's what I have

/opt/lua/lib/lua/5.1/    (empty directory)
/usr/lib/lua/5.1/          (empty directory)
/usr/share/lua/5.1/     (empty directory) 

binary files at
/opt/lua/lib/liblua.a
/usr/bin/lua
/opt/lua/bin/lua
/opt/lua/bin/lua.c

tried all of them, and shouldn't it be this one?

[root@vps]# which lua
/usr/bin/lua

but still if I put this in modsec2.conf
LoadFile /usr/bin/lua
Apache won't restart.

Thanks.

 

[cPanelMichael]

Hello

Please let us know the specific OS that's installed on this system:

cat /etc/redhat-release

Also, what specific error message is output when Apache fails to start?

Thank you.

 

[jimlongo]

Thanks for the reply.

[root@vps ~]# cat /etc/redhat-release 
CentOS release 5.10 (Final)

If I try LoadFile /usr/bin/lua in modsec2.conf I get the following error when trying to restart apache from CL

[root@vps ~]# service httpd restart
httpd: Syntax error on line 39 of /usr/local/apache/conf/httpd.conf: Syntax error on line 5 of /usr/local/apache/conf/modsec2.conf: Cannot load /usr/bin/lua into server: /usr/bin/lua: cannot dynamically load executable

If I try to restart Apache through the WHM interface I get

Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.

If apache restart reported success but it failed soon after, it may be caused by oddities with mod_ssl.

You should run /usr/local/cpanel/scripts/ssl_crt_status as part of your troubleshooting process. Pass it --help for more details.

Also be sure to examine apache's various log files.
Apache Restart Output:

Log:
[Wed Nov 20 17:33:50.629847 2013] [:error] [pid 5594] [client 5.10.83.43:53701] File does not exist: /home/wfc/public_html/wfc_robin_duke.html
[Wed Nov 20 17:58:17.476523 2013] [:error] [pid 19479] [client 37.72.190.141:34417] File does not exist: /home/wanless/public_html/forums/profile.php, referer: http://wanlesstennis.com/forums/viewtopic.php?f=11&t=1164
[Wed Nov 20 17:58:23.451212 2013] [:error] [pid 5574] [client 37.72.190.141:35934] File does not exist: /home/wanless/public_html/forums/profile.php, referer: http://wanlesstennis.com/forums/viewtopic.php?f=11&t=1164
[Wed Nov 20 18:32:55.967657 2013] [:error] [pid 16363] [client 147.255.173.248:18047] File does not exist: /home/wanless/public_html/forums/profile.php, referer: http://wanlesstennis.com/forums/viewforum.php?f=18
[Wed Nov 20 18:32:56.593914 2013] [:error] [pid 15799] [client 147.255.173.248:18147] File does not exist: /home/wanless/public_html/forums/profile.php, referer: http://wanlesstennis.com/forums/viewforum.php?f=18
[Wed Nov 20 18:40:58.148293 2013] [cgi:error] [pid 12144] [client 94.23.233.204:59308] AH01215: configuration file not found: [default] at send_a_message.pl line 104.
[Wed Nov 20 19:23:35.752205 2013] [access_compat:error] [pid 28142] [client 192.99.0.179:37216] AH01797: client denied by server configuration: /home/rdiv/public_html/
[Wed Nov 20 19:23:38.595696 2013] [access_compat:error] [pid 5594] [client 192.99.0.179:37386] AH01797: client denied by server configuration: /home/rdiv/public_html/403.html
[Wed Nov 20 19:23:40.391813 2013] [access_compat:error] [pid 15799] [client 192.99.0.179:37545] AH01797: client denied by server configuration: /home/rdiv/public_html/wp-login.php
[Wed Nov 20 19:23:40.393152 2013] [access_compat:error] [pid 15799] [client 192.99.0.179:37545] AH01797: client denied by server configuration: /home/rdiv/public_html/403.html
[Wed Nov 20 19:58:13.608579 2013] [mpm_prefork:notice] [pid 5570] AH00169: caught SIGTERM, shutting down

 

[cPanelMichael]

Feel free to open a support ticket so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[jimlongo]

Ticket# 4401941

 

[cPanelMichael]

To update, I would like to add some aditional information from our Mod_Security documentation:

ModSecurity version 2.5 adds support for rule scripting via lua. Lua is known to have difficulties building. Lua build failures will not cause an Apache build to halt, but errors will appear in the build log upon build failure, and lua support will not be enabled. If you wish to use lua in your custom ruleset, you should carefully read about the proper usage of lua and ensure that the lua build was a success.

Some things to watch out for when you use lua:

ModSecurity marks it as "Experimental," use at your own risk.
Lua syntax or permission errors will result in Apache not being able to start.
Apache must be able to read the lua file.
Lua script changes require an Apache restart to take effect.

Lua scripts should be stored in /usr/local/apache/conf in a sub directory such as /usr/local/apache/conf/modsec-lua. Storing scripts in this location will ensure that they are available whenever Apache configurations are tested or when Apache is restarted. It will also keep them intact through EasyApache builds.

ALERT! Warning: If you fail to store lua scripts in /usr/local/apache/conf then Apache cannot build. This could result in a broken ModSecurity configuration.

Thank you.

 

[jimlongo]

Well I guess I'll give up on that.
I couldn't build lua 5.2.2 on my platform. CentOS 5.1
I tried all the recommendations in their readme.
And it keeps coming back with build errors.

 

[jimlongo]

In case it helps anyone. I found that there are 2 resources available which might help.

1. Centos has a yum installer for lua 5.1.4 Did not try this, but I've been told it works.
$ yum install lua lua-devel

2. The problem for me is not that lua wouldn't compile.
make and make install will both work.
What you need to do is create the dynamic shared library and object.

Following the instructions on this page worked for me.
Lua-5.2.2

==install the patch from that page

patch -Np1 -i ../lua-5.2.2-shared_library-2.patch &&
sed -i '/#define LUA_ROOT/s:/usr/local/:/usr/:' src/luaconf.h &&
make linux

==install lua in /usr/local/apache/conf per cpanel requirement

make INSTALL_TOP=/usr/local/apache/conf/modsec_lua TO_LIB="liblua.so liblua.so.5.2 liblua.so.5.2.1" \ INSTALL_DATA="cp -d" INSTALL_MAN=/usr/local/apache/conf/modsec_lua/share/man/man1 install &&
mkdir -pv /usr/local/apache/conf/modsec_lua/share/doc/lua-5.2.2 &&
cp -v doc/*.{html,css,gif,png} /usr/local/apache/conf/modsec_lua/share/doc/lua-5.2.2

 

[dfcs]

This is an old thread, but I thought I'd respond anyways in case someone else needs help with it.

Your main issue is described in this error:

"Syntax error on line 5 of /usr/local/apache/conf/modsec2.conf: Cannot load /usr/bin/lua into server: /usr/bin/lua: cannot dynamically load executable"

You're trying to use "LoadFile" against an ELF executable. http://httpd.apache.org/docs/2.2/mod/mod_so.html#loadfile says the correct usage would be to use object files or libraries.

However, I believe the line in modsec2.conf is incorrect:

#LoadFile /opt/lua/lib/liblua.so

I'm just guessing by the filename, but that looks like the main LUA shared object file.
While Apache modules are shared objects (.so files), not all shared objects are Apache modules.

On my system there is a /usr/lib64/liblua-5.1.so, but it doesn't contain any of the strings you would see in an Apache module file.

What you're probably looking for (and modsec2.conf should have been looking for) is the Apache module mod_lua. See http://httpd.apache.org/docs/trunk/mod/mod_lua.html for more information.

http://www.modlua.org/gs/installing has information for compiling/installing mod_lua, which should be done after a `yum install lua-devel`.

I guess it's possible that whoever created that "#LoadFile /opt/lua/lib/liblua.so" line did have their mod_lua shared object in that location, it's just a little unusual (and confusing).