From: developer@three-point-five.dev   
      
   Package: libnginx-mod-http-modsecurity   
   Version: 1.0.3-2+b2   
      
   I was testing out a simple install of ModSecurity with NGINX in a Debian 13   
   container (Docker debian:13). After installing `libnginx-mod-htt   
   -modsecurity`, I removed the default /etc/nginx/sites-enabled/default file and   
   added the /etc/nginx/sites-enabled/   
   default-modsecurity.conf file, uncommenting the `modsecurity on;` and   
   `modsecurity_rules_file /etc/nginx/modsecurity_includes.conf;` directives.   
   Then I editted the /etc/nginx/modsecurity_includes.conf file by uncommenting   
   the `include /usr/share/   
   modsecurity-crs/owasp-crs.load` directive. Then, starting nginx gets this   
   error:   
      
   2026/02/14 22:50:24 [emerg] 3594#3594: "modsecurity_rules_file" directive   
   Rules error. File: /usr/share/modsecurity-crs/owasp-crs.load. Line: 6. Column:   
   81. Invalid input:  IncludeOptional /etc/modsecurity/crs/REQUEST   
   900-EXCLUSION-RULES-BEFORE-CRS.conf    
   in /etc/nginx/sites-enabled/default-modsecurity.conf:51   
      
   It is simple enough to fix by changing `IncludeOptional` in /usr   
   share/modsecurity-crs/owasp-crs.load to just `Include`. I understand that file   
   belongs to the `modsecurity-crs` but I believe that is shared between the   
   Nginx and Apache configurations so I    
   wasn't sure which page to package to file the bug with. I'm not sure if it   
   makes sense to update that file in the `modsecurity-crs` package to just use   
   include since that would work for both webservers, or if this package should   
   provide a separate file    
   that works out of the box with the Nginx configuration.   
      
   Best Regards,   
   Robert Gingras   
   developer@three-point-five.dev   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)