docs(known-issues): document early blocking

[fzipi]

what

• document early blocking problems as known issues

Fixes #221

[cloudflare-workers-and-pages]

Deploying crs-documentation with    Cloudflare Pages

Latest commit:	9f10c39
Status:	✅  Deploy successful!
Preview URL:	https://ca8ecd58.documentation-km5.pages.dev
Branch Preview URL:	https://chore-add-early-blocking-doc.documentation-km5.pages.dev

View logs

[theseion]

I think this is the wrong way around. @airween? Didn't the issue say they used --disable-request-early?

[airween]

Yes, @theseion is right. I think we should suggest don't use --disable-request-early flag.

[fzipi]

Ugh. Is it just the name, or the behavior completely changes? Can you point me to the docs?

[airween]

I just found this one:

Starting with ModSecurity 2.7.0 there are a few important configuration options

3. --enable-request-early - On ModSecurity 2.6 phase one has been moved to phase 2 hook, if you want to play around it use this option.

But in configure.ac, the logic is in opposite direction:

  if test "$enableval" != "no"; then
    request_early="-DREQUEST_EARLY"
    MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $request_early"
  else
    request_early=
  fi
],
[
  request_early='-DREQUEST_EARLY'

The logic:

• if the user passes this option, and the value is not no (which equals with --disable-request-early, then feature will be turned ON
• if the user does not pass this option, then the build script assumes it's necessary and will be turned ON

[Xhoenix]

Any updates on this?

[Xhoenix]

Ping @coreruleset/core-developers

[Copilot]

Pull request overview

This PR documents the --enable-request-early ModSecurity compilation flag in the CRS known issues section, addressing issue #221. The documentation explains why this flag should remain disabled by default and describes the risks associated with enabling it. Additionally, the PR reorganizes the existing known issues with improved formatting using emojis for better visual structure.

Changes:

• Added comprehensive documentation for ModSecurity's --enable-request-early flag including motivation, technical details, risks, and recommendations
• Reorganized existing known issues into categorized sections (Apache, ModSecurity, Debian, CRS + ModSecurity, libmodsecurity3)
• Enhanced visual structure with emoji icons for improved readability

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The formatting inside the code block is inconsistent. Line 72 ends with a backtick that doesn't match the opening backticks on line 70. The backtick at the end of line 72 should be removed - it appears to be a stray character that would cause the code block to render incorrectly.

Suggested change

	Action 'configtest' failed.`
	Action 'configtest' failed.

[Copilot]

The example configuration commands suggest compiling ModSecurity with the --enable-request-early flag. However, this documentation is for the CRS (Core Rule Set), not ModSecurity itself. Users reading CRS documentation would typically install pre-compiled ModSecurity packages. Consider clarifying that this flag must be set when compiling ModSecurity from source, and that users need to check with their package maintainer or compile ModSecurity themselves to enable this flag. The current wording could confuse users who are only installing/configuring CRS.

[Copilot]

Inconsistent punctuation within the bullet points. Line 84 ends with a period after the code block, while line 89 does not. For consistency across the documentation, either all bullet point sentences should end with periods or none should. Review the entire section to ensure consistent punctuation style.

Suggested change

	:warning: Please do not use such an older version of ModSecurity. Upgrade to the latest and greatest.
	:warning: Please do not use such an older version of ModSecurity. Upgrade to the latest and greatest..