Intermittent nginx startup failure on modsecurity_rules_remote with libnginx-mod-http-modsecurity 1.0.3 / libmodsecurity 3.0.12 on Ubuntu

[fc12-burger]

Hi guys, seeking assistance, if anyone face this issue, and if anyone face the same issue, and if there is any solution to this.

Environment
OS: Ubuntu 24.04.4 LTS (Noble Numbat)
Nginx: nginx/1.24.0 (Ubuntu)
ModSecurity library: libmodsecurity3t64 3.0.12-1.1build2
Nginx ModSecurity module: libnginx-mod-http-modsecurity 1.0.3-1build3
CRS package installed: modsecurity-crs 3.3.5-2

Problem
nginx sometimes fails to start at the modsecurity_rules_remote directive:

[emerg] "modsecurity_rules_remote" directive in /etc/nginx/nginx.conf:16 nginx: configuration file /etc/nginx/nginx.conf test failed

However, manual restart nginx later without any config changes succeeds:

ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/7/1055)

Nginx Journactl log

Apr 22 03:09:50 web-server systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server...
Apr 22 03:09:53 web-server nginx[866]: 2026/04/22 03:09:50 [notice] 866#866: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/7/1055)
Apr 22 03:09:54 web-server nginx[1099]: 2026/04/22 03:09:53 [notice] 1099#1099: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/7/1055)
Apr 22 03:09:54 web-server systemd[1]: Started nginx.service - A high performance web server and a reverse proxy server.
Apr 23 06:33:27 web-server systemd[1]: Stopping nginx.service - A high performance web server and a reverse proxy server...
Apr 23 06:33:27 web-server systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server...
Apr 23 06:33:27 web-server nginx[50420]: 2026/04/23 06:33:27 [emerg] 50420#50420: "modsecurity_rules_remote" directive in /etc/nginx/nginx.conf:16
Apr 23 06:33:27 web-server nginx[50420]: nginx: configuration file /etc/nginx/nginx.conf test failed
Apr 23 06:33:27 web-server systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Apr 23 06:33:27 web-server systemd[1]: nginx.service: Failed with result 'exit-code'.
Apr 23 06:33:27 web-server systemd[1]: Failed to start nginx.service - A high performance web server and a reverse proxy server.
Apr 23 06:39:47 web-server systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server...
Apr 23 06:39:49 web-server nginx[55800]: 2026/04/23 06:39:47 [notice] 55800#55800: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/7/1055)
Apr 23 06:39:50 web-server nginx[55804]: 2026/04/23 06:39:49 [notice] 55804#55804: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/7/1055)
Apr 23 06:39:50 web-server systemd[1]: Started nginx.service - A high performance web server and a reverse proxy server

Line 16 in nginx.conf

14 modsecurity on;
15 modsecurity_rules_file /etc/nginx/modsecurity.conf;
16 modsecurity_rules_remote SECKEY https://rules.malware.expert/download.php?rules=generic;
17 modsecurity_rules 'Include /etc/nginx/modsec/custom-whitelist-blacklist.conf';
18 server_tokens off;

I tried setting SecRemoteRulesFailAction Warn in /etc/nginx/modsecurity.conf based on #109 but nginx startup failure still occurred.**

SecRuleEngine On
SecRemoteRulesFailAction Warn

Question: Is this expected behavior specifically for modsecurity_rules_remote in the nginx connector, and is there any connector-side supported way to avoid hard startup failure on transient remote rule retrieval issues?

Thanks!

[airween]

Hi @fc12-burger,

sorry for the late reply.

Is this expected behavior specifically for modsecurity_rules_remote in the nginx connector

No, I'm not sure this is not a normal behavior. I assume you've a network connection issue, or a remote rule syntax problem.

Could you turn on the debug.log with highest level?