blog: CRS migration series part 7 — engine-specific notes #516

Open
fzipi wants to merge 8 commits into main from blog/crs-migration-part-7

fzipi (Member) commented Jun 19, 2026

what

Adds Part 7 — the final post — of the CRS 3.3 → 4.25 LTS migration series.

  • Covers the CRS 4 engine support matrix (ModSecurity v2/v3, Coraza)
  • Documents explicitly unsupported configurations
  • Notes Lua plugin requirements per engine
  • Coraza migration considerations
  • New Docker image tagging scheme, including LTS tags

content/blog/2026-05-11-migrating-from-crs-3-to-crs-4-part-7-engines.md plus its header image.

why

Closes out the migration series by covering the engine layer, which the previous six posts (config, plugins, anomaly scoring, rule changes, tuning) did not address. Readers running on different WAF engines need to know what CRS 4 supports and how Docker-based deployments change.

refs

Summary by CodeRabbit

  • Documentation
    • Added a new part to the CRS 3 → CRS 4 migration guide focused on engine-specific notes, including support matrices, unsupported combinations, and engine guidance for ModSecurity v2, ModSecurity v3 (with Nginx), and Coraza.
    • Updated the capability plugins table to clarify that antivirus-plugin requires Lua.

fzipi and others added 3 commits June 18, 2026 19:51
Covers the CRS 4 engine support matrix (ModSecurity v2/v3, Coraza),
unsupported configurations, Lua plugin requirements per engine, Coraza
migration considerations, and the new Docker image tagging scheme
including LTS tags.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The author is already shown from the front matter. Adds the
related-pages shortcode to cross-link migration series posts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cloudflare-workers-and-pages Bot commented Jun 19, 2026

Deploying website with Cloudflare Pages

Latest commit: 5fc8f9a
Status: ✅  Deploy successful!
Preview URL: https://7b06838b.website-1u6.pages.dev
Branch Preview URL: https://blog-crs-migration-part-7.website-1u6.pages.dev


coderabbitai Bot (Contributor) commented Jun 19, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4fead557-16b8-4d16-88ce-ad9bec775892

📥 Commits

Reviewing files that changed from the base of the PR and between 4ee541e and 5fc8f9a.

📒 Files selected for processing (1)
  • content/blog/2026-05-11-migrating-from-crs-3-to-crs-4-part-7-engines.md
📝 Walkthrough

A minor clarification to plugin documentation adds Lua requirement notes to the antivirus-plugin entry. A comprehensive new blog post (Part 7) documents CRS 4 engine support, per-engine migration guidance for ModSecurity v2/v3 and Coraza, official Docker image usage and configuration, plugin installation via derived images, and concludes the migration series with LTS support window information.

Changes

CRS Migration Documentation Updates

| Layer / File(s) | Summary |
| --- | --- |
| Antivirus plugin Lua requirement clarification (content/blog/2026-04-13-migrating-from-crs-3-to-crs-4-part-3-plugins.md) | The antivirus-plugin capability table entry is updated to explicitly note that it requires Lua. |
| Engine support matrix and Part 7 introduction (content/blog/2026-05-11-migrating-from-crs-3-to-crs-4-part-7-engines.md) | Post front matter (author, date, tags, slug) and introductory scope text introduce Part 7 and present the CRS 4 supported and unsupported engine combination matrix. |
| Per-engine migration notes (content/blog/2026-05-11-migrating-from-crs-3-to-crs-4-part-7-engines.md) | Three sections document CRS 4 behavior for ModSecurity v2 (plugin include ordering, Lua compilation requirements, SecCollectionTimeout removal, version 2.9.x requirement), ModSecurity v3/Nginx (connector caveats, absent v2 directives, WebAppID support, Lua build verification), and Coraza (recommended for new deployments, no WebAppID, RE2 regex backend, Lua plugin compatibility constraints). |
| Docker image guidance and series recap (content/blog/2026-05-11-migrating-from-crs-3-to-crs-4-part-7-engines.md) | Documents official Docker image names and tag semantics (including LTS pinning and experimental variants), environment variable configuration of crs-setup.conf, derived-image plugin installation workflow, CRS v4.25.0 LTS support window statement, and related-pages metadata. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • franbuehler
  • theseion

Poem

🐇 Hop hop, the engines align,
ModSec and Coraza, all in a line!
Docker tags pinned, Lua checked with care,
The migration series completes with flair.
A rabbit rejoices — the docs are there! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding Part 7 of the CRS migration blog series focused on engine-specific notes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
content/blog/2026-05-11-migrating-from-crs-3-to-crs-4-part-7-engines.md (1)

103-103: ⚡ Quick win

Standardize regex terminology for consistency.

The sentence mixes regexp (the Go package name) and "regex" (informal term). Use consistent terminology throughout.

💡 Proposed fix: standardize to "regular expression" or "regex"
-**RE2/Hyperscan.** Coraza can be built with RE2 or Go's native `regexp` package. CRS 4's RE2 compatibility (covered in Part 5) means that CRS rules work correctly regardless of which regex backend Coraza uses.
+**RE2/Hyperscan.** Coraza can be built with RE2 or Go's native `regexp` package. CRS 4's RE2 compatibility (covered in Part 5) means that CRS rules work correctly regardless of which regular expression backend Coraza uses.
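
Review bot: The bold label "RE2/Hyperscan." on both the removed and the added line names Hyperscan, but the sentence that follows only mentions RE2 and Go's native `regexp` package, so the label promises something the text does not cover. Either add a clause saying how Hyperscan relates to Coraza or shorten the label to match the sentence. The replacement also only touches the final "regex backend"; if the goal is consistent terminology, check the neighbouring sentences for the same informal term before merging.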

Alternatively, use "regex" consistently if informal terminology is preferred.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/blog/2026-05-11-migrating-from-crs-3-to-crs-4-part-7-engines.md` at
line 103, The sentence inconsistently uses "regexp" (the Go package name) and
"regex" (informal terminology) which creates confusion. Standardize the
terminology by choosing either "regular expression" or "regex" and applying it
consistently throughout the sentence. Replace the informal "regex" references
with your chosen standard terminology, while keeping "regexp" only when
specifically referring to the Go package name in code context. Ensure any
similar inconsistencies in related sentences are also corrected.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e62b3556-6525-46f0-ab8f-e8226667e547

📥 Commits

Reviewing files that changed from the base of the PR and between aa8e64d and ca7e08b.

⛔ Files ignored due to path filters (1)
  • static/images/2026/04/pexels-brett-sayles-4508751.jpg is excluded by !**/*.jpg
📒 Files selected for processing (1)
  • content/blog/2026-05-11-migrating-from-crs-3-to-crs-4-part-7-engines.md

- Part 3: mark antivirus-plugin as requiring Lua (matches plugin prerequisites)
- Part 7: list overview in series intro; use 'regular expression engine'
Comment thread content/blog/2026-05-11-migrating-from-crs-3-to-crs-4-part-7-engines.md Outdated
fzipi and others added 4 commits June 20, 2026 09:48
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>