Alright, I managed to get OWASP CRS working properly and confirmed it’s just a CyberPanel UI bug.
Fresh CyberPanel installs don’t ship with the owasp-crs folder at all, so the toggle will never stay enabled. You have to create it manually.
Here’s what I did:
sudo mkdir -p /usr/local/lsws/conf/modsec/owasp-crs
cd /usr/local/lsws/conf/modsec/owasp-crs
sudo wget https://github.com/coreruleset/coreruleset/archive/refs/heads/v3.3/master.zip -O crs.zip
sudo apt install unzip
sudo unzip crs.zip
sudo mv coreruleset-*/ rules
# Fix permissions so LSWS can read it
sudo chown -R lsadm:lsadm /usr/local/lsws/conf/modsec/owasp-crs
# Add CRS include lines
sudo nano /usr/local/lsws/conf/modsec/rules.conf
Add these at the bottom if they aren’t already there:
Include /usr/local/lsws/conf/modsec/owasp-crs/crs-setup.conf
Include /usr/local/lsws/conf/modsec/owasp-crs/rules/*.conf
Then restart:
sudo systemctl restart lsws
OWASP CRS loads fine after that (confirmed in the logs), even though the CyberPanel toggle still flips back to OFF. That part is definitely a UI bug and should be fixed by CP team.
Quick test (you should get blocked if CRS is working):
Visit something like:
https://your-domain.com/?test=<script>alert(1)</script>
OWASP will block it even though the toggle still turns OFF.
So CRS works, the UI toggle is the bug.