Apache site that redirects to https version of site is not applying modsecurity rules

Question

I have an https website with modsecurity.

It also has a virtual host that listens to the http port and redirects to the https website, with a simple rule:

RewriteEngine On
RewriteRule ^(.*)$ https://${server_name}$1 [last,redirect=308]

modsecurity does not seem to be working on the http site, so for example, any requests by script kiddies looking for PHP vulns are redirected. Is there a way to configure Apache so that it applies the modsecurity rules before the redirection?

score 0 · Accepted Answer · answered Sep 08 '20 at 14:28

This was fixed by changing the phase for the rules, e.g.

SecRule REQUEST_URI "\.(conf|ini)\b" "id:2000403,phase:1,log,deny,status:403"

See also https://serverfault.com/questions/930676/modsecurity-secrule-based-on-original-browser-url-not-internal-rewrite-index-p

Apache site that redirects to https version of site is not applying modsecurity rules

1 Answers1