I have an HTTPS website with ModSecurity.
It also has a virtual host that listens on the HTTP port and redirects to the HTTPS website, with a simple rule:
RewriteEngine On
RewriteRule ^(.*)$ https://${server_name}$1 [last,redirect=308]
ModSecurity does not seem to be working on the HTTP site, so for example, any requests by script kiddies looking for PHP vulns are redirected. Is there a way to configure Apache so that it applies the ModSecurity rules before the redirection?
This was fixed by changing the phase for the rules, e.g.
SecRule REQUEST_URI "\.(conf|ini)\b" "id:2000403,phase:1,log,deny,status:403"
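
The fix above laid out as a complete port-80 virtual host, as an added example that is not part of the original post. It assumes ModSecurity 2.x (mod_security2) on Apache, a constructed server name, and that the rule originally ran in ModSecurity's default phase 2.

```apache
# Constructed placeholder; the post's RewriteRule expands ${server_name}
# at configuration time, which requires a matching Define.
Define server_name www.example.com

<VirtualHost *:80>
    ServerName ${server_name}

    <IfModule security2_module>
        SecRuleEngine On

        # Before (assumed): no phase given, so the rule runs in the default
        # phase 2. ModSecurity 2.x evaluates phase 2 in Apache's fixups hook,
        # but the RewriteRule below has already answered with a 308 during
        # URL translation, so the rule is never evaluated.
        # SecRule REQUEST_URI "\.(conf|ini)\b" "id:2000403,log,deny,status:403"

        # After: phase 1 runs in the post-read-request hook, ahead of
        # mod_rewrite in virtual host context, so the request is denied
        # before any redirect is issued.
        SecRule REQUEST_URI "\.(conf|ini)\b" \
            "id:2000403,phase:1,log,deny,status:403"

        # Caveat: phase 1 sees the request line and headers only. Rules that
        # inspect the request body cannot be moved to phase 1.
    </IfModule>

    RewriteEngine On
    RewriteRule ^(.*)$ https://${server_name}$1 [last,redirect=308]
</VirtualHost>

# Check after reloading: a request for /test.ini on port 80 should return
# 403 and appear in the ModSecurity log; any other path should still
# return the 308 redirect.
```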