I’ve been having difficulties getting mod security to inspect the request inside a <location>. It looks like Phase 2 is not being reached for urls that require authentication.
We are using an authentication handler that (unfortunately) must respond with a 307 redirect to another server.
When I disable the problematic authentication handler mod security works very well.
I am thinking that when I enable the authentication handler the redirect response bypasses the fixup handler and thus mod security Phase 2.
Is there a way around this problem? Could Phase 2 rules be executed earlier in the apache request cycle? Perhaps at the header parsing phase?