Checking my spec file revealls
  ./configure --with-apxs=/usr/apache/bin/apxs
That's all there is build wise. I haven't checked mod_security's build system to see what the deafult is but judging from your reply it's 'off'.

On Tue, Nov 26, 2013 at 3:52 PM, Ryan Barnett <> wrote:
You might want to review a current, somewhat similar thread on the OWASP ModSecurity CRS list - 

What might be happening here is a mismatched between which hook your phase:1 rules are running in (post-read-request vs. fixup).  If you look at your config.log file when you compiled ModSecurity, did you you use the "--enable-request-early" configuration flag?  If so, you might want to remove that and recompile.  In your setup, if you want Apache scope context (including Vhost containers), you might need to have phase:1 actually run within the fixup phase.

For most installs, users want to globally apply the HTTP Protocol Enforcement rules in the Apache core context and then optionally apply rules/exceptions to Vhosts.

Hope this info helps.

Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Thomas Eckert <>
Reply-To: "" <>
Date: Wednesday, November 20, 2013 4:21 AM
To: "" <>
Subject: [mod-security-users] phase 1 rules and vhost decision

Trying to figure this out, hopefully someone can point me in the right direction.

Apache 2.4.3
mod_security 2.7.3
owasp crs 2.2.7

I'm seeing 'phase:1' rules - e.g. owasp crs proto violations - being applied to incoming client traffic before apache's core decides which vhost to send that traffic to. Given the fact those rules are actually included in a vhost, this does not make sense to me. There are no rule definitions/includes anywhere but in the vhosts.

Looking at the code the phase:1 rules seem to be performed on Apache's post_request hook, which means the before mentioned rules are really applied before apache decides on which vhost to use.

Easy to reproduce: use two vhosts, one with proto violations from owasp crs enabled and one vhost without any mod_security rules. Connect to the second, do 'GET ..' and see the proto violations rules kick in.

In another module, I need to be able to do some vhost-based logic *before* the rules kick in. That logic needs the vhost information to work and that's simply not possible on the post_request hook.

How is 'phase:1' supposed to work in regards to vhosts ? Is the above described behaviour 'as-wanted' and if so why ?

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing
conversations that shape the rapidly evolving mobile landscape. Sign up now.
mod-security-users mailing list
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: