In Outlook Web Access, some files or directories can be accessed with both the GET and SUBSCRIBE methods. However, we can't create two LocationMatch blocks in the ModSecurity configuration for the same directory or file. That is because the first LocationMatch block will always match, and if the method used does not comply with the rule, the request is rejected. So this means that the second LocationMatch block, which contains the correct method, will never be looked at. It is possible to create one "big" rule that accepts both GET and SUBSCRIBE methods, but then you also have to specify all possible headers and other options, which originally would never be used against the file or directory when one of the two methods is used. But ModSecurity is then configured to accept those options, which doesn't seem appropriate when using a whitelisting/positive security model.
Perhaps there is a simple way to work around this, but we have not found the solution yet. Does someone know how to handle this scenario using the positive security model in ModSecurity?
We are using ModSecurity 2.1.0 with Apache 2.2.4 on a Linux distribution.
Rick Hoppe
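
One way to keep a separate whitelist per method inside a single LocationMatch block is to chain each header check to a method test, so the GET list and the SUBSCRIBE list are never merged. This is an added example, not part of the original post; the path and the header names are constructed placeholders and must be replaced with what the application really sends.

```apache
# Constructed example: the location regex and header lists are placeholders.
<LocationMatch "^/exchange/example/resource$">

    # Rules use phase 2: in ModSecurity 2.x, phase 1 rules run before
    # Apache has resolved <Location>/<LocationMatch> scope.

    # 1. Reject every method other than the two this resource expects.
    SecRule REQUEST_METHOD "!^(?:GET|SUBSCRIBE)$" \
        "phase:2,deny,status:405,log,msg:'Method not whitelisted for this resource'"

    # 2. GET whitelist. The second rule is evaluated only when the first
    #    one matches, so this header list applies to GET requests alone.
    #    The negated regex fires on any header name outside the list.
    SecRule REQUEST_METHOD "^GET$" \
        "phase:2,chain,deny,status:403,log,msg:'Header not whitelisted for GET'"
    SecRule REQUEST_HEADERS_NAMES "!^(?:host|accept|cookie|user-agent)$" \
        "t:lowercase"

    # 3. SUBSCRIBE whitelist, with its own header list (assumed names).
    SecRule REQUEST_METHOD "^SUBSCRIBE$" \
        "phase:2,chain,deny,status:403,log,msg:'Header not whitelisted for SUBSCRIBE'"
    SecRule REQUEST_HEADERS_NAMES \
        "!^(?:host|cookie|user-agent|notification-type|subscription-lifetime)$" \
        "t:lowercase"

</LocationMatch>
```

The same chaining pattern can be repeated for arguments (ARGS_NAMES) or other per-method constraints, with one chained pair per method and variable.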