Anyone ideas on this ?

On Wed, Nov 20, 2013 at 10:21 AM, Thomas Eckert <> wrote:
Trying to figure this out, hopefully someone can point me in the right direction.

Apache 2.4.3
mod_security 2.7.3
owasp crs 2.2.7

I'm seeing 'phase:1' rules - e.g. owasp crs proto violations - being applied to incoming client traffic before apache's core decides which vhost to send that traffic to. Given the fact those rules are actually included in a vhost, this does not make sense to me. There are no rule definitions/includes anywhere but in the vhosts.

Looking at the code the phase:1 rules seem to be performed on Apache's post_request hook, which means the before mentioned rules are really applied before apache decides on which vhost to use.

Easy to reproduce: use two vhosts, one with proto violations from owasp crs enabled and one vhost without any mod_security rules. Connect to the second, do 'GET ..' and see the proto violations rules kick in.

In another module, I need to be able to do some vhost-based logic *before* the rules kick in. That logic needs the vhost information to work and that's simply not possible on the post_request hook.

How is 'phase:1' supposed to work in regards to vhosts ? Is the above described behaviour 'as-wanted' and if so why ?