Looking at the code the phase:1 rules seem to be performed on Apache's post_request hook, which means the before mentioned rules are really applied before apache decides on which vhost to use.Trying to figure this out, hopefully someone can point me in the right direction.
Apache 2.4.3mod_security 2.7.3
owasp crs 2.2.7I'm seeing 'phase:1' rules - e.g. owasp crs proto violations - being applied to incoming client traffic before apache's core decides which vhost to send that traffic to. Given the fact those rules are actually included in a vhost, this does not make sense to me. There are no rule definitions/includes anywhere but in the vhosts.
Easy to reproduce: use two vhosts, one with proto violations from owasp crs enabled and one vhost without any mod_security rules. Connect to the second, do 'GET ..' and see the proto violations rules kick in.
In another module, I need to be able to do some vhost-based logic *before* the rules kick in. That logic needs the vhost information to work and that's simply not possible on the post_request hook.How is 'phase:1' supposed to work in regards to vhosts ? Is the above described behaviour 'as-wanted' and if so why ?