I've been having difficulties getting ModSecurity to inspect the request inside a <Location>. It looks like Phase 2 is not being reached for URLs that require authentication.
We are using an authentication handler that (unfortunately) must respond with a 307 redirect to another server.
When I disable the problematic authentication handler, ModSecurity works very well.
I am thinking that when I enable the authentication handler, the redirect response bypasses the fixup handler and thus ModSecurity Phase 2.
Is there a way around this problem? Could Phase 2 rules be executed earlier in the Apache request cycle? Perhaps at the header parsing phase?