I'm trying to create a simple ModSecurity regex rule that stops processing the rules when a match is found and just returns status 200 on a POST request so that it doesn't continue and get blocked by another CRS rule later in the chain.
Here's my rule:
SecRule REQUEST_URI "@rx ^(?i)/cgi-bin/myPHPScript.php" \
"id:3021,allow,phase:2,nolog"
What happens is that sometimes the rule runs and is allowed, but other times ModSecurity continues and gets caught by ModSecurity's built-in CRS rules after this rule, and I can't seem to figure out why. I am new to ModSecurity and have been reading all the online docs but have not found the answer yet. I have also tried regex rules which (in other places I've used regex) were used slightly differently, with the same results. Sometimes they work and other times they do not.
"@rx ^/\cgi-bin\/myPHPScript\.php"
"@rx ^.*\/cgi-bin\/myPHPScript\.php.*$"
I want to understand what's wrong with this particular situation because I have other more complex regex scripts I want to allow as well, so understanding the issue with this one should apply to the others.
Thank you in advance.
[EDIT]
It appears that when:
SecRuleEngine DetectionOnly
one needs to set:
ctl:ruleEngine=Off
or
ctl:ruleEngine=On
when trying to use allow with DetectionOnly, according to this article:
https://stackoverflow.com/questions/58452059/modsecurity-is-turning-off-the-rule-engine-really-necessary-when-implementing-a
Example:
SecRule REQUEST_URI "@rx ^(?i)/cgi-bin/myPHPScript.php" \
"id:3021,allow,phase:2,nolog,ctl:ruleEngine=On"