Phases and rule ordering
It is important to understand in which order ModSecurity evaluates rules. This makes you more comfortable when creating your own rules and avoids situations where things are unexpectedly blocked or allowed even though you expect the opposite to happen.
We learned in Chapter 1 that the rule engine divides requests into five phases:
REQUEST_HEADERS (phase 1)
REQUEST_BODY (phase 2)
RESPONSE_HEADERS (phase 3)
RESPONSE_BODY (phase 4)
LOGGING (phase 5)
Rules are executed strictly in a phase-by-phase order. This means that ModSecurity first evaluates all rules in phase 1 ("request headers") for a match. It then proceeds with phases 2 through 5 (unless a rule match causes processing to stop).
Within phases, rules are processed in the order in which they appear in the configuration files. You can think of the ModSecurity engine as going through the configuration files five times; one time for each processing phase. During each pass, the engine considers only rules belonging...
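To make the two ordering rules concrete, here is a constructed configuration fragment (added for illustration, not taken from the book) whose rules are deliberately listed out of phase order; the rule ids and messages are made up:

```apache
# Constructed example: rules listed out of phase order on purpose.
# ModSecurity decides evaluation order first by phase, then by the
# position of the rule inside the configuration files.

SecRuleEngine On
SecRequestBodyAccess On

# Listed first in the file, but it is a phase 2 rule, so it is only
# evaluated after every phase 1 rule has already been considered.
SecRule ARGS "@contains ../" \
    "id:100002,phase:2,deny,status:403,msg:'Path traversal pattern in request arguments'"

# Listed second, but it runs first: phase 1 sees only the request headers.
# A match here denies the request, and no phase 2 rule is evaluated for it.
SecRule REQUEST_HEADERS:User-Agent "^$" \
    "id:100001,phase:1,deny,status:403,msg:'Empty User-Agent header'"

# Also phase 2. Within a phase the file order applies, so this runs after 100002.
SecRule ARGS:op "!@rx ^(view|edit|delete)$" \
    "id:100003,phase:2,deny,status:403,msg:'Unexpected value for the op parameter'"

# Phase 5 (logging) rules run last, after the response has been handled.
# Only response-side variables such as RESPONSE_STATUS are meaningful here.
SecRule RESPONSE_STATUS "^5" \
    "id:100005,phase:5,pass,log,msg:'Server error returned to client'"

# Effective order for one request: 100001, then 100002, then 100003, then 100005.
```

A quick way to confirm the order on your own installation is to add `log` to each rule and read the `ModSecurity:` lines in the Apache error log, which appear in evaluation order rather than file order.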