Closed
Description
It seems like the redirect action on the current master is behaving differently from ModSecurity v2.
When investigating an issue, it was found that in order for the action to work as intended in my environment, it was mandatory for the rule writer to specify the actual status code for the redirect, in the form of:
SecRule REQUEST_URI "@contains /administrator" "id:2000001,\
    phase:1,\
    log,\
    status:301,\
    redirect:'http://1.1.1.1/failed.html',\
    t:none,\
    msg:'Unauthorized administrator request'"
One could expect that, by simply adding the redirect action and omitting the status code, libModSecurity would still trigger the 302 by default when the action is initialized here, but instead it's triggering the SecDefaultAction defined for the phase on which the rule is running, even without specifying the block action.