Ross Presser

Reputation: 6255

Set mod_security to detectionOnly for a specific page?

If mod_security is set to On for the whole website, is there a way I can set specific pages to DetectionOnly?

Use case is that the application is used to configure websites, and use of CSS or js is very common, but very likely to make modsecurity throw an XSS rule exception. I'd like to detect those exceptions but not block them, on those pages only. However on all other pages I want rule exceptions to block.

More gritty detail: The application is actually an IIS application running on another Windows server, while mod_security is running in Apache on a linux server. haproxy directs incoming requests to apache, and apache takes the request through modsecurity; if it passes, it reverse-proxies it back to haproxy, which then passes it to IIS.

== incoming request ==> haproxy ==> apache 
                                      v
                                    mod_security
                                      v
        IIS machine <== haproxy <== mod_proxy

(yes, there's a good reason for using haproxy. We have hundreds of https certificates, and we can point haproxy at a folder full of them and it will pick the right one, based on the SNI https request. Haven't found anything else that can do that yet.)

So there's no directory on the apache side where a .htaccess file would make sense, at least to my tiny mind.

Paths to be treated as DetectionOnly would match the host admin.mysite.com and the path ^/site/[a-zA-Z0-9-]+/Settings$

Upvotes: 1

Views: 1181

Answers (1)

Barry Pollard

Reputation: 45970

Something like this should work (untested):

# Scoping rule, not a detection: pass,nolog so it never blocks or logs on its own; t:lowercase so Host case does not matter.
# REQUEST_FILENAME is the path without the query string, so "Settings$" still matches /site/x/Settings?tab=css (REQUEST_URI would not).
SecRule REQUEST_HEADERS:Host "@streq admin.mysite.com" "phase:1,id:1234,t:none,t:lowercase,pass,nolog,chain"
    SecRule REQUEST_FILENAME "@rx ^/site/[a-zA-Z0-9-]+/Settings$" "t:none,ctl:ruleEngine=DetectionOnly"

Just add that rule before any of the others and make sure the id is unique (I've used 1234 as an example).

The rule engine will be reset for the next request as ctl changes are for this request only.

Upvotes: 3
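To check the scoping logic of that chained rule before deploying it, here is a small Python simulation of what it decides per request. This is an added example, not code from the question or the answer, and it does not run ModSecurity: it reimplements only the two conditions of the chain (Host comparison after lowercasing, anchored path regex) and the resulting engine mode, then shows what happens when a later detection rule such as an XSS rule fires. The request samples, the `Request` class and the `disposition()` helper are constructed for illustration. The `match_on` switch exists to show the one edge case worth knowing: applying the anchored regex to the full request URI (path plus query string) makes `/site/x/Settings?tab=css` fall out of the DetectionOnly scope, while applying it to the path alone keeps it in.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Same values as in the answer's rule.
ADMIN_HOST = "admin.mysite.com"
SETTINGS_PATH = re.compile(r"^/site/[a-zA-Z0-9-]+/Settings$")


@dataclass(frozen=True)
class Request:
    """Constructed stand-in for one HTTP request (hypothetical helper, not a ModSecurity API)."""
    host: str   # value of the Host header
    uri: str    # path plus optional query string, like ModSecurity's REQUEST_URI


def rule_engine_mode(req, default="On", match_on="filename"):
    """Engine mode the request would be evaluated under after the scoping rule runs.

    match_on="filename": regex applied to the path only (REQUEST_FILENAME).
    match_on="uri":      regex applied to path+query (REQUEST_URI), the weaker variant.
    """
    # First link of the chain: Host must equal admin.mysite.com (t:lowercase makes it case-insensitive;
    # @streq is exact, so a Host header carrying a port such as admin.mysite.com:8443 does NOT match).
    if req.host.lower() != ADMIN_HOST:
        return default
    # Second link: anchored path regex. With the query string left in, "Settings$" cannot match.
    target = urlsplit(req.uri).path if match_on == "filename" else req.uri
    return "DetectionOnly" if SETTINGS_PATH.match(target) else default


def disposition(req, detection_rule_matched, match_on="filename"):
    """What happens when a later detection rule (e.g. an XSS rule) fires on this request."""
    mode = rule_engine_mode(req, match_on=match_on)
    if not detection_rule_matched:
        return "allow"
    return "block" if mode == "On" else "log-only"


def process(requests, match_on="filename"):
    """Evaluate a sequence of requests; every request starts from the default mode again,
    which mirrors the fact that a ctl: change applies to the current transaction only."""
    return [rule_engine_mode(r, match_on=match_on) for r in requests]


# Constructed sample traffic.
SAMPLE = [
    Request("admin.mysite.com", "/site/acme-01/Settings"),          # in scope
    Request("admin.mysite.com", "/site/acme-01/Settings?tab=css"),  # in scope only if path-based
    Request("ADMIN.mysite.com", "/site/acme-01/Settings"),          # in scope: Host lowercased
    Request("admin.mysite.com", "/site/acme-01/Settings/extra"),    # out: regex is anchored
    Request("admin.mysite.com", "/site/acme 01/Settings"),          # out: space not in class
    Request("admin.mysite.com:8443", "/site/acme-01/Settings"),     # out: @streq is exact
    Request("www.mysite.com", "/site/acme-01/Settings"),            # out: wrong host
]

if __name__ == "__main__":
    for req, mode in zip(SAMPLE, process(SAMPLE)):
        print(f"{req.host:22} {req.uri:32} -> {mode:13} "
              f"(XSS hit would be: {disposition(req, True)})")
```

Running the script lists each sample request with the engine mode it would get and whether a subsequent XSS hit would be blocked or only logged; switching `process(SAMPLE, match_on="uri")` shows the second request dropping back to blocking mode, which is why the rule should match on the path rather than on the full URI.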
