Implement Phase 4 handling for ModSecurity-nginx

[Easton97-Jens]

What changed

This PR introduces and stabilizes dedicated phase:4 handling for the nginx ModSecurity connector.

Main additions include:

• Support for configurable phase4 handling modes:
  • minimal
  • safe
  • strict
• Explicit late-intervention handling when response headers were already sent
• Dedicated phase4 JSON logging via:
  • modsecurity_phase4_log
• Configurable content-type scoping through:
  • modsecurity_phase4_content_types_file
• Additional parser, logging, HTTP/2, proxy, and regression test coverage
• Production-oriented example configurations and documentation

Additional fixes included in this PR:

• Fixed multiple phase4-related build issues
• Corrected raw-rule and status logging order
• Added missing parser and regression test cases
• Improved validation and configuration parsing behavior

---

Why these changes

phase:4 operates on response bodies. At this stage, nginx may already have sent response headers or even part of the response body.

Because of this technical limitation, actions such as:

• deny
• status
• redirect

cannot always be converted into a clean client-visible HTTP response once headers are already sent.

This PR introduces explicit and predictable handling for those late-intervention scenarios:

• minimal
  → downgrade to log_only
• safe
  → downgrade to log_only (default-safe production behavior)
• strict
  → optional connection_abort

The goal is to:

• avoid false guarantees around late blocking behavior,
• make phase4 handling transparent and deterministic,
• improve operational visibility,
• provide safer production defaults,
• clearly separate production behavior from test/demo behavior.

---

Logging and observability

The new phase4 logging implementation provides structured JSON-lines logging including fields such as:

• intervention mode
• requested vs actual action
• header-sent state
• response status
• content type
• rule ID
• downgrade reason

Tests also verify that response-body payload data is not leaked into phase4 logs.

---

Testing

This PR adds and extends coverage for:

• parser validation
• regression handling
• proxy paths
• HTTP/2 handling
• late-intervention scenarios
• content-type scoping
• logging behavior

---

Documentation

Comprehensive documentation for the implemented behavior was added, including:

• operational limitations of phase:4
• behavior differences between modes
• production configuration examples
• logging semantics
• known technical boundaries and guarantees

[sonarqubecloud]

Quality Gate passed

Issues
13 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud