How to exclude ModSecurity rules by hostname?

Using REQUEST_HEADERS:Host chained with REQUEST_URI does the trick, but gets harder to maintain, if there are several sites that either need or don't need the exclusion. Therefore, an alternative solution would be disabling the rules on the Nginx configuration for the virtualhost, instead.

It's possible to disable some rules using modsecurity_rules inside specific server & location:

server {
    server_name wiki.example.com;
    modsecurity on;
    . . .

    location /api.php {
        modsecurity_rules '
            SecRuleRemoveById 941160
        ';
    }
}

The same is possible with Apache, too, as some Apache users may later find this question based on its title. With Apache, you can use SecRuleRemoveById / modsecurity_rules directives

• inside VirtualHost and Location or LocationMatch:

  <VirtualHost *:443>
      ServerName wiki.example.com
      . . .
  
      <LocationMatch "^/api.php">
          <IfModule security2_module>
              SecRuleRemoveById 941160
          </IfModule>
          <IfModule security3_module>
              modsecurity_rules 'SecRuleRemoveById 941160'
          </IfModule>
      </LocationMatch>
  </VirtualHost>
  

• or, although not recommended, even with .htaccess:

  <IfModule security2_module>
      <If "%{REQUEST_URI} =~ m#^/api.php#">
          SecRuleRemoveById 941160
      </If>
  </IfModule>
  
  <IfModule security3_module>
      <If "%{REQUEST_URI} =~ m#^/api.php#">
          modsecurity_rules 'SecRuleRemoveById 941160'
      </If>
  </IfModule>
  

The answer is to use REQUEST_HEADERS:Host with chain, like this:

 SecRule REQUEST_HEADERS:Host "wiki.example.com" \
     "id:1017,\
     phase:2,\
     pass,\
     nolog,\
     chain"
     SecRule REQUEST_URI "@beginsWith /api.php" \
         "ctl:ruleRemoveById= 941160"