On one of my sites, I post various PHP code snippets and examples, and mod_security's 50_outbound.conf would always warn about PHP source code leakage. The rule was doing its job: it really was catching PHP code being sent in the response body, but on this site that is intended. I did not want to disable the rule globally, since it is an incredibly useful warning, but for this particular site I felt it was fine to turn off.
With mod_security 2.1.2, the check was moved from phase:1 to phase:2. This matters because phase:1 runs too early for a rule to be excluded at the vhost level, whereas phase:2 rules can be managed per vhost. The rules I cared about run in phase:4 (response body), so they are definitely late enough not to be a problem.
The particular rule I wanted to exclude was this:
SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|
"ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970015',severity:'4'"
SecRule RESPONSE_BODY "<\?(?!xml)" \
"chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970902',severity:'4'"
#SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)"
To exclude this rule at the vhost level, I added the following to the VirtualHost block:
Additional exclusion rules can optionally go in the same block.
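As an added illustration, not the post's own configuration, here is what such a vhost-level exclusion looks like using the two rule ids quoted above; the hostname and document root are placeholders, and it assumes the core rule set (including 50_outbound.conf) is already loaded at server level so the vhost inherits it.

```apache
<VirtualHost *:80>
    # Placeholder hostname and path for the snippets site.
    ServerName snippets.example.com
    DocumentRoot /var/www/snippets

    # Leave the engine on for this site so every other outbound and
    # inbound rule still applies; only the PHP leakage rules are dropped.
    SecRuleEngine On

    # 970015 is the RESPONSE_BODY regex rule and 970902 is the chained
    # "<?" rule; both fire with msg 'PHP source code leakage', so both
    # ids must be removed.  They run in phase 4 (response body), so a
    # per-vhost removal takes effect before they are evaluated.
    SecRuleRemoveById 970015 970902

    # Narrower alternative: keep the leakage check for the rest of the
    # site and drop it only under the path that serves the snippets.
    # <Location /snippets>
    #     SecRuleRemoveById 970015 970902
    # </Location>
</VirtualHost>
```

After reloading Apache, a response containing PHP source should still be logged as a leakage warning on every other vhost, but not on this one; checking the audit log from both confirms the exclusion is scoped as intended.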