coraza: pre-CRS Include for runtime per-host exemptions (load-order fix)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

coraza-spoa/Dockerfile

@@ -49,6 +49,7 @@ LABEL org.opencontainers.image.title="coraza-spoa-whp" \
 COPY --from=build /out/coraza-spoa /coraza-spoa
 COPY config.yaml /etc/coraza-spoa/config.yaml
 COPY overrides.conf /etc/coraza/overrides.conf
+COPY pre-overrides.conf /etc/coraza/pre-overrides.conf
 COPY local-overrides.conf /etc/coraza/local-overrides.conf
 COPY host-exceptions/ /etc/coraza/host-exceptions/
 COPY --from=catalog /out/rules-catalog.json /etc/coraza/rules-catalog.json

coraza-spoa/config.yaml

@@ -27,6 +27,14 @@ applications:
       # the rule pack itself (~16 MB of rules embedded in the binary).
       Include @coraza.conf-recommended
       Include @crs-setup.conf.example
+
+      # Runtime-managed PRE-CRS exclusions written by WHP UI. Empty by default.
+      # Loaded BEFORE the CRS rules so per-host ctl:ruleRemoveById exemptions
+      # fire in phase:1 BEFORE the CRS rule they're trying to exempt would
+      # otherwise match. Server-wide overrides live in local-overrides.conf
+      # (loaded after CRS) instead.
+      Include /etc/coraza/pre-overrides.conf
+
       Include @owasp_crs/*.conf
 
       # WHP-specific overrides — day-one enforce list, plus tuning for
@@ -34,7 +42,7 @@ applications:
       # to see exactly what blocks vs what's detect-only.
       Include /etc/coraza/overrides.conf
 
-      # Runtime-managed overrides written by WHP UI. Empty by default.
+      # Runtime-managed POST-CRS overrides written by WHP UI. Empty by default.
       Include /etc/coraza/local-overrides.conf
 
       # Global mode: log all alerts, block only what overrides.conf

coraza-spoa/pre-overrides.conf

@@ -0,0 +1,3 @@
+# AUTOGENERATED by WHP — do not hand-edit.
+# Source of truth: whp.security_db coraza_rule_host_exceptions table.
+# Loaded BEFORE the CRS rules. Empty file = no per-host exemptions active.