Wrong http_code in modsec logs when using auth_request #363

@jaysee

Description

Problem

When auth_request directive is active, ModSecurity-nginx captures the HTTP status code
from the auth_request subrequest (usually 200 for "pass") instead of the final status
code from the actual backend (proxy_pass).

Setup

location /auth {
	internal;

	modsecurity off;

	proxy_pass http://127.0.0.1:2607/auth?server=$server_name; # => returns 200
	proxy_cache off;
	proxy_pass_request_body	off;

	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_set_header Content-Length "";
	proxy_set_header X-Original-URI $request_uri;

	proxy_intercept_errors	off;
}
auth_request   /auth;
proxy_pass     $upstream; # => returns 404

Scenario

  1. Request comes in: GET /?test=/bin/bash
  2. auth_request /auth → returns 200 (pass)
  3. ModSecurity captures: http_code = 200
  4. proxy_pass $upstream → returns 404
  5. Audit log has: http_code: 200 ❌ (should be 404)

Expected Behavior

ModSecurity should capture the FINAL status code sent to the client, not intermediate
subrequest statuses.

EDIT

The whole response content in the log seems to be the response data of the /auth subrequest, not the proxy request.
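A defender-side check for the symptom described in this issue, added here as an example (it is not code from the ModSecurity-nginx project or the reporter): it cross-references the http_code recorded in a ModSecurity v3 JSON audit log with the status nginx wrote to its access log for the same request, and reports entries where the two disagree. The log lines below are constructed, and correlating on client IP, method and URI is an assumption that only holds while that triple is unique in the window inspected.

```python
import json
import re

# Constructed sample: ModSecurity v3 JSON audit log (SecAuditLogFormat JSON),
# one transaction per line, reduced to the fields this check needs.
AUDIT_LOG = """\
{"transaction":{"client_ip":"203.0.113.10","unique_id":"a1b2c3","request":{"method":"GET","uri":"/?test=/bin/bash"},"response":{"http_code":200}}}
{"transaction":{"client_ip":"203.0.113.11","unique_id":"d4e5f6","request":{"method":"GET","uri":"/index.html"},"response":{"http_code":200}}}
"""

# Constructed sample: nginx access log in the default "combined" format for the same two requests.
ACCESS_LOG = """\
203.0.113.10 - - [07/Jan/2025:10:00:00 +0000] "GET /?test=/bin/bash HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.11 - - [07/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"
"""

# client_ip, method, uri and the three-digit status from a "combined" access-log line.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_access_log(text):
    """Map (client_ip, method, uri) -> final status code sent to the client."""
    final_status = {}
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, method, uri, status = m.groups()
            final_status[(ip, method, uri)] = int(status)
    return final_status


def find_status_mismatches(audit_text, access_text):
    """Return audit-log transactions whose http_code differs from the access-log status.

    Correlation key is (client_ip, method, uri); this is an assumption for the
    example and is only reliable when that triple is unique in the inspected window.
    Audit entries with no matching access-log line are skipped, not reported.
    """
    final_status = parse_access_log(access_text)
    mismatches = []
    for line in audit_text.splitlines():
        tx = json.loads(line)["transaction"]
        key = (tx["client_ip"], tx["request"]["method"], tx["request"]["uri"])
        audit_code = tx["response"]["http_code"]
        access_code = final_status.get(key)
        if access_code is not None and access_code != audit_code:
            mismatches.append({"unique_id": tx["unique_id"], "uri": key[2],
                               "audit_code": audit_code, "access_code": access_code})
    return mismatches


if __name__ == "__main__":
    for hit in find_status_mismatches(AUDIT_LOG, ACCESS_LOG):
        print(hit)  # the /?test=/bin/bash transaction: audit 200 vs access 404
```

A run over real logs that keeps returning hits only for locations protected by auth_request is a quick way to confirm this issue is in play before trusting http_code in audit-log based alerting.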
