I wanted to make note of this page, because it was a huge help getting the ModSecurity OWASP rule set working with nginx.
LinuxBabe: How to Set Up ModSecurity with Nginx on Debian/Ubuntu
Then to start exempting specific pages from specific rule ID’s, you’ll using these three commands quite a bit:
`tailf /var/log/modsec_audit.log`
`sudo nano /etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf`
`sudo nginx -t`
`sudo systemctl reload nginx`