Armand.nz

modsecurity WAF Custom Error Page

#nginx #modsecurity |

To serve a custom HTTP 403 error page when using NGINX with ModSecurity, you need to turn ModSecurity off (modsecurity off;) in the location that serves the custom error page.

The problem is that if ModSecurity is enabled in the server context, all of its locations inherit that setting. When ModSecurity finds something nasty and returns an HTTP 403 response, the internal redirection mechanism redirects this response to the location with the custom error page.

Since that location also has ModSecurity enabled, the custom error page is not displayed: the internally redirected request is inspected again (as seen in the audit log entries). Of course, this is not the expected behavior. To change it, disable ModSecurity in the location that serves the custom error page:

# WAF custom error page
error_page 403 404 /40x.html;

location = /40x.html {
	root /srv/http;
	modsecurity off; # important - ModSecurity needs to be disabled here
	internal;
}
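For context, here is the same fix inside a minimal server block; this is an added example, not configuration from the original post. It shows where ModSecurity is enabled (the server context, from which every location inherits it) and the single location where it is switched off again. The server name, the rules file path and the try_files fallback are assumptions; the document root /srv/http is the one used above.

```nginx
# Added example (not from the original post). The rules file path and
# server_name are assumed placeholders.
server {
    listen 80;
    server_name waf.example.test;

    # ModSecurity is enabled here, so every location below inherits it ...
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;   # assumed path

    root /srv/http;

    # Blocked requests (403) and misses (404) are redirected internally
    # to the custom page below.
    error_page 403 404 /40x.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # ... except here: the error page itself must not be inspected again,
    # otherwise the internally redirected request is re-checked (a second
    # audit log entry appears) and the custom page is never served.
    location = /40x.html {
        modsecurity off;
        internal;   # only reachable through error_page, not by clients
    }
}
```

After `nginx -t` and a reload, a request that the rules block should produce one audit log entry and the body of /srv/http/40x.html, rather than the default NGINX 403 page.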


Copyright © Armand