The fundamental idea behind ModSecurity is to inspect the content of a request, determine whether the request appears to be malicious, and block it if so. Doing this involves several steps and depends on interaction with other software.
Before software such as ModSecurity can analyze the content of a request, the request must be decrypted, since it arrives protected by SSL encryption. This is done by a web server such as Nginx, where the site's SSL key and certificate are configured.
Next, the web server and potentially also the web application partially parse the HTTP request. From there, the details of the request are handed over to ModSecurity.
ModSecurity then applies the rules it is configured to use, determines which rules match, and calculates a score based on the rules that matched. The results of processing certain rules may influence which other rules run.
Finally, ModSecurity decides whether the request should be blocked, based on the score calculated from the matched rules. It reports that decision back to the service that asked it to check the request. That service then blocks the request if ModSecurity indicates it should be blocked.
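The scoring flow described above can be written directly in ModSecurity's rule language. The following is an added example, not configuration from this page or from the ModSecurity project; the rule ids, patterns, score weights, the threshold of 5 and the variable names tx.anomaly_score and tx.block_threshold are all assumptions chosen for illustration.

```apache
# Added illustration: ids, patterns, weights and threshold are assumed values.
SecRuleEngine On
SecRequestBodyAccess On

# Start every transaction with a score of 0 and a blocking threshold of 5.
SecAction "id:100000,phase:1,pass,nolog,\
    setvar:tx.anomaly_score=0,\
    setvar:tx.block_threshold=5"

# The result of one rule influences which other rules run:
# GET and HEAD requests skip the body inspection rule below.
SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
    "id:100010,phase:2,pass,nolog,skipAfter:END_BODY_RULES"

SecRule REQUEST_BODY "@rx (?i)<script" \
    "id:100011,phase:2,pass,log,t:none,t:urlDecodeUni,\
    msg:'Script tag in request body',\
    setvar:tx.anomaly_score=+3"

SecMarker END_BODY_RULES

# Each matching rule only adds to the score (pass); none blocks on its own.
SecRule ARGS "@rx (?i)union\s+select" \
    "id:100020,phase:2,pass,log,t:none,t:urlDecodeUni,\
    msg:'SQL keyword sequence in parameter',\
    setvar:tx.anomaly_score=+5"

SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:100021,phase:2,pass,log,\
    msg:'Missing User-Agent header',\
    setvar:tx.anomaly_score=+2"

# Final determination: compare the accumulated score with the threshold.
# The deny action is what ModSecurity reports back to the web server,
# which then answers the client with the 403.
SecRule TX:anomaly_score "@ge %{tx.block_threshold}" \
    "id:100090,phase:2,deny,status:403,log,\
    msg:'Anomaly score %{tx.anomaly_score} reached blocking threshold'"
```

With these weights, a request that only lacks a User-Agent header scores 2 and passes, while one that also matches rule 100011 scores 5 and is denied.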