An example of how to get the Coraza WAF running in the Caddy web server.
Coraza can be installed the usual way, as a plugin by building a new Caddy binary. I prefer the docker compose way.
Ensure that build: . is added:
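services:
  caddy:
    # With both `image` and `build` set, Compose tags the locally built image
    # with this name, so the custom Coraza build shares name and tag with the
    # official caddy:2.10.2 image. Pulling that tag later replaces the local
    # build with the stock binary, which has no coraza_waf plugin. A distinct
    # local name (placeholder: <your-registry>/caddy-coraza:2.10.2) removes
    # the ambiguity about which binary is actually running.
    image: caddy:2.10.2
    build: .

The Dockerfile is simple as: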
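# Build stage: compile a Caddy binary that includes the Coraza WAF plugin.
# The builder image and the plugin are both pinned to explicit versions; pinning
# the images by digest as well (caddy:2.10.2-builder@sha256:<digest>) would make
# the build reproducible against a re-pushed tag.
FROM caddy:2.10.2-builder AS builder
# Set the working directory explicitly so the relative --output path below
# resolves to /app/caddy, the exact path the final stage copies from. Without
# it the binary lands in whatever directory the builder image defaults to.
WORKDIR /app
RUN xcaddy build --output ./caddy \
    --with github.com/corazawaf/coraza-caddy/v2@v2.1.0

# Runtime stage: the stock Caddy image with its binary replaced by the custom
# build. `caddy list-modules` in the resulting image shows whether the WAF
# plugin was actually compiled in.
FROM caddy:2.10.2
COPY --from=builder /app/caddy /usr/bin/caddy

docker compose build will then do the trick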
Finally the required config to enable the WAF
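coraza_waf should be the first option in the file
{
	# Plugin directives have no built-in position in Caddy's handler order.
	# Placing coraza_waf first means requests are inspected by the WAF before
	# any other handler acts on them.
	order coraza_waf first
	log {
		level INFO
		# NOTE(review): the compose snippet on this page shows no volume for
		# /log. Presumably it is mounted elsewhere; if not, this log is lost
		# whenever the container is recreated.
		output file /log/caddy.log
	}
}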
{$DOMAIN_1} {
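coraza_waf {
	# Loads the OWASP Core Rule Set shipped with the plugin so that the
	# @-prefixed Include paths below can be resolved.
	load_owasp_crs
	# Notes on the directives below:
	# - Order matters. Rules in the same phase run in the order they are
	#   loaded, so the paranoia-level SecAction sits before the CRS rule files.
	#   Placed after them it would run once CRS initialisation had already
	#   fixed the level, and raising the value would have no effect.
	#   NOTE(review): the CRS 4 setup example sets tx.blocking_paranoia_level;
	#   confirm which variable name the bundled rule set reads before raising it.
	# - SecRuleEngine On blocks matching requests. Running with DetectionOnly
	#   first shows false positives for the application before enforcement.
	# - SecAuditEngine On records every transaction. The audit log can contain
	#   request data such as cookies and credentials, so restrict access to
	#   /log and rotate it. RelevantOnly limits logging to flagged transactions.
	# - SecDebugLogLevel 0 turns debug output off.
	directives `
		Include @coraza.conf-recommended
		Include @crs-setup.conf.example
		SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"
		Include @owasp_crs/*.conf
		SecRuleEngine On
		SecAuditEngine On
		SecAuditLog /log/coraza-audit.log
		SecDebugLog /log/coraza-debug.log
		SecDebugLogLevel 0
	`
}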
handle_errors 403 {
header X-Blocked "true"
respond "{err.status_code} {err.status_text}" {
close
}