corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

I am struggling to understand how to configure caddy with coraza. #122

Closed elico closed 2 months ago

elico commented 7 months ago

It took me a while, but I managed to first install Caddy as a reverse proxy. After this had worked for a week I tried to add Coraza to the picture. I eventually managed to build Caddy with Coraza support, but now I am struggling to understand how to configure it with the CRS. I looked at: https://coraza.io/docs/tutorials/coreruleset/

and the files sit at /opt/src/coreruleset, i.e.:

/opt/src/coreruleset# ls -la  /opt/src/coreruleset/
total 28
drwxr-xr-x  3 root root 4096 Dec  8 23:58 .
drwxr-xr-x  8 root root 4096 Dec  8 23:57 ..
-rw-r--r--  1 root root 9443 Dec  8 23:57 coraza.conf
drwxr-xr-x 10 root root 4096 Dec  8 23:59 coreruleset
-rw-r--r--  1 root root   46 Dec  8 23:57 links
# ls -la  /opt/src/coreruleset/coreruleset/
total 292
drwxr-xr-x 10 root root   4096 Dec  8 23:59 .
drwxr-xr-x  3 root root   4096 Dec  8 23:58 ..
-rw-r--r--  1 root root 114584 Dec  8 23:57 CHANGES.md
-rw-r--r--  1 root root  27903 Dec  8 23:57 CONTRIBUTING.md
-rw-r--r--  1 root root   6085 Dec  8 23:57 CONTRIBUTORS.md
-rw-r--r--  1 root root  31922 Dec  8 23:57 crs-setup.conf.example
drwxr-xr-x  3 root root   4096 Dec  8 23:57 docs
-rw-r--r--  1 root root    519 Dec  8 23:57 .editorconfig
drwxr-xr-x  8 root root   4096 Dec  8 23:57 .git
drwxr-xr-x  5 root root   4096 Dec  8 23:57 .github
-rw-r--r--  1 root root    662 Dec  8 23:57 .gitignore
-rw-r--r--  1 root root    151 Dec  8 23:57 .gitmodules
-rw-r--r--  1 root root  13515 Dec  8 23:57 INSTALL
-rw-r--r--  1 root root   2776 Dec  8 23:57 KNOWN_BUGS.md
-rw-r--r--  1 root root  11351 Dec  8 23:57 LICENSE
-rw-r--r--  1 root root    287 Dec  8 23:57 .linelint.yml
drwxr-xr-x  2 root root   4096 Dec  8 23:57 plugins
-rw-r--r--  1 root root    438 Dec  8 23:57 .pre-commit-config.yaml
-rw-r--r--  1 root root   3011 Dec  8 23:57 README.md
drwxr-xr-x  4 root root   4096 Dec  8 23:57 regex-assembly
drwxr-xr-x  2 root root   4096 Dec  8 23:57 rules
-rw-r--r--  1 root root   4511 Dec  8 23:57 SECURITY.md
-rw-r--r--  1 root root    102 Dec  8 23:57 SPONSORS.md
drwxr-xr-x  5 root root   4096 Dec  8 23:57 tests
drwxr-xr-x 17 root root   4096 Dec  8 23:57 util
-rw-r--r--  1 root root    751 Dec  8 23:57 .yamllint.yml

I have never used CRS or ModSecurity, so I will really appreciate any help. I will give an example Caddyfile which can be used to set the example up:

{
        email text@example.com
        # run the WAF handler before every other handler in the site block
        order coraza_waf first
}

https://example.com {
        coraza_waf {
                # empty block: no rules are loaded yet
        }

        header * x-request-id "{http.transaction_id}"
        reverse_proxy https://1.1.1.1:443 {
                header_up X-Forwarded-Proto "https"
                transport http {
                        # disables verification of the upstream TLS certificate
                        tls_insecure_skip_verify
                }
        }
}

I will appreciate any help to understand how to do the most basic configuration. From there I assume it will be pretty simple, since it's basic CRS configuration.

Thanks, Eliezer

M4tteoP commented 6 months ago

Hey! The easiest way to load the CRS is the one described in the Using OWASP Core Ruleset section of the README of this repo. This repo also comes with an out-of-the-box example. Its Caddyfile is under example/Caddyfile, where you can see some back configuration overrides, custom rules, etc.

If you wish to point to a local version of the CRS, it should be enough to customize the Include directives (e.g. Include @coraza.conf-recommended), pointing them to your files instead of relying on the aliases loaded thanks to load_owasp_crs.
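Putting the answer together with the Caddyfile from the question, here is an added worked example (written for this page, not taken from the coraza-caddy README or the example/ directory): the site block from the question with the coraza_waf block filled in the way the reply describes. It uses load_owasp_crs with the bundled aliases; the commented Include lines show the local-checkout alternative and assume that /opt/src/coreruleset/coraza.conf in the listing is the downloaded coraza.conf-recommended and that the rules live under coreruleset/rules/, which is an assumption about the listing, not something the page states. The upstream address, email and x-request-id header are copied from the question.

```caddyfile
{
        email text@example.com
        # Coraza must run before any other handler so that it can
        # inspect (and block) the request before reverse_proxy sees it.
        order coraza_waf first
}

https://example.com {
        coraza_waf {
                # Registers the @coraza.conf-recommended, @crs-setup.conf.example
                # and @owasp_crs/*.conf aliases for the CRS copy shipped with the plugin.
                load_owasp_crs
                directives `
                        Include @coraza.conf-recommended
                        Include @crs-setup.conf.example
                        Include @owasp_crs/*.conf
                        # coraza.conf-recommended sets SecRuleEngine DetectionOnly;
                        # this override must come after the includes to actually block.
                        SecRuleEngine On
                `
                # Local checkout instead of the bundled aliases (paths assumed from the
                # listing in the question; remove load_owasp_crs if you switch to these):
                #   Include /opt/src/coreruleset/coraza.conf
                #   Include /opt/src/coreruleset/coreruleset/crs-setup.conf.example
                #   Include /opt/src/coreruleset/coreruleset/rules/*.conf
        }

        header * x-request-id "{http.transaction_id}"
        reverse_proxy https://1.1.1.1:443 {
                header_up X-Forwarded-Proto "https"
                transport http {
                        # kept from the question: disables upstream certificate verification
                        tls_insecure_skip_verify
                }
        }
}
```

Check the file with `caddy validate --config Caddyfile` before reloading. With SecRuleEngine On and the default CRS anomaly thresholds, a request carrying an obvious injection payload (for example a query string containing `' OR 1=1`) should return 403 instead of being proxied; if it still reaches the upstream, the most common causes are a missing `order coraza_waf first` or SecRuleEngine placed before the includes, where coraza.conf-recommended then resets it to DetectionOnly. Leave SecRuleEngine in DetectionOnly and watch the audit log for a while before switching to On on a production host, so false positives surface as log entries rather than blocked users.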