corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

Unsure if load_owasp_crs is required for using the OWASP core rule set #63

Closed BurningDog closed 1 year ago

BurningDog commented 1 year ago

I'm trying to use Coraza and the OWASP ruleset with Caddy 2.6.4 (this version of Caddy as it's the latest stable, and I'm using API Platform and its Caddyfile).

I need to use the following lines to build caddy:

RUN xcaddy build \
    --with github.com/corazawaf/coraza-caddy \
    --with github.com/corazawaf/coraza-coreruleset

...otherwise the conf files mentioned in the README don't exist anywhere: @coraza.conf-recommended, @crs-setup.conf.example, @owasp_crs/*.conf. I manually copy those files to the correct locations:

cp /go/pkg/mod/github.com/corazawaf/coraza-coreruleset*/rules/@coraza.conf-recommended /etc/caddy/@coraza.conf-recommended
cp /go/pkg/mod/github.com/corazawaf/coraza-coreruleset*/rules/@crs-setup.conf.example /etc/caddy/@crs-setup.conf.example
cp /go/pkg/mod/github.com/corazawaf/coraza-coreruleset*/rules/@owasp_crs/* /etc/caddy/@owasp_crs/

My Caddyfile is as follows:

{
        # Debug
        {$CADDY_DEBUG}

        # must be always included in your Caddyfile for Coraza module to work
        # see https://github.com/corazawaf/coraza-caddy
        order coraza_waf first
}

{$SERVER_NAME}

route {
        coraza_waf {
                load_owasp_crs
                directives `
                Include @coraza.conf-recommended
                Include @crs-setup.conf.example
                Include @owasp_crs/*.conf
                SecRuleEngine On
                `
        }

        root * /srv/app/public

        php_fastcgi unix//var/run/php/php-fpm.sock
        encode zstd gzip
        file_server
}

I've used caddy fmt --overwrite to correctly format the Caddyfile.

However, when I run caddy I get this error:

Error: adapting config using caddyfile: parsing caddyfile tokens for 'coraza_waf': Caddyfile:14 - Error during parsing: invalid key for filter directive: load_owasp_crs

However, if I comment out the load_owasp_crs directive, then caddy runs. Is this expected?

[Edit: after testing, the WAF is running, but I'm not sure how to check that the OWASP core rule set is running too?]

ameyer8 commented 1 year ago

@BurningDog I had this issue too. It looks like xcaddy is pulling in the latest released version of coraza-caddy, and that version doesn't have support for the built-in rule set. You can force xcaddy to pull from master with this command:

xcaddy build --with github.com/corazawaf/coraza-caddy@master

I did not have to specify the --with github.com/corazawaf/coraza-coreruleset.

jcchavezs commented 1 year ago

@BurningDog could you try what @ameyer8 suggests?

jcchavezs commented 1 year ago

Ping @BurningDog

github-actions[bot] commented 1 year ago

This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days.

jcchavezs commented 1 year ago

Any movement on this?

github-actions[bot] commented 1 year ago

This issue was closed because it has been inactive for 14 days since being marked as stale.

BurningDog commented 3 months ago

Apologies for the long delay in my response - yes, the suggestion at https://github.com/corazawaf/coraza-caddy/issues/63#issuecomment-1560106130 worked. Thanks @ameyer8!