corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

New configuration not loaded on Caddy reload #89

Closed skixmix closed 1 year ago

skixmix commented 1 year ago

Hi,

You may have noticed that I am actively testing the module before utilizing it in production (kudos for the excellent work, by the way 😄 ). During my recent tests, I observed that in both versions 1.x and 2.x, the WAF configurations are not refreshed when I make changes to the .conf file and reload Caddy. However, if I restart the Caddy service, it functions properly (of course...).

This is associated with #11, which is closed, but reloading Caddy after modifying my configuration file, as mentioned, doesn't work.

Currently, the only method I have found is to modify the file name with an added random number, but this approach is not really "clean". Do you know if there is an alternative way to completely reload the WAF configuration for a specific site without restarting Caddy?

Thank you, Simone

skixmix commented 1 year ago

Ok sorry I think I found the issue.

Essentially, Caddy operates in a manner where if it does not detect any alterations in the configuration (even if we modify sections), it does not execute an actual reload and instead displays a message similar to:

{"level":"info","ts":1689607946.3474102,"msg":"config is unchanged"}
{"level":"info","ts":1689607946.3475072,"logger":"admin.api","msg":"load complete"}

This happens if for example we have a configuration like:

(1_waf) {
        coraza_waf {
            include /myconfig.conf
        }
}

and somewhere in the config we import it:

import 1_waf

By modifying it to (2_waf) and importing it with (2_waf), Caddy omits the block name and acknowledges that no modifications were made. The only option is to make an actual alteration in the current configuration, such as changing /myconfig.conf to /myconfig1.conf. Currently, instead of altering the file name, I am appending a custom header with a random value, which is a more cost-effective alternative compared to changing the file name.

Do you have other ideas?

Thank you, Simone

jcchavezs commented 1 year ago

Thanks a lot! Ping @mholt for advice.

Also, this should be documented. Are you up to opening a PR?


jcchavezs commented 1 year ago

Wondering if adding a timestamp inside a commented line before the import would work?

Something like

# random string
include my-file.conf

mholt commented 1 year ago

Caddy compares the new config with the old one when reloads occur. If the old config is 100% identical, it skips a reload because there's no need to change the config. Note that it compares the adapted JSON, not the input Caddyfile. Snippets (their names and structure) are all known only to the Caddyfile adapter; simply changing the name of a snippet doesn't constitute a change in the final JSON config.

A config reload can be forced though, using caddy reload --force (or if you're using the API, by setting the Cache-Control: must-revalidate header) even if there are no changes.
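Added example (not code from Caddy or coraza-caddy): a toy model of the snippet-expansion step that shows why renaming the snippet from 1_waf to 2_waf yields an identical adapted config, while editing the include path does not. It expands snippets as plain text and hashes the result; Caddy itself compares the adapted JSON. The Caddyfile in it is constructed for the example.

```python
"""Added toy model (not Caddy's or coraza-caddy's code) of why renaming a
Caddyfile snippet is not a config change: Caddy expands snippets while adapting
to JSON and compares that JSON on reload, so a snippet name never reaches it."""
import hashlib
import re

SNIPPET_RE = re.compile(r"^\(([\w-]+)\)\s*\{$")   # e.g. "(1_waf) {"
IMPORT_RE = re.compile(r"^import\s+([\w-]+)$")     # e.g. "import 1_waf"

def expand_snippets(caddyfile: str) -> str:
    """Strip snippet definitions and inline their bodies at each import site."""
    snippets, body = {}, []
    lines, i = caddyfile.splitlines(), 0
    while i < len(lines):
        m = SNIPPET_RE.match(lines[i].strip())
        if not m:
            body.append(lines[i].strip())
            i += 1
            continue
        # Collect the snippet body up to the brace that closes the definition.
        name, depth, content = m.group(1), 1, []
        i += 1
        while i < len(lines) and depth > 0:
            depth += lines[i].count("{") - lines[i].count("}")
            if depth > 0:
                content.append(lines[i].strip())
            i += 1
        snippets[name] = content
    out = []
    for line in body:
        m = IMPORT_RE.match(line)
        if m and m.group(1) in snippets:
            out.extend(snippets[m.group(1)])   # name dropped, only the body survives
        else:
            out.append(line)
    return "\n".join(l for l in out if l)

def config_digest(caddyfile: str) -> str:
    """Stand-in for Caddy's adapted-JSON comparison: hash of the expanded text."""
    return hashlib.sha256(expand_snippets(caddyfile).encode()).hexdigest()

# Constructed Caddyfile matching the issue: a WAF snippet imported by one site.
CADDYFILE = "({0}) {{\n  coraza_waf {{\n    include {1}\n  }}\n}}\nexample.com {{\n  import {0}\n}}\n"

def same_config_after_rename() -> bool:  # 1_waf -> 2_waf: "config is unchanged"
    return config_digest(CADDYFILE.format("1_waf", "/myconfig.conf")) == \
        config_digest(CADDYFILE.format("2_waf", "/myconfig.conf"))

def changed_include_is_real_change() -> bool:  # editing the include path does count
    return config_digest(CADDYFILE.format("1_waf", "/myconfig.conf")) != \
        config_digest(CADDYFILE.format("1_waf", "/myconfig1.conf"))
```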

skixmix commented 1 year ago

Hi,

Sure, I checked out this section (https://caddyserver.com/docs/api#post-load) in the Caddy documentation yesterday. I gave it a try, and it's working smoothly now, without requiring any extra steps.

Thanks! 😃

jcchavezs commented 1 year ago

I think this problem isn't explicit enough. Are you up to adding a TROUBLESHOOTING.MD with such a problem?


skixmix commented 1 year ago

Hello,

Certainly, I submitted the PR 😄