Anyone actually using Coraza?

I need to find a not-killing-us-expensive WAF reverse proxy.
There are a few pages mentioning Coraza, but has anyone here tried it out?
Is it working? Any real experience?
The only hands-on article out there is made by one of the project maintainers. That’s about it…

Hello Sven,

I’ve implemented Coraza to safeguard my homelab web application, primarily focused on securing Vaultwarden, while keeping other applications inaccessible from the web.

Utilizing Coraza alongside CRS rules 4.0, I’ve set it up with a paranoia level of 3. Currently, I’m fine-tuning the configuration to minimize false positives.

I can’t confirm, though, whether my use case counts as real-world experience.

My experience with Coraza so far has been great. The maintainers and the community are nice and helpful.

Best regards,

I am now using Caddy Coraza in a production environment. Running great so far, but there are not many live examples of Coraza deployed, so it’s a bit of guesswork whether this is deployed correctly or not.

I am also interested in using Coraza in front of Vaultwarden; would you be comfortable sharing what you have tuned?

Thank you!

I would also be interested in an example

Follow the documentation at Introduction - OWASP Coraza and enable the rules when everything is running.
This blog post, written by one of the developers, is better than the official docs in explaining what to do IMO. OSS WAF stack using Coraza, Caddy, and Elastic | by Juan Pablo Tosso | Medium

I’ve deployed Caddy in a multi-node setup for redundancy; they share the same config. Runs very well so far. Might write a post about the setup in another lifetime, when time isn’t a factor… :smiley:
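Since several people above ask for a concrete setup, here is an added example Caddyfile (not posted by anyone in this thread and not from the Coraza project itself) showing the shape the replies describe: the coraza-caddy module loading CRS 4 at paranoia level 3 in front of a Vaultwarden upstream, with one narrow rule exclusion of the kind you end up writing while tuning false positives. The hostname, the upstream address, and the path/rule id/parameter in the exclusion are assumptions and placeholders; the real values come from your own audit log.

```caddyfile
{
	# Run the WAF before any other handler so every request is inspected first.
	order coraza_waf first
}

# Hostname and upstream are assumed; replace with your own.
vault.example.test {
	coraza_waf {
		directives `
			# Engine defaults shipped with the coraza-caddy module.
			Include @coraza.conf-recommended
			Include @crs-setup.conf.example

			# Paranoia level 3, as used in this thread. CRS 4 reads this
			# variable via rule id 900000; it replaces the commented-out
			# stanza in crs-setup.conf.example.
			SecAction "id:900000,phase:1,pass,t:none,nolog,setvar:tx.blocking_paranoia_level=3"

			Include @owasp_crs/*.conf

			# PLACEHOLDER exclusion (path, argument and chosen rule are
			# assumptions): remove one target from one rule on one endpoint
			# rather than disabling the rule everywhere. 942100 is a real CRS
			# rule id used here only to show the ctl syntax.
			SecRule REQUEST_URI "@beginsWith /PLACEHOLDER/login" \
				"id:10001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:password"

			# Start with DetectionOnly, review the audit log, then switch to On
			# (the "enable the rules when everything is running" step above).
			SecRuleEngine On
		`
	}

	# Assumed container name and port for the Vaultwarden upstream.
	reverse_proxy vaultwarden:80
}
```

With `SecRuleEngine DetectionOnly` the engine logs what it would have blocked without blocking, which is how you collect the false positives to exclude before turning enforcement on.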