Caddy as Web Application Firewall (WAF)

Hey there,

sorry if “help” is the wrong category, I couldn’t find a better one.

On Caddy’s Homepage, it’s being mentioned how Caddy is a fusion out of many things like a Web-Server, API-Gateway, RevProxy etc. - and a Web Application Firewall.

As this seemingly is the only occurence on the whole webpage (besides feature requests from 2016) where the keyword “Web Application Firewall” or “WAF” is being used - I’m a bit curious.

When talking about WAFs I’m thinking of software like ModSecurity, NAXSI, WebKnight, Shadow Deamon and so on - all with features like SQL injection protection, web-crawler blocking, brute-force prevention etc,

I wouldn’t know how to activate/configure any of those features in Caddy, but would love to use those possibilities. Can anyone point me in the right direction here?

It seems like an feature they want to implement i.F., that isn’t implemented yet.
Maybe @Whitestrake can tell us something about developments going on arround the WAF.
We could also create an Feature-Request on GitHub or create an module which adds a compatibility to your given WAF’s. <= Which I would only prefer if there is currently no WAF implementation planed.

That would certainly make sense. I would love to see a WAF directly integrated in Caddy. Especially for smaller business or users in general, which might just want to run a webpage on a single VPS, this seems like a great opportunity. You’d get the ultimate All-In-One-Package.

1 Like

Yeah, I’d like that too. Anyone is welcome to write a WAF module and share it!

@matt do you think it’s possible to merge this module (in an later/more mature state of programming) into the default caddy installation?

  • I mean, I think I’m not allowed to create an Module, because I don’t use go and have no usage for the language. So learning it to create one Module isn’t really an option for me.

What about you @Tenou ?

Unfortunatly, I’m currently just a trainee sysadmin with no experience in coding whatsoever. So writing the module myself, as much as I’d love to, won’t be an option if it should work even remotely. Sorry about that!

It’s very unlikely it would be shipped as a default module. We’re very careful about what we want to maintain because it’s a burden.

It would be best to start as a plugin, and if it’s very popular, we may consider pulling it in as a default module… But frankly I highly doubt that will happen.

I have to say, that under these circumstances, I really don’t think that it’s appropriate to advertise Caddy as WAF capable on the first picture of
This feature, as neat as it would be, isn’t there at the moment and - from what I could gather from this conversation - there aren’t any serious plans to implement it in the future.


This topic was automatically closed after 30 days. New replies are no longer allowed.