Coraza is blocking the access to one of my reverse proxies

Help
1

1. The problem I’m having:

Hello
I have managed to have a caddy working as a reverse proxy through a cloudflare tunnel.

I have two reverse proxies.
client → https (bha.xxx.com via cloudflare tunnel) → caddy → http → application 1.
client → https ->(bvw.xxx.com via cloudflare tunnel) → caddy → https → application 2.
Everything works fine so I decided to add one more layer of security, Coraza and when it works I will add Crowdsec.

Since I’ve enabled Coraza I can access to application 2 but coraza cuts off access to application 1

I have the same configuration in both cloudflare tunnels.

2. Error messages and/or full log output:

{"level":"error","ts":1754406872.442574,"logger":"http.handlers.waf","msg":"[client \"172.18.0.1\"] Coraza: Access denied (phase 2). Inbound Anomaly Score Exceeded (Total Score: 5) [file \"@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"7441\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [data \"\"] [severity \"emergency\"] [ver \"OWASP_CRS/4.15.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"] [hostname \"\"] [uri \"/auth/login_flow\"] [unique_id \"XJqIoiYIsKNSstNv\"]    |

3. Caddy version:

2.10.0

4. How I installed and ran Caddy:

FROM caddy:2.10.0-builder AS builder

RUN xcaddy build \\
–with github.com/corazawaf/coraza-caddy/v2@latest \\
–with github.com/hslatman/caddy-crowdsec-bouncer/http@main \\
–with github.com/hslatman/caddy-crowdsec-bouncer/appsec@main \\
–with github.com/hslatman/caddy-crowdsec-bouncer/layer4@main \\
–with github.com/WeidiDeng/caddy-cloudflare-ip \\
–with github.com/mholt/caddy-dynamicdns \\
–with github.com/caddy-dns/cloudflare \\
–with github.com/caddy-dns/duckdns

FROM caddy:2.10.0

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

a. System environment:

b. Command:

sudo docker compose up --build in order to see the output log
.

c. Service/unit/compose file:

`services: 

  caddy: 

    build: 

       context: . 

       dockerfile: Dockerfile 

    container_name: caddy 

    restart: unless-stopped 

    cap_add: 

      - NET_ADMIN 

    environment: 

      - CLOUDFLARE_API_TOKEN=$CLOUDFLARE_API_TOKEN 

      - DUCKDNS_API_TOKEN=$DUCKDNS_API_TOKEN 

    ports: 

      - 80:80 

      - 443:443 

#      - 443:443/udp 

      - 8123:8123 

      - 8443:8443 

      - 4080:4080 

    volumes: 

      - $DOCKERDIR/caddy/log:/var/log 

      - $DOCKERDIR/caddy/ruleset:/ruleset 

      - $DOCKERDIR/caddy/Caddyfile:/etc/caddy/Caddyfile 

      - $DOCKERDIR/caddy/data:/data 

      - $DOCKERDIR/caddy/config:/config 

      - $DOCKERDIR/certs/:/config/rlyeh 

# Aquí irían las webs si siquiera meterlas o las configuraciones específicas para cada URL, como reglas personalizadas CRS 

#      - $DOCKERDIR/caddy/site:/srv 

    networks: 

      crowdsec: 

    security_opt: 

      - no-new-privileges=true 

  

  crowdsec: 

   image: docker.io/crowdsecurity/crowdsec:latest 

   container_name: crowdsec 

   restart: unless-stopped 

   environment: 

     - GID=1000 

     - COLLECTIONS=crowdsecurity/caddy crowdsecurity/http-cve  crowdsecurity/base-http-scenarios crowdsecurity/appsec-generic- 

rules crowdsecurity/linux crowdsecurity/sshd crowdsecurity/whitelist-good-actors crowdsecurity/iptables 

     - BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY} 

   ports: 

     - 8080:8080 

     - 7422:7422 

   volumes: 

     - $DOCKERDIR/caddy/crowdsec_config:/etc/crowdsec 

     - crowdsec_db:/var/lib/crowdsec/data/ 

     - $DOCKERDIR/caddy/log:/var/log/caddy:ro 

   networks: 

     crowdsec: 

   security_opt: 

     - no-new-privileges=true 

volumes: 

  crowdsec_db: 

  

networks: 

  crowdsec: 

    driver: bridge ``

```

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

d. My complete Caddy config:

{ 

#Token de la API Cloudflare que usa el módulo para la gestión ACME de Cloudflare

  acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}

#Configuración para el módulo de aceptar solo el tráfico proveniente del rango de IPs de cloudflare
  servers {
    trusted_proxies cloudflare {
      interval 12h
      timeout 15s
    }
  }

# Definición de duckdns como proveedor DNS par el módulo "caddy-dns/duckdns". Ver documento sobre porque está comentado.
#  dns duckdns {env.DUCKDNS_API_TOKEN}

#Configuración para el módulo de gestión de duckdns
  dynamic_dns {
       provider duckdns {env.DUCKDNS_API_TOKEN}
       domains {
             duckdns.org xxyy
       }
  } 


#Configuración para el módulo de gestión de duckdns 
  dynamic_dns { 
       provider duckdns {env.DUCKDNS_API_TOKEN} 
       domains { 
             duckdns.org sar1978 
       } 
  } 

#Mail para recibir los avisos de la gestión de certificados con  ACME 

  email xxx.com 

# Ponemos el log de debug (crowsec usa los log para detectar anomalías)
  log {
   level DEBUG
  }

#Habilitamos coraza
    order coraza_waf first
} 

#Fin de la zona de configuración global 

#Esta es la zona de definición de sites 

  

#Configuración de reserve proxy (esto incluye la configuración para la inspección de coraza) 

  

#Home Assistant 

https://bha.xxx.com { 
        coraza_waf {
                load_owasp_crs
                directives `
                   Include @coraza.conf-recommended
                   Include @crs-setup.conf.example
                   Include @owasp_crs/*.conf
                   SecRuleEngine On
                `
         }
         reverse_proxy http://192.168.8.22:8123 {
         header_up X-Real-IP {remote_host}
         }
         log {
           output file /var/log/caddy/homeassistant.log
             }
}


  

#VaultWarden 

https://bvw.xxx.com { 
tls {
  dns cloudflare {env.CLOUDFLARE_API_TOKEN}
  resolvers 1.1.1.1
  propagation_timeout 10m
}

        coraza_waf {
                load_owasp_crs
                directives `
                   Include @coraza.conf-recommended
                   Include @crs-setup.conf.example
                   Include @owasp_crs/*.conf
                   SecRuleEngine On
                `
          }
          reverse_proxy https://192.168.8.20:8443 {
#Esta directiva la he puesto por recomendación del creador de Vaultwarden.
                header_up X-Real-IP {remote_host}
                transport http {
                        tls_trust_pool file /config/rlyeh/rlyeh-ca.pem
#                       tls_insecure_skip_verify
                }
          }
                log {
                output file /var/log/caddy/vaultwarden.log
                }
}

5. Links to relevant resources:

2

Hi again

I’ve been searching for a solution and I’ve found 2 topics where the error was the same and also cloudflare is involved.

Unfortunately I have not known how to use its content to solve it.

On the oher hand, I haven’t found the audit.log, the log where coraza writes in order to have more information.

3

Remove this.

Or use {client_ip}

2 Likes
4

Thanks

I’ll try asap.

I put it because the error appears without.

Do you mean directly in a line or like this?

header_up X-Real-IP {client_ip}

Any case I’ll do all the combinations if I can try before you answer me :smiley:

5

Same error :frowning:

I get something but an error instead de login page.

image
image830×1280 55 KB

6

Hi again @Mohammed90

I’ve been trying a solutions since I have not found information about how to solve my problem.

I’ve tried with because i saw them in a forum

    header_up X-Real-IP {remote}
    header_up X-Forwarded-Proto {scheme}

The problem persists, which makes sense because I was actually testing without knowing what I was doing :slight_smile:

I can’t find any log where I can find more precise information about the reason why Coraza blocks the connection.

Could you help me find where to look?

Thank you so much

Edit:

I’ve created an audit log including this 2 directives

    coraza_waf {

            load_owasp_crs
            directives `
               Include @coraza.conf-recommended
               Include @crs-setup.conf.example
               Include @owasp_crs/*.conf
               SecAuditLog "/var/log/caddy/audit.log"
               SecAuditLogParts ABCFHZ
               SecRuleEngine On
            `
     }

The log info is very scarce, it does not include, for example, the rule applied or the reason.

–MwuxSWOqbZ-B–
[2025/08/08 15:22:39] mXrudmGjYuvnnGPu 172.18.0.1 0 0
POST /auth/login_flow HTTP/1.1
cf-warp-tag-id: 12ee7372-440d-4d6a-821a-e03ce4df07b2
content-type: text/plain;charset=UTF-8
origin: https://bha.xxx.com
x-forwarded-proto: https
host: bha.xxx.com
x-forwarded-host: bha.xxx.com
cf-ipcountry: ES
user-agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Mobile Safari/537.36
content-length: 165
accept: /
cf-ray: 96c002aecc8ccfd2-MAD
cf-connecting-ip: 2a02:9130:84bf:7c0b:1859:c895:1db8:5ebc
sec-fetch-mode: cors
cdn-loop: cloudflare; loops=1
sec-fetch-site: same-origin
x-forwarded-for: 2a02:9130:84bf:7c0b:1859:c895:1db8:5ebc
priority: u=1, i
save-data: on
accept-encoding: gzip, br
accept-language: es-ES,es;q=0.9
cf-visitor: {“scheme”:“https”}
sec-fetch-dest: empty
connection: keep-alive
sec-ch-ua-platform: “Android”
sec-ch-ua: “Not)A;Brand”;v=“8”, “Chromium”;v=“138”, “Google Chrome”;v=“138”
sec-ch-ua-mobile: ?1
–MwuxSWOqbZ-C–
[2025/08/08 15:22:39] mXrudmGjYuvnnGPu 172.18.0.1 0 0
{“client_id”:“https://bha.xxx.com/",“handler”:[“homeassistant”,null],“redirect_uri”:"https://bha.xxx.com/?auth_callback=1”}
–MwuxSWOqbZ-F–
[2025/08/08 15:22:39] mXrudmGjYuvnnGPu 172.18.0.1 0 0
–MwuxSWOqbZ-H–
[2025/08/08 15:22:39] mXrudmGjYuvnnGPu 172.18.0.1 0 0
Stopwatch:
Response-Body-Transformed:
Producer:
Server:

7

I don’t think the issue now in Coraza. The request is clearly passed to the backend service, Home Automation. I think Home Automation doesn’t like something, and some requests are failing. Open the browser console/devtools (press F12) and look for failures or errors in the Console and Network tab.

2 Likes
8

I’ll use the dev tools but I pretty sure is coraza because when I comment the coraza lines in Caddyfile, Home Assistant works.

The first connection works, I see it the first page, but after that the user login load page fails.

9

If the issue is with Coraza itself, you might have better luck with the Coraza community. It seems they use GitHub Discussions.

1 Like
10

Thanks

I first wanted to make sure I hadn’t made any mistakes setting up the caddy.

thank you so much

I will ask in the coraza forum and if it is solved I will post here how I did it in case it helps someone :smiley:

11

Hi again @Mohammed90

I’ve asked in the coraza forums and at the momento there are not resposes.

I update the information also here.

image
image1902×801 94.8 KB

12

Hello

Just to say that everithing is working now.

there was a mix, CRS exclusions needed and caddy configuration because coraza don’t support websockets.

Everything is in the above post.

Thanks to all of you

2 Likes
13

Thank you for coming back with an update!

1 Like
14

It’s the least I can do, after everything you have helped me and the time you have dedicated to me.

Furthermore, leaving the answers is the way in which the community grows, so it seems basic to me to leave the final answer.

Thank you very much again, you are a great team.

1 Like
15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.