Coraza is blocking the access to one of my reverse proxies

nachomagic · August 5, 2025, 4:14pm

1. The problem I’m having:

Hello
I have managed to have a caddy working as a reverse proxy through a cloudflare tunnel.

I have two reverse proxies.
client → https (bha.xxx.com via cloudflare tunnel) → caddy → http → application 1.
client → https ->(bvw.xxx.com via cloudflare tunnel) → caddy → https → application 2.
Everything works fine so I decided to add one more layer of security, Coraza and when it works I will add Crowdsec.

Since I’ve enabled Coraza I can access to application 2 but coraza cuts off access to application 1

I have the same configuration in both cloudflare tunnels.

2. Error messages and/or full log output:

{"level":"error","ts":1754406872.442574,"logger":"http.handlers.waf","msg":"[client \"172.18.0.1\"] Coraza: Access denied (phase 2). Inbound Anomaly Score Exceeded (Total Score: 5) [file \"@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"7441\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [data \"\"] [severity \"emergency\"] [ver \"OWASP_CRS/4.15.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"] [hostname \"\"] [uri \"/auth/login_flow\"] [unique_id \"XJqIoiYIsKNSstNv\"]    |

3. Caddy version:

2.10.0

4. How I installed and ran Caddy:

FROM caddy:2.10.0-builder AS builder

RUN xcaddy build \\
–with github.com/corazawaf/coraza-caddy/v2@latest \\
–with github.com/hslatman/caddy-crowdsec-bouncer/http@main \\
–with github.com/hslatman/caddy-crowdsec-bouncer/appsec@main \\
–with github.com/hslatman/caddy-crowdsec-bouncer/layer4@main \\
–with github.com/WeidiDeng/caddy-cloudflare-ip \\
–with github.com/mholt/caddy-dynamicdns \\
–with github.com/caddy-dns/cloudflare \\
–with github.com/caddy-dns/duckdns

FROM caddy:2.10.0

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

a. System environment:

b. Command:

sudo docker compose up --build in order to see the output log
.

c. Service/unit/compose file:

`services: 

  caddy: 

    build: 

       context: . 

       dockerfile: Dockerfile 

    container_name: caddy 

    restart: unless-stopped 

    cap_add: 

      - NET_ADMIN 

    environment: 

      - CLOUDFLARE_API_TOKEN=$CLOUDFLARE_API_TOKEN 

      - DUCKDNS_API_TOKEN=$DUCKDNS_API_TOKEN 

    ports: 

      - 80:80 

      - 443:443 

#      - 443:443/udp 

      - 8123:8123 

      - 8443:8443 

      - 4080:4080 

    volumes: 

      - $DOCKERDIR/caddy/log:/var/log 

      - $DOCKERDIR/caddy/ruleset:/ruleset 

      - $DOCKERDIR/caddy/Caddyfile:/etc/caddy/Caddyfile 

      - $DOCKERDIR/caddy/data:/data 

      - $DOCKERDIR/caddy/config:/config 

      - $DOCKERDIR/certs/:/config/rlyeh 

# Aquí irían las webs si siquiera meterlas o las configuraciones específicas para cada URL, como reglas personalizadas CRS 

#      - $DOCKERDIR/caddy/site:/srv 

    networks: 

      crowdsec: 

    security_opt: 

      - no-new-privileges=true 

  

  crowdsec: 

   image: docker.io/crowdsecurity/crowdsec:latest 

   container_name: crowdsec 

   restart: unless-stopped 

   environment: 

     - GID=1000 

     - COLLECTIONS=crowdsecurity/caddy crowdsecurity/http-cve  crowdsecurity/base-http-scenarios crowdsecurity/appsec-generic- 

rules crowdsecurity/linux crowdsecurity/sshd crowdsecurity/whitelist-good-actors crowdsecurity/iptables 

     - BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY} 

   ports: 

     - 8080:8080 

     - 7422:7422 

   volumes: 

     - $DOCKERDIR/caddy/crowdsec_config:/etc/crowdsec 

     - crowdsec_db:/var/lib/crowdsec/data/ 

     - $DOCKERDIR/caddy/log:/var/log/caddy:ro 

   networks: 

     crowdsec: 

   security_opt: 

     - no-new-privileges=true 

volumes: 

  crowdsec_db: 

  

networks: 

  crowdsec: 

    driver: bridge ``

```

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

d. My complete Caddy config:

{ 

#Token de la API Cloudflare que usa el módulo para la gestión ACME de Cloudflare

  acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}

#Configuración para el módulo de aceptar solo el tráfico proveniente del rango de IPs de cloudflare
  servers {
    trusted_proxies cloudflare {
      interval 12h
      timeout 15s
    }
  }

# Definición de duckdns como proveedor DNS par el módulo "caddy-dns/duckdns". Ver documento sobre porque está comentado.
#  dns duckdns {env.DUCKDNS_API_TOKEN}

#Configuración para el módulo de gestión de duckdns
  dynamic_dns {
       provider duckdns {env.DUCKDNS_API_TOKEN}
       domains {
             duckdns.org xxyy
       }
  } 


#Configuración para el módulo de gestión de duckdns 
  dynamic_dns { 
       provider duckdns {env.DUCKDNS_API_TOKEN} 
       domains { 
             duckdns.org sar1978 
       } 
  } 

#Mail para recibir los avisos de la gestión de certificados con  ACME 

  email xxx.com 

# Ponemos el log de debug (crowsec usa los log para detectar anomalías)
  log {
   level DEBUG
  }

#Habilitamos coraza
    order coraza_waf first
} 

#Fin de la zona de configuración global 

#Esta es la zona de definición de sites 

  

#Configuración de reserve proxy (esto incluye la configuración para la inspección de coraza) 

  

#Home Assistant 

https://bha.xxx.com { 
        coraza_waf {
                load_owasp_crs
                directives `
                   Include @coraza.conf-recommended
                   Include @crs-setup.conf.example
                   Include @owasp_crs/*.conf
                   SecRuleEngine On
                `
         }
         reverse_proxy http://192.168.8.22:8123 {
         header_up X-Real-IP {remote_host}
         }
         log {
           output file /var/log/caddy/homeassistant.log
             }
}


  

#VaultWarden 

https://bvw.xxx.com { 
tls {
  dns cloudflare {env.CLOUDFLARE_API_TOKEN}
  resolvers 1.1.1.1
  propagation_timeout 10m
}

        coraza_waf {
                load_owasp_crs
                directives `
                   Include @coraza.conf-recommended
                   Include @crs-setup.conf.example
                   Include @owasp_crs/*.conf
                   SecRuleEngine On
                `
          }
          reverse_proxy https://192.168.8.20:8443 {
#Esta directiva la he puesto por recomendación del creador de Vaultwarden.
                header_up X-Real-IP {remote_host}
                transport http {
                        tls_trust_pool file /config/rlyeh/rlyeh-ca.pem
#                       tls_insecure_skip_verify
                }
          }
                log {
                output file /var/log/caddy/vaultwarden.log
                }
}

5. Links to relevant resources:

nachomagic · August 5, 2025, 8:03pm

Hi again

I’ve been searching for a solution and I’ve found 2 topics where the error was the same and also cloudflare is involved.

github.com/corazawaf/coraza-caddy

wrong client ip when using with cloudflared

opened 11:38PM - 16 May 24 UTC

closed 09:11AM - 09 Jan 25 UTC

berkansivri

I am running caddy and cloudflared in containers. I expose the app through cloud…flare tunnel. Even though I see correct IP address for the user in the **client_ip** field in caddy HTTP access logs, I only see my local IP where my cloudflared container is running in "client" field in coraza's logs. ``` ERR ts=1715890755.5588253 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 1). Restricted File Access Attempt [file "@owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "3004"] [id "930130"] [rev ""] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /backup/.env"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname ""] [uri "/backup/.env"] [unique_id "cMcEsZeHrZypdcza"] ERR ts=1715890755.5638793 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 2). Inbound Anomaly Score Exceeded (Total Score: 5) [file "@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "6836"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname ""] [uri "/backup/.env"] [unique_id "cMcEsZeHrZypdcza"] ERR ts=1715901998.4102561 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 1). Restricted File Access Attempt [file "@owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "3004"] [id "930130"] [rev ""] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /server/.env"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname ""] [uri "/server/.env"] [unique_id "gtdfrphGnOfXfwZS"] ERR ts=1715901998.8870468 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 2). Inbound Anomaly Score Exceeded (Total Score: 5) [file "@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "6836"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname ""] [uri "/server/.env"] [unique_id "gtdfrphGnOfXfwZS"] ``` In caddy logs, **remote_ip** field refers to 172.19.0.2 (my local cloudflared) As far as I remember caddy recommends to use "client_ip" field rather than "remote_ip" for the addons. that might be the case.

Unfortunately I have not known how to use its content to solve it.

On the oher hand, I haven’t found the audit.log, the log where coraza writes in order to have more information.

Mohammed90 · August 5, 2025, 9:31pm

Remove this.

Or use {client_ip}

nachomagic · August 6, 2025, 1:14pm

Thanks

I’ll try asap.

I put it because the error appears without.

Do you mean directly in a line or like this?

header_up X-Real-IP {client_ip}

Any case I’ll do all the combinations if I can try before you answer me

nachomagic · August 6, 2025, 2:25pm

Same error

I get something but an error instead de login page.

nachomagic · August 8, 2025, 3:03pm

Hi again @Mohammed90

I’ve been trying a solutions since I have not found information about how to solve my problem.

I’ve tried with because i saw them in a forum

    header_up X-Real-IP {remote}
    header_up X-Forwarded-Proto {scheme}

The problem persists, which makes sense because I was actually testing without knowing what I was doing

I can’t find any log where I can find more precise information about the reason why Coraza blocks the connection.

Could you help me find where to look?

Thank you so much

Edit:

I’ve created an audit log including this 2 directives

    coraza_waf {

            load_owasp_crs
            directives `
               Include @coraza.conf-recommended
               Include @crs-setup.conf.example
               Include @owasp_crs/*.conf
               SecAuditLog "/var/log/caddy/audit.log"
               SecAuditLogParts ABCFHZ
               SecRuleEngine On
            `
     }

The log info is very scarce, it does not include, for example, the rule applied or the reason.

–MwuxSWOqbZ-B–
[2025/08/08 15:22:39] mXrudmGjYuvnnGPu 172.18.0.1 0 0
POST /auth/login_flow HTTP/1.1
cf-warp-tag-id: 12ee7372-440d-4d6a-821a-e03ce4df07b2
content-type: text/plain;charset=UTF-8
origin: https://bha.xxx.com
x-forwarded-proto: https
host: bha.xxx.com
x-forwarded-host: bha.xxx.com
cf-ipcountry: ES
user-agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Mobile Safari/537.36
content-length: 165
accept: /
cf-ray: 96c002aecc8ccfd2-MAD
cf-connecting-ip: 2a02:9130:84bf:7c0b:1859:c895:1db8:5ebc
sec-fetch-mode: cors
cdn-loop: cloudflare; loops=1
sec-fetch-site: same-origin
x-forwarded-for: 2a02:9130:84bf:7c0b:1859:c895:1db8:5ebc
priority: u=1, i
save-data: on
accept-encoding: gzip, br
accept-language: es-ES,es;q=0.9
cf-visitor: {“scheme”:“https”}
sec-fetch-dest: empty
connection: keep-alive
sec-ch-ua-platform: “Android”
sec-ch-ua: “Not)A;Brand”;v=“8”, “Chromium”;v=“138”, “Google Chrome”;v=“138”
sec-ch-ua-mobile: ?1
–MwuxSWOqbZ-C–
[2025/08/08 15:22:39] mXrudmGjYuvnnGPu 172.18.0.1 0 0
{“client_id”:“https://bha.xxx.com/",“handler”:[“homeassistant”,null],“redirect_uri”:"https://bha.xxx.com/?auth_callback=1”}
–MwuxSWOqbZ-F–
[2025/08/08 15:22:39] mXrudmGjYuvnnGPu 172.18.0.1 0 0
–MwuxSWOqbZ-H–
[2025/08/08 15:22:39] mXrudmGjYuvnnGPu 172.18.0.1 0 0
Stopwatch:
Response-Body-Transformed:
Producer:
Server:

Mohammed90 · August 8, 2025, 6:32pm

I don’t think the issue now in Coraza. The request is clearly passed to the backend service, Home Automation. I think Home Automation doesn’t like something, and some requests are failing. Open the browser console/devtools (press F12) and look for failures or errors in the Console and Network tab.

nachomagic · August 8, 2025, 8:42pm

I’ll use the dev tools but I pretty sure is coraza because when I comment the coraza lines in Caddyfile, Home Assistant works.

The first connection works, I see it the first page, but after that the user login load page fails.

Mohammed90 · August 8, 2025, 11:40pm

If the issue is with Coraza itself, you might have better luck with the Coraza community. It seems they use GitHub Discussions.

nachomagic · August 9, 2025, 7:51am

Thanks

I first wanted to make sure I hadn’t made any mistakes setting up the caddy.

thank you so much

I will ask in the coraza forum and if it is solved I will post here how I did it in case it helps someone

nachomagic · August 10, 2025, 10:24am

Hi again @Mohammed90

I’ve asked in the coraza forums and at the momento there are not resposes.

I update the information also here.