1. The problem I’m having:
I am using Caddy as a reverse proxy with Coraza WAF for security. The webapp behind the reverse proxy is a fileserver and I need to upload large files (around 100GB). The fileserver does not support chunked multipart uploads, so the whole 100GB file goes in one single POST request.
The problem is that the reverse proxy tries to buffer the whole request. I can see the RAM memory quickly filling up while nothing is received by the fileserver.
I did a quick upload test with a 20GB file, with Coraza ON and OFF:
- With Coraza WAF not loaded into the Caddyfile, the reverse proxy doesn’t buffer anything. The file goes straight to the fileserver.
- With Coraza WAF loaded (as the Caddyfile below shows), the reverse proxy starts buffering the request. The RAM memory quickly fills up and the fileserver doesn’t receive anything.
I thought that using SecRequestBodyLimitAction ProcessPartial would cause the first SecRequestBodyLimit 13107200 bytes to be processed and the rest of the request to be streamed to the fileserver, but this doesn’t seem to be the case.
What configuration do I need in order to tell Caddy/Coraza to just process that number of bytes from the request and stream the rest directly to the fileserver?
2. Error messages and/or full log output:
N/A
3. Caddy version:
v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=
4. How I installed and ran Caddy:
xcaddy build --with github.com/corazawaf/coraza-caddy/v2
a. System environment:
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.5 LTS"
Linux 6.14.8-2-pve #1 SMP PREEMPT_DYNAMIC PMX 6.14.8-2 (2025-07-22T10:04Z) x86_64 x86_64 x86_64 GNU/Linux
b. Command:
/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
c. Service/unit/compose file:
N/A
d. My complete Caddy config:
{
    order coraza_waf first
    admin off
    auto_https disable_certs
}
example.com:4431 {
    coraza_waf {
        load_owasp_crs
        directives `
            SecAuditEngine On
            SecAuditLog "/var/log/coraza.log"
            SecAuditLogFormat JSON
            SecAuditLogParts ABIJDEFHKZ
            Include /etc/caddy/rules/coreruleset/crs-setup.conf
            Include /etc/caddy/rules/coraza.conf
            Include /etc/caddy/rules/coreruleset/rules/*.conf
            SecResponseBodyAccess On
            SecRuleEngine On
            SecRequestBodyLimitAction ProcessPartial
            SecRequestBodyLimit 13107200
            SecRequestBodyInMemoryLimit 131072
            SecRequestBodyNoFilesLimit 131072
        `
    }
    #basic TLS proto and certs
    tls /etc/caddy/certs/certificate.crt /etc/caddy/certs/private.key {
        protocols tls1.3
    }
    header {
        +Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        +Cross-Origin-Resource-Policy "same-origin"
        +Referrer-Policy "strict-origin-when-cross-origin"
        +X-Content-Type-Options "nosniff"
        +X-Frame-Options "DENY"
        +X-XSS-Protection "1; mode=block"
        +Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()"
        +Access-Control-Allow-Origin "null"
    }
    reverse_proxy localhost:8080 {
        flush_interval -1
        request_buffers 0b
        response_buffers 0b
    }
}
5. Links to relevant resources:
N/A
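
The behaviour the post asks for (inspect a bounded prefix of the request body, then stream the remainder upstream without holding it in memory) looks like this as a standalone Go sketch. It is an added example, not part of the original post and not Coraza's or Caddy's code; `inspectPrefix` and `countingReader` are hypothetical names, and the sample body is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strings"
)

// countingReader records how many bytes have been pulled from the client body,
// so the caller can see whether anything beyond the inspection window was read.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// inspectPrefix (hypothetical helper) buffers at most limit bytes of body for
// inspection. It returns that prefix and a reader that replays the prefix and
// then streams the unread remainder, so memory use is bounded by limit.
func inspectPrefix(body io.Reader, limit int64) ([]byte, io.Reader, error) {
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, io.LimitReader(body, limit)); err != nil {
		return nil, nil, err
	}
	prefix := buf.Bytes()
	return prefix, io.MultiReader(bytes.NewReader(prefix), body), nil
}

func main() {
	// Constructed sample: 1 MiB body with a 64 KiB inspection window. On the
	// page's config the window would be SecRequestBodyLimit (13107200 bytes).
	client := &countingReader{r: strings.NewReader(strings.Repeat("A", 1<<20))}
	prefix, upstream, err := inspectPrefix(client, 64<<10)
	if err != nil {
		panic(err)
	}
	fmt.Printf("inspected=%d read-from-client=%d\n", len(prefix), client.n)
	// Forwarding: the backend receives the full body, prefix first.
	sent, _ := io.Copy(io.Discard, upstream)
	fmt.Printf("forwarded=%d read-from-client=%d\n", sent, client.n)
}
```

If the proxy's memory grows well past the inspection limit before the backend sees its first byte, some layer is draining the whole body instead of handing over a reader like the one returned here.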