1. The problem I’m having:
Hey
I have Caddy with the Coraza WAF set up right now behind a reverse proxy (nginx). In the Caddy request logs, all client IP fields are 127.0.0.1.
If I query Caddy directly, the logs are printed correctly.
This would make me think it's an nginx issue; however, if I run nc -lp 8080
and send a request through nginx, the headers are correct (X-Real-IP, X-Forwarded-For, X-Forwarded-Host).
2. Error messages and/or full log output:
{"level":"error","ts":1718636999.067847,"logger":"http.handlers.waf","msg":"[client \"127.0.0.1\"] Coraza: Access den...
3. Caddy version:
Caddy version v2.8.4
4. How I installed and ran Caddy:
I built it with xcaddy
a. System environment:
Ubuntu 20.02
b. Command:
./caddy run --config Caddyfile
c. Service/unit/compose file:
d. My complete Caddy config:
```
{
	debug
	auto_https off
	order coraza_waf first
	log {
		format json
		level info
		output file /var/log/caddy/caddy_events.log
	}
}

:8080 {
	coraza_waf {
		load_owasp_crs
		directives `
			Include coraza.conf
			Include coreruleset/crs-setup.conf.example
			Include coreruleset/rules/*.conf
			SecRuleEngine On
			SecDebugLog /dev/stdout
			SecDebugLogLevel 9
			SecResponseBodyAccess On
			SecResponseBodyMimeType application/json
		`
	}
	reverse_proxy http://localhost
}
```
5. Links to relevant resources:
Mohammed90
(Mohammed Al Sahaf)
June 17, 2024, 4:20pm
2
Caddy doesn't blindly trust the X-Forwarded-For header, because it isn't secure to just assume so. Anyone can point a reverse proxy at your service. You need to set trusted_proxies.
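A stand-alone model of the trust rule described above, added here as an illustration (it is not code from Caddy or the Coraza module): the proxy-supplied address is honoured only when the TCP peer is inside the configured trusted_proxies ranges, and the strict variant mirrors Caddy's trusted_proxies_strict option. All addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, Optional


def parse_ip(value: str) -> Optional[ipaddress._BaseAddress]:
    """Return the address in a bare IP or "ip:port" / "[ip6]:port" string."""
    host = value.strip()
    if host.startswith("["):            # [IPv6]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:          # IPv4:port
        host = host.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def resolve_client_ip(remote_addr: str, headers: dict,
                      trusted_proxies: Iterable[str], strict: bool = False) -> str:
    """Model of Caddy's client_ip selection with the default X-Forwarded-For header.

    remote_addr is the TCP peer (the access log's remote_ip). If that peer is
    not a trusted proxy the header is ignored, so a client cannot spoof its own
    address. strict=False (Caddy's default) takes the leftmost entry;
    strict=True (trusted_proxies_strict) takes the rightmost entry that is not
    itself a trusted proxy, which is safer behind a chain of proxies.
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    peer = parse_ip(remote_addr)

    def trusted(ip) -> bool:
        return ip is not None and any(ip in net for net in networks)

    if not trusted(peer):
        return str(peer)                 # untrusted peer: header is ignored
    xff = headers.get("X-Forwarded-For", "")
    candidates = [ip for ip in (parse_ip(p) for p in xff.split(",")) if ip]
    if not candidates:
        return str(peer)                 # trusted proxy sent no usable header
    if not strict:
        return str(candidates[0])
    for ip in reversed(candidates):      # walk right to left, skipping proxies
        if not trusted(ip):
            return str(ip)
    return str(peer)                     # assumption: every hop was a proxy
```

Note that 0.0.0.0/0, used for testing in the next post, trusts every peer, so a direct client can then set its own X-Forwarded-For and be logged under any address it likes.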
For testing, I set my trusted_proxies to 0.0.0.0/0, and I am still getting the same issue.
```
{
	debug
	auto_https off
	order coraza_waf first
	log {
		format json
		level info
		output file /var/log/caddy/caddy_events.log
	}
	servers {
		trusted_proxies static 0.0.0.0/0
	}
}

:8080 {
	coraza_waf {
		load_owasp_crs
		directives `
			Include coraza.conf
			Include coreruleset/crs-setup.conf.example
			Include coreruleset/rules/*.conf
			SecRuleEngine On
			SecDebugLog /var/log/caddy/coraza.log
			SecDebugLogLevel 9
			SecAuditLogParts ABZ
			SecResponseBodyAccess On
			SecResponseBodyMimeType application/json
		`
	}
	reverse_proxy http://localhost
}
```
Is this the correct spot to set trusted_proxies?
Mohammed90
(Mohammed Al Sahaf)
June 17, 2024, 6:06pm
4
It seems like Coraza is using the wrong value, per this GitHub issue (opened 16 May 2024, 11:38PM UTC):
I am running caddy and cloudflared in containers. I expose the app through cloudflare tunnel. Even though I see the correct IP address for the user in the **client_ip** field in caddy HTTP access logs, I only see my local IP where my cloudflared container is running in the "client" field in coraza's logs.
```
ERR ts=1715890755.5588253 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 1). Restricted File Access Attempt [file "@owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "3004"] [id "930130"] [rev ""] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /backup/.env"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname ""] [uri "/backup/.env"] [unique_id "cMcEsZeHrZypdcza"]
ERR ts=1715890755.5638793 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 2). Inbound Anomaly Score Exceeded (Total Score: 5) [file "@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "6836"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname ""] [uri "/backup/.env"] [unique_id "cMcEsZeHrZypdcza"]
ERR ts=1715901998.4102561 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 1). Restricted File Access Attempt [file "@owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "3004"] [id "930130"] [rev ""] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /server/.env"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname ""] [uri "/server/.env"] [unique_id "gtdfrphGnOfXfwZS"]
ERR ts=1715901998.8870468 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 2). Inbound Anomaly Score Exceeded (Total Score: 5) [file "@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "6836"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname ""] [uri "/server/.env"] [unique_id "gtdfrphGnOfXfwZS"]
```
In caddy logs, the **remote_ip** field refers to 172.19.0.2 (my local cloudflared).
As far as I remember, caddy recommends using the "client_ip" field rather than "remote_ip" for the add-ons. That might be the case.
Yep, you’re correct lol.
I just edited the coraza module directly to use the header sent by my reverse proxy instead.
Thanks!
Mohammed90
(Mohammed Al Sahaf)
June 17, 2024, 6:15pm
6
For posterity, can you share the final config? It'll help future wanderers.
system
(system)
Closed
July 17, 2024, 6:16pm
7
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.