Hi
I am an Alpha Anywhere developer, and i need to put one of my web apps in an internal lan (no access from outside) with a reverse proxy to filter and forward the requests.
Infrastructure professionals with previous experience in similar scenarios proposed nginx or squid, but stumbled upon Caddy which i like very much. I like it’s simplicity, and even though i haven’t installed it or used it yet, it’s impossible not to understand right away how easy and straightforward it is to configure.
I have overall two questions before i can jump in.
.a5w files
besides the classic html5/javascript fiels, the Alpha Anywhere Application Server handles files with the .a5w extension. These files contain html with specific directives for Server Side commands.
Can Caddy be setup so those files are forwarded and not discarded?
Security, WAF
with NGinx you can easily add Modsecurity WAF or Naxsi, is there any similar plugin for Caddy?
Thank you in advance
Jaime
PS: here is the filled in template where relevant
1. Caddy version (caddy version): v2
2. How I intend to run Caddy:
As a reverse proxy server, internet facing host running Caddy through https, then Caddy should filter and forward those requests to an internal host running Alpha Anywhere Application Server
Hey @WindForce, welcome to the Caddy community! Glad to hear you’re liking Caddy so far.
Absolutely. Depends on your setup, but Caddy will faithfully pass all content between the client and the upstream server. I’m not seeing any reason Caddy would discard anything, unless you were to set up matchers and handle them specifically to discard them yourself.
In short, no, but Caddy is inherently capable of some very sophisticated filtering natively. To borrow the Wikipedia description of ModSecurity:
To detect threats, the ModSecurity engine is deployed embedded within the webserver or as a proxy server in front of a web application. This allows the engine to scan incoming and outgoing HTTP communications to the endpoint. Dependent on the rule configuration the engine will decide how communications should be handled which includes the capability to pass, drop, redirect, return a given status code, execute a user script, and more.
With Caddy v2’s matchers, you can inspect a huge number of aspects of the request and handle things based on those. But I understand that one aspect of ModSecurity’s appeal is the core rule set, which you plug in and forget to CYA against some basic types of vulnerabilities. Caddy does not have a plug-in-and-forget rule set like that, but just about any threat model you can think of, you can probably find a way to harden Caddy against. And it’s already pretty smart about some kinds of vulnerabilities, like directory traversal, for example.
I’m confident just about every rule in the NAXSI list can be replicated, although I will admit it won’t be as compact or neat as their syntax because matchers are primarily designed to help you handle requests, not specifically cover vulnerabilities.
Hi Matthew
Thank you very much for the fast and detailed answer!
I will build a test environment and give Caddy a spin.
As for the WAF issue, i am mainly interested in top 10 OWASP issues, i guess i will bombard the forum whenever i’ll try to implement them as Caddy filtering rules
