Yet another Caddy WAF released :)

Fab23 · January 4, 2025, 8:47am

Helo Caddy users,
I just released a simple Caddy WAF (OWASP rule-based filtering, IP and DNS filtering, rate limiting, GeoIP).

Features:

Rule-based request filtering with regex patterns.
IP and DNS blacklisting to block malicious traffic.
Country-based blocking using MaxMind GeoIP2.
Rate limiting per IP address to prevent abuse.
Anomaly scoring system for detecting suspicious behavior.
Request inspection (URL, args, body, headers, cookies, user-agent).
Protection against common attacks (SQL injection, XSS, RCE, Log4j, etc.).
Detailed logging and monitoring for security analysis.
Dynamic rule reloading without server restart.
Severity-based actions (block, log) for fine-grained control.

Example reverse proxy with WAF

# Global options
{
    # Enable the global error log
    log {
        output file /var/log/caddy/errors.log
        level ERROR
    }
    # Automatic HTTPS settings
    email admin@example.com
}

# Reverse proxy for example.com
example.com {
    # Enable WAF
    waf {
        # Rate limiting: 100 requests per 5 seconds
        rate_limit 100 5s

        # Rules and blacklists
        rule_file /path/to/rules.json
        ip_blacklist_file /path/to/ip_blacklist.txt
        dns_blacklist_file /path/to/dns_blacklist.txt

        # Country blocking (requires MaxMind GeoIP2 database)
        block_countries /path/to/GeoLite2-Country.mmdb RU CN KP

        # Enable detailed logging
        log_all

        # Define actions based on severity
        severity critical block
        severity high block
        severity medium log
        severity low log
    }

    # Log access to a file
    log {
        output file /var/log/caddy/access.log
        format single_field common_log
    }

    # Reverse proxy to the origin server
    reverse_proxy http://origin-server:8080 {
        # Optional: Add headers to forward to the backend
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}

Enjoy and contribute:

Fab23 · January 19, 2025, 10:14am

Few updates:

Features

per path rate limiting added
usable baseline of ruleset included
test script with 300+ different attacks to evaluate your ruleset
multiple rules files supported
JSON metrics
anomaly score improved
data redaction
dynamic reloading

Performance

async logging
precomp regex at startup
cached regex processing

More to fix/improve until the 0.1.0 release, enjoy and contribute

matt · January 19, 2025, 5:00pm

Awesome! Thanks for sharing this. More plugins strengthens the ecosystem and gives more flexibility to site owners to enhance their security!

svenakela · January 23, 2025, 8:24am

That’s an impressive feature list!
Out of curiosity, why did you make it? I am using Coraza a lot in prod environments, but some of your features are missing and they would be nice to have.

Fab23 · January 25, 2025, 7:16am

Just for fun, learning and so… in addition to that I am enjoying go coding to

svenakela · January 27, 2025, 9:56am

I linked your project in the OWASP Coraza group. People found it interesting.

…maybe you should join the force.

Fab23 · February 1, 2025, 11:10am

Really appreciated and yes, I will be honored to join the force

system · February 3, 2025, 8:48am

This topic was automatically closed after 30 days. New replies are no longer allowed.

matt · February 5, 2025, 4:23pm

(I probably need to adjust the auto-close rules on this category. This thread probably deserves to stay open for now!)