From 78f0066cb8f6acf7566a252981b7ab04b724059b Mon Sep 17 00:00:00 2001 From: Fabrizio Salmi Date: Sat, 6 Dec 2025 22:53:33 +0100 Subject: [PATCH] docs: update documentation for v0.1.2 (ASN, SOTA, Issues fixed) --- README.md | 9 ++++++++- caddywaf.go | 2 +- docs/configuration.md | 3 +++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 17ff80a..ef5f979 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ A robust, highly customizable, and feature-rich **Web Application Firewall (WAF) ## 🛡️ Core Protections * **Regex-Based Filtering:** Deep URL, data & header inspection using powerful regex rules. -* **Blacklisting:** Blocks malicious IPs, domains & optionally TOR exit nodes. +* **Blacklisting:** Blocks malicious IPs, domains, ASNs & optionally TOR exit nodes. * **Geo-Blocking:** Restricts access by country using GeoIP. * **Rate Limiting:** Prevents abuse via customizable IP request limits. * **Anomaly Scoring:** Dynamically blocks requests based on cumulative rule matches. @@ -23,6 +23,13 @@ A robust, highly customizable, and feature-rich **Web Application Firewall (WAF) _Simple at a glance UI :)_ ![demo](https://github.com/fabriziosalmi/caddy-waf/blob/main/docs/caddy-waf-ui.png?raw=true) +## Security & Performance (SOTA) +* **Zero-Copy Networking**: Uses `unsafe.String` to eliminate memory allocations during request body inspection. +* **Wait-Free Concurrency**: Atomic counters ensure accurate metrics and rule hit counting without lock contention. +* **Circuit Breaker**: `geoip_fail_open` prevents database failures from causing service outages. +* **DoS Protection**: `io.LimitReader` enforces strict request body limits to prevent memory exhaustion. +* **ReDoS Safety**: Built on top of Go's `regexp` (RE2), guaranteeing linear time execution for all regex rules. + ## 🚀 Quick Start ```bash diff --git a/caddywaf.go b/caddywaf.go index 348f466..07bba79 100644 --- a/caddywaf.go +++ b/caddywaf.go 
@@ -50,7 +50,7 @@ var ( ) // Add or update the version constant as needed -const wafVersion = "v0.1.0" // update this value to the new release version when tagging +const wafVersion = "v0.1.2" // update this value to the new release version when tagging // ==================== Initialization and Setup ==================== diff --git a/docs/configuration.md b/docs/configuration.md index af8b7fd..4068dbe 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -140,6 +140,9 @@ The WAF provides a variety of configuration options to control its behavior. The | **`log_path`** | Specifies the path for the WAF log file. | `log_path /var/log/waf/access.log` | | **`redact_sensitive_data`** | Redacts sensitive data from the request query string in logs. | `redact_sensitive_data` | | **`custom_response`** | Defines custom HTTP responses for blocked requests. Requires status code, content type, and response content or file path. | `custom_response 403 application/json error.json` | +| **`max_request_body_size`**| Configures request body size limit (default 10MB). Uses `io.LimitReader` for protection. | `max_request_body_size 20MB` | +| **`block_asns`** | Blocks requests from specified Autonomous Systems (ASNs) using the MaxMind GeoIP2 ASN database. | `block_asns GeoLite2-ASN.mmdb 12345 67890` | +| **`geoip_fail_open`** | Configures the WAF to allow requests if GeoIP/ASN lookup fails (Circuit Breaker pattern). Default is false (Fail Closed). | `geoip_fail_open` | ---
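Review bot: the "Zero-Copy Networking" bullet in the new Security & Performance section of README.md overstates what `unsafe.String` provides: it aliases an existing byte buffer as a string without copying, so the resulting string is only valid while that buffer is neither reused nor mutated, and it does not by itself "eliminate memory allocations" in body inspection. Suggest wording such as "Avoids an extra copy when converting the buffered request body for regex matching" and, since this is a security-facing document, stating the invariant the code depends on (the buffer is not modified after conversion). In the same list, "Wait-Free Concurrency" should read "lock-free" unless the atomic-counter paths were actually analysed for wait-freedom; "ReDoS Safety … linear time execution for all regex rules" is correct for Go's RE2-based `regexp` but should say the guarantee is linear in input length and applies only to patterns evaluated through `regexp`; and the "Circuit Breaker" bullet should note that `geoip_fail_open` is opt-in (the configuration table added later in this patch documents the default as fail-closed) and that enabling it means geo- and ASN-based blocks are not enforced while the database is unavailable. The "(SOTA)" tag in the heading reads as marketing rather than documentation.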
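Review bot: the caddywaf.go hunk bumps `wafVersion` from "v0.1.0" to "v0.1.2" inside a commit whose subject says "docs:"; a source change belongs in its own commit (or the subject should say "chore: bump version"), and it is worth confirming whether v0.1.1 was ever tagged, since the constant was never set to it in this history. The trailing comment on the `const wafVersion` line relies on someone remembering to edit it at tag time; if the release tag and this constant can drift, consider injecting the version at build time with `-ldflags "-X ..."` so the two cannot disagree.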
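Review bot: the three rows added to the configuration table in docs/configuration.md leave out details an operator needs. For `max_request_body_size`, document which size suffixes are accepted (the example uses `20MB`; is `20M` or a bare byte count valid?), what response the client receives when the limit is exceeded, and whether the limit is applied before the body is read for inspection. For `block_asns`, say whether the `.mmdb` path is absolute or relative to the Caddyfile and that it must be the separate GeoLite2-ASN database rather than the country database used by geo-blocking. For `geoip_fail_open`, spell out the consequence: when enabled, a missing or corrupt database means geo-blocking and `block_asns` silently stop filtering, so the row should mention any log line or metric the WAF emits on that fallback. Minor style point: the `max_request_body_size` row is missing the space before its second `|`, unlike the surrounding rows.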