Full rewrite of README.md, MODULE.md, caddyfile.example, and docs/ to match the actual code in caddywaf.go, handler.go, config.go, rules.go, ratelimiter.go, blacklist.go, geoip.go, request.go, and types.go. Notable corrections: - docs/configuration.md now lists every directive recognised by the Caddyfile parser (directiveHandlers in config.go) and separates JSON-only fields (MaxRequestBodySize, GeoIPFailOpen, Tor.CustomTORExitNodeURL). - docs/rules.md documents the JSON tag mismatch on Rule.Action: the struct tag is "mode" while the bundled rule files commonly use "action". - docs/ratelimit.md corrects the match_all_paths semantics to match ratelimiter.go (true rate-limits all paths; false + non-empty paths rate-limits only matching paths; false + empty paths is a no-op). - docs/dynamicupdates.md adds a reload matrix distinguishing what fsnotify reloads from what requires caddy reload. - docs/metrics.md aligns the JSON schema with handleMetricsRequest and notes that all counters are process-local. - docs/prometheus.md uses Gauge.set instead of Counter.inc to match the process-local monotonic counter semantics. - caddyfile.example no longer references nonexistent directives (country_block, custom_response block form). Also adds the missing CHANGELOG entry for v0.3.0 (duplicate response headers fix and CIDR support in IP blacklist) and removes emoji from all user-facing documentation.
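# Example Caddyfile for the caddy-waf module (http.handlers.waf).
# Every directive below is recognised by the Caddyfile parser in config.go;
# docs/configuration.md is the directive reference (JSON-only fields such as
# MaxRequestBodySize and GeoIPFailOpen cannot be set from a Caddyfile).

{
    # auto_https off disables automatic certificate management and the
    # HTTP -> HTTPS redirect, so both sites below are served over plain HTTP.
    # It is here to keep the example self-contained; remove it for a real
    # deployment so the WAF sits behind TLS.
    auto_https off
    # Admin API stays bound to loopback (this is Caddy's default address).
    admin localhost:2019
}

# ---------------------------------------------------------------------------
# Example 1: minimal setup
# ---------------------------------------------------------------------------
example.com {
    route {
        waf {
            # Rule set plus static IP/DNS blacklists, all loaded from files
            # relative to the working directory of the caddy process.
            rule_file rules.json
            ip_blacklist_file ip_blacklist.txt
            dns_blacklist_file dns_blacklist.txt
            # Process-local counters exposed as JSON on this path (no
            # authentication is added by the module; see docs/metrics.md).
            metrics_endpoint /waf_metrics

            # Anomaly score at which a request is blocked; see
            # docs/configuration.md for how rule scores accumulate.
            anomaly_threshold 10

            log_severity info
            log_path /var/log/caddy/waf.log
        }

        respond "Hello, World — protected by Caddy WAF" 200
    }
}

# ---------------------------------------------------------------------------
# Example 2: API gateway with rate limiting, GeoIP, ASN block, and
# custom responses
# ---------------------------------------------------------------------------
api.example.com {
    route {
        waf {
            metrics_endpoint /waf_metrics
            anomaly_threshold 15

            # One or more rule files (the directive may repeat).
            rule_file rules/sql-injection.json
            rule_file rules/xss.json
            rule_file rules/lfi.json

            # Per-IP rate limiting on /api/* and /admin/*.
            # match_all_paths false + a non-empty paths list limits only the
            # matching paths; match_all_paths true limits every path; false
            # with an empty paths list is a no-op (see docs/ratelimit.md).
            rate_limit {
                requests 100
                window 10s
                cleanup_interval 5m
                paths ^/api/.* ^/admin/.*
                match_all_paths false
            }

            # Country and ASN gating (require GeoLite2 MMDB files).
            # Behaviour when the database cannot be read is governed by the
            # JSON-only GeoIPFailOpen field; it is not settable here.
            block_countries GeoLite2-Country.mmdb RU CN KP
            block_asns GeoLite2-ASN.mmdb 14618 16509

            # Tor exit-node blocking; refreshed every 24h, retries every hour
            # on transient failures. The fetched list is kept in the file
            # named by tor_ip_blacklist_file.
            tor {
                enabled true
                tor_ip_blacklist_file tor_blacklist.txt
                update_interval 24h
                retry_on_failure true
                retry_interval 1h
            }

            # IP and DNS blacklists (IP entries may be single addresses or
            # CIDR ranges as of v0.3.0).
            ip_blacklist_file ip_blacklist.txt
            dns_blacklist_file dns_blacklist.txt

            # Custom responses for blocked requests.
            # form 1: status content-type "inline body…"
            # form 2: status content-type /path/to/body.file
            # The body file is read by the caddy process, so keep it outside
            # any directory the proxied application can write to.
            custom_response 403 application/json error.json
            custom_response 429 text/plain "Slow down."

            # Logging. redact_sensitive_data keeps sensitive request fields
            # out of the log written to log_path; docs/configuration.md lists
            # which fields are redacted.
            log_severity info
            log_json
            log_path /var/log/caddy/waf.log
            log_buffer 2000
            redact_sensitive_data
        }

        reverse_proxy localhost:8080
    }
}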