mirror of
https://github.com/fabriziosalmi/caddy-waf.git
synced 2025-12-23 22:27:46 -05:00
70 lines
1.6 KiB
Caddyfile
70 lines
1.6 KiB
Caddyfile
{
|
|
auto_https off
|
|
admin localhost:2019
|
|
}
|
|
|
|
:8080 {
|
|
log {
|
|
output stdout
|
|
format console
|
|
level INFO
|
|
}
|
|
|
|
handle {
|
|
header -Server
|
|
}
|
|
|
|
route {
|
|
# WAF Plugin runs on all requests first
|
|
waf {
|
|
metrics_endpoint /waf_metrics
|
|
anomaly_threshold 20
|
|
# Using modified rules file that prevents false positives with Chrome browser requests
|
|
rule_file rules.json
|
|
# block_countries GeoLite2-Country.mmdb RU CN KP
|
|
# whitelist_countries GeoLite2-Country.mmdb US
|
|
|
|
# custom_response 403 application/json error.json
|
|
|
|
# rate limiter
|
|
rate_limit {
|
|
requests 100
|
|
window 10s
|
|
cleanup_interval 5m
|
|
paths /ratelimited # List of individual regex patterns (example: paths ^/api/.*)
|
|
match_all_paths false
|
|
}
|
|
|
|
# Tor blocking configuration
|
|
tor {
|
|
enabled true
|
|
tor_ip_blacklist_file tor_ip_blacklist.txt
|
|
update_interval 24h
|
|
retry_on_failure true
|
|
retry_interval 1h
|
|
}
|
|
|
|
ip_blacklist_file ip_blacklist.txt
|
|
dns_blacklist_file dns_blacklist.txt
|
|
log_severity info
|
|
log_json
|
|
log_path debug.json
|
|
# redact_sensitive_data
|
|
}
|
|
|
|
# Match the waf metrics endpoint specifically and stop processing
|
|
@wafmetrics path /waf_metrics
|
|
handle @wafmetrics {
|
|
header Access-Control-Allow-Origin * # Allow requests from any origin (for development - see note below)
|
|
header Access-Control-Allow-Methods "GET, OPTIONS" # Allow GET and OPTIONS methods
|
|
header Access-Control-Allow-Headers "User-Agent, Content-Type, *" # Allow User-Agent and Content-Type headers
|
|
# Do not respond here so it goes to the WAF plugin
|
|
}
|
|
|
|
# All other requests, respond with "Hello World"
|
|
handle {
|
|
respond "Hello world!" 200
|
|
}
|
|
}
|
|
}
|