{"id":19923384,"url":"https://github.com/corazawaf/coraza-caddy","last_synced_at":"2025-05-15T11:07:46.845Z","repository":{"id":41100915,"uuid":"378779898","full_name":"corazawaf/coraza-caddy","owner":"corazawaf","description":"OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities","archived":false,"fork":false,"pushed_at":"2025-04-30T11:36:02.000Z","size":12837,"stargazers_count":439,"open_issues_count":25,"forks_count":50,"subscribers_count":14,"default_branch":"main","last_synced_at":"2025-04-30T13:00:06.224Z","etag":null,"topics":["caddy","caddyserver","coreruleset","go","golang","owasp","security","waf","webapplicationfirewall"],"latest_commit_sha":null,"homepage":"https://www.coraza.io/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/corazawaf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-06-21T02:01:19.000Z","updated_at":"2025-04-30T11:34:51.000Z","dependencies_parsed_at":"2023-02-18T08:15:35.319Z","dependency_job_id":"5e5ce17d-3d99-4a67-a8d1-a6973b85cf24","html_url":"https://github.com/corazawaf/coraza-caddy","commit_stats":{"total_commits":123,"total_committers":15,"mean_commits":8.2,"dds":0.6666666666666667,"last_synced_commit":"e2e2d4faeb6c17b343907e2fe6906b8e754c7fc1"},"previous_names":["jptosso/coraza-caddy"],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza-caddy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza-caddy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza-caddy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza-caddy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/corazawaf","download_url":"https://codeload.github.com/corazawaf/coraza-caddy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254328384,"owners_count":22052632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["caddy","caddyserver","coreruleset","go","golang","owasp","security","waf","webapplicationfirewall"],"created_at":"2024-11-12T22:14:03.938Z","updated_at":"2025-05-15T11:07:46.817Z","avatar_url":"https://github.com/corazawaf.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# Coraza WAF Caddy Module\n\n[![Tests](https://github.com/corazawaf/coraza-caddy/actions/workflows/tests.yml/badge.svg)](https://github.com/corazawaf/coraza-caddy/actions/workflows/tests.yml)\n\u003ca href=\"https://pkg.go.dev/github.com/corazawaf/coraza-caddy\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/godoc-reference-blue.svg\"\u003e\u003c/a\u003e\n[![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)\n\n[OWASP Coraza](https://github.com/corazawaf/coraza) Caddy Module provides Web Application Firewall capabilities for Caddy.\n\nOWASP Coraza WAF is 100% compatible with OWASP Coreruleset and Modsecurity syntax.\n\n## Getting started\n\n`go run mage.go -l` lists all the available commands:\n\n```bash\n▶ go run mage.go -l\nTargets:\n  buildCaddy        builds the plugin.\n  buildCaddyLinux   builds the plugin with GOOS=linux.\n  buildExample       builds the example deployment.\n  check              runs lint and tests.\n  coverage           runs tests with coverage and race detector enabled.\n  doc                runs godoc, access at http://localhost:6060\n  e2e                runs e2e tests with a built plugin against the example deployment.\n  format             formats code in this repository.\n  ftw                runs CRS regressions tests.\n  lint               verifies code quality.\n  precommit          installs a git hook to run check when committing\n  reloadExample      reload the test environment.\n  runExample         spins up the test environment, access at http://localhost:8080.\n  teardownExample    tears down the test environment.\n  test               runs all tests.\n```\n\n## Plugin syntax\n\n```caddy\ncoraza_waf {\n directives `\n  Include /path/to/config.conf\n  SecAction \"id:1,pass,log\"\n `\n}\n```\n\nSample usage:  \n\n**Important:** `order coraza_waf first` must be always included in your Caddyfile for Coraza module to work\n\n```caddy\n{\n    order coraza_waf first\n}\n\nhttp://127.0.0.1:8080 {\n coraza_waf {\n  directives `\n   SecAction \"id:1,pass,log\"\n   SecRule REQUEST_URI \"/test5\" \"id:2, deny, log, phase:1\"\n   SecRule REQUEST_URI \"/test6\" \"id:4, deny, log, phase:3\"\n   Include file1.conf \n   Include file2.conf\n   Include /some/path/*.conf\n  `\n }\n reverse_proxy http://192.168.1.15:8080\n}\n```\n\n## Build Caddy with Coraza WAF\n\nRun:\n\n```shell\nxcaddy build --with github.com/corazawaf/coraza-caddy/v2\n```\n\n## Testing\n\nYou may run the test suite by executing:\n\n```shell\ngo run mage.go test\n```\n\n## Using OWASP Core Ruleset\n\nYou can load OWASP CRS by passing the field `load_owasp_crs` and then load the CRS files in the directives as described in the [coraza-coreruleset](https://github.com/corazawaf/coraza-coreruleset/v4) documentation.\n\n```caddy\n:8080 {\n coraza_waf {\n  load_owasp_crs\n  directives `\n   Include @coraza.conf-recommended\n   Include @crs-setup.conf.example\n   Include @owasp_crs/*.conf\n   SecRuleEngine On\n  `\n }\n\n reverse_proxy httpbin:8081\n}\n```\n\n## Running Example\n\n### Docker\n\n```bash\ngo run mage.go buildExample runExample\ncurl -i localhost:8080/\n```\n\n### Local\n\n```bash\n# in terminal 1\ngo run github.com/mccutchen/go-httpbin/v2/cmd/go-httpbin@v2.9.0 -port 8081\n\n# in terminal 2\ngo run mage.go buildCaddy\n./build/caddy run --config example/Caddyfile --adapter caddyfile\n\n# in terminal 3\ncurl -i localhost:8080/\n```\n\n## Respond with custom message or HTML page\n\nIn order to respond with a custom message or HTML page, you can take advantage of [handle_errors](https://caddyserver.com/docs/caddyfile/directives/handle_errors) directive:\n\n```caddy\nhandle_errors 403 {\n header X-Blocked \"true\"\n respond \"Your request was blocked. Request ID: {http.request.header.x-request-id}\"\n}\n```\nor\n```caddy\nhandle_errors {\n @block_codes `{err.status_code} in [403]`\n handle @block_codes {\n  root    * /path/to/html/dir\n  rewrite * /{err.status_code}.html\n  file_server\n }\n}\n```\n\nIt is possible to use the [templates](https://caddyserver.com/docs/caddyfile/directives/templates) directive to render data dynamically. Take a look at [`example/403.html`](./example/403.html) file.  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcorazawaf%2Fcoraza-caddy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcorazawaf%2Fcoraza-caddy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcorazawaf%2Fcoraza-caddy/lists"}