{"id":22481758,"url":"https://github.com/riotkit-org/waf-proxy","last_synced_at":"2025-08-02T16:30:54.917Z","repository":{"id":38373941,"uuid":"491403410","full_name":"riotkit-org/waf-proxy","owner":"riotkit-org","description":"Web Application Firewall reverse-proxy using Coraza WAF + Caddy with ready-to-use rulesets","archived":false,"fork":false,"pushed_at":"2023-03-16T19:57:05.000Z","size":260,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2023-03-16T21:10:17.914Z","etag":null,"topics":["caddy","cloud-native-security","coraza-waf","dependabot","distroless","golang","k8s","k8s-security","kubernetes","openshift","reverse-proxy","riotkit","rootless-containers","security","waf","web-application-firewall","wordpress","wordpress-security"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/riotkit-org.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-05-12T07:11:00.000Z","updated_at":"2022-10-31T02:44:17.000Z","dependencies_parsed_at":"2023-02-17T00:31:05.219Z","dependency_job_id":null,"html_url":"https://github.com/riotkit-org/waf-proxy","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/riotkit-org%2Fwaf-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/riotkit-org%2Fwaf-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/riotkit-org%2Fwaf-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/riotkit-org%2Fwaf-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/riotkit-org","download_url":"https://codeload.github.com/riotkit-org/waf-proxy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228491918,"owners_count":17928719,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["caddy","cloud-native-security","coraza-waf","dependabot","distroless","golang","k8s","k8s-security","kubernetes","openshift","reverse-proxy","riotkit","rootless-containers","security","waf","web-application-firewall","wordpress","wordpress-security"],"created_at":"2024-12-06T16:15:17.889Z","updated_at":"2024-12-06T16:15:18.685Z","avatar_url":"https://github.com/riotkit-org.png","language":"Jinja","readme":"WAF Proxy\n=========\n\n[![Test and release](https://github.com/riotkit-org/waf-proxy/actions/workflows/release.yaml/badge.svg)](https://github.com/riotkit-org/waf-proxy/actions/workflows/release.yaml)\n\nNotice: This container is still a WORK IN PROGRESS\n--------------------------------------------------\n\nSimple WAF reverse-proxy using Caddy and CORAZA WAF; contains a few predefined but customizable rulesets.\n\n**Features:**\n- Configurable mapping of backends to domains\n- Contains embedded rulesets, e.g. OWASP Core Ruleset and Wordpress-specific rules\n- Kubernetes and cloud native\n- Integrates well with Wordpress, but is not limited to it\n- Non-root container (running as `uid=65161`)\n- Real [distroless image based on scratch](https://hub.docker.com/_/scratch) **with only 2 binaries and a few config files inside**\n- Image is scanned for vulnerabilities on each release using Trivy Scanner\n- Developed purely in Golang, [even the entrypoint script was written in Golang instead of Bash](container-files/opt/build/entrypoint/entrypoint.go)\n- Autonomous image, actively maintained by [Dependabot](https://github.com/dependabot) ;-)\n- Request rate limiting to protect against DoS\n- (todo) Helm Chart for Kubernetes\n- (todo) Strict Pod Security Policy that should run on OpenShift\n\nCheck our [WordPress deployment](https://github.com/riotkit-org/wordpress-hardened) which uses this waf-proxy on Kubernetes.\n\n\nConfiguration reference\n-----------------------\n\n### Picking a version\n\nWe recommend picking a versioned release; the snapshot version is only for testing by contributors.\n\nThe list of versions is always available at: https://github.com/riotkit-org/waf-proxy/pkgs/container/waf-proxy\n\n```bash\ndocker pull ghcr.io/riotkit-org/waf-proxy:{select-your-version}\n```\n\n### Exposed ports\n\n- 8081: Health check at `/` endpoint\n- 8090: Proxied upstreams through WAF, HTTP port\n- 2019: Metrics\n\n### Directory structure\n\n- `/etc/caddy/rules/coraza-recommended`\n- `/etc/caddy/rules/riotit-org-basic`\n- `/etc/caddy/rules/wordpress`\n- `/etc/caddy/rules/owasp-crs`\n- `/etc/caddy/rules/custom.conf` (extra configuration inside the `coraza_waf` block)\n- `/etc/caddy/custom-upstream.conf` (extra configuration outside the `coraza_waf` block, but inside the host block, before `reverse_proxy`; requires `ENABLE_CUSTOM_UPSTREAM_CONF=true`)\n\nTo add specific rules, mount a Docker volume or Kubernetes ConfigMap at `/etc/caddy/rules/custom/rules.conf`\n\n### Environment variables\n\n```yaml\n#\n# Upstreams\n#\nUPSTREAM_1: '{\"pass_to\": \"http://my-service.default.svc.cluster.local\", \"hostname\": \"wordpress.org\"}'\nUPSTREAM_2: '...'\nUPSTREAM_...: '...'\n\n# to disable generation of the Caddyfile, set this variable to 'true' and mount a Caddyfile under \"/etc/caddy/Caddyfile\"\n# with 'false' you can still use a custom template mounted under \"/etc/caddy/Caddyfile.j2\"\nOWN_CADDYFILE: false\nDEBUG: false  # enable extra verbosity, configuration printing to stdout\nENABLE_CUSTOM_UPSTREAM_CONF: false\n\n# rate limiting - how many events are allowed in a given time window?\n# docs: https://github.com/mholt/caddy-ratelimit\nENABLE_RATE_LIMITER: false\nRATE_LIMIT_EVENTS: 30\nRATE_LIMIT_WINDOW: 5s\n\n# allows disabling CORAZA WAF altogether, together with all rules\n# helpful when you want to use only other Caddy plugins\nENABLE_CORAZA_WAF: true\n\n#\n# Wordpress specific rules\n#\n# Sources:\n#   - https://raw.githubusercontent.com/Rev3rseSecurity/wordpress-modsecurity-ruleset/master/02-INITIALIZATION.conf\n#   - https://raw.githubusercontent.com/Rev3rseSecurity/wordpress-modsecurity-ruleset/master/03-BRUTEFORCE.conf\n#   - https://raw.githubusercontent.com/Rev3rseSecurity/wordpress-modsecurity-ruleset/master/04-EVENTS.conf\n#   - https://raw.githubusercontent.com/SEC642/modsec/master/rules/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf\n#\n\nENABLE_RULE_WORDPRESS: false\nWP_CLIENT_IP: \"remote-addr\"  # x-forwarded-for, remote-addr or cf-connecting-ip\nWP_ENABLE_BRUTEFORCE_MITIGATION: true\nWP_BRUTEFORCE_TIMESPAN: 600\nWP_BRUTEFORCE_THRESHOLD: 5\nWP_BRUTEFORCE_BAN_PERIOD: 300\nWP_ENABLE_XMLRPC: false\nWP_ENABLE_USER_ENUMERATION: false\nWP_ENABLE_DOS_PROTECTION: true\nWP_HARDENED: true # enables an extra ruleset: https://raw.githubusercontent.com/Rev3rseSecurity/wordpress-modsecurity-ruleset/master/05-HARDENING.conf\n\n#\n# CORAZA-recommended preset\n#\nENABLE_RULE_CORAZA_RECOMMENDED: false\n\n#\n# RiotKit Basic preset\n#\nENABLE_RULE_RIOTKIT_ORG_BASIC: false\n\n\n#\n# OWASP Core Ruleset (CRS)\n#\nENABLE_CRS: false\n```\n\n\nRulesets\n--------\n\n### ENABLE_RULE_WORDPRESS\n\n**Enables Wordpress-specific rules to protect against:**\n- Brute force\n- Access to files that should not be published\n- Known vulnerabilities\n\n**Sources:**\n- https://github.com/Rev3rseSecurity/wordpress-modsecurity-ruleset\n- https://github.com/SEC642/modsec\n\n\n### ENABLE_RULE_CORAZA_RECOMMENDED\n\nBasic rules provided by CORAZA WAF **in dry-run only mode**.\n\nhttps://github.com/corazawaf/coraza/blob/v2/master/coraza.conf-recommended\n\n### ENABLE_RULE_RIOTKIT_ORG_BASIC\n\nThe same rules as provided by CORAZA WAF, but not in dry-run mode and with the upload file size limit increased to 1GB.\n\n### ENABLE_CRS\n\nOWASP Core Ruleset - https://github.com/coreruleset/coreruleset/\n\n```\nThe OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use\nwith ModSecurity or compatible web application firewalls. The CRS aims to protect web\napplications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.\n```\n\nVersioning\n----------\n\nThe Docker image tag contains chained version information.\n\n**Example:**\n\n`waf-proxy:2.5.1-coraza-v1.2.0-bv1.0.0`\n\n**Explanation of this example:**\n- 2.5.1: Caddy server version\n- v1.2.0: CORAZA Caddy plugin version\n- v1.0.0: This repository's tag\n\nAutonomous image\n----------------\n\nThis image is rebuilt automatically when a new version of Caddy, Coraza WAF or Golang is released.\n\n**Dependabot bumps:**\n- Caddy version in Dockerfile\n- XCaddy version in Dockerfile\n- Coraza WAF in `container-files/opt/build/caddy/go.sum` (a dummy entry was created for Dependabot)\n- Golang builder in Dockerfile\n\nEach Dependabot PR is automatically merged when tests pass.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Friotkit-org%2Fwaf-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Friotkit-org%2Fwaf-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Friotkit-org%2Fwaf-proxy/lists"}