
Caddy + Coraza WAF 部署（Docker 镜像，非 root 运行，加载 OWASP CRS 4.x 规则集）

相关链接

Caddy配置

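# Working directory for the Caddyfile and Dockerfile; `docker build .` later runs here.
# `-p` makes this re-runnable, and `&&` stops us from cd-ing (and editing the
# Caddyfile) somewhere else if the directory could not be created — the original
# `;` carried on regardless.
mkdir -p /opt/corazawaf && cd /opt/corazawaf
vi Caddyfile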
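{
	# Run the WAF before every other handler (including root/file_server),
	# so blocked requests never reach the file system.
	order coraza_waf first
	# ACME account contact for automatic HTTPS
	email 346452337@qq.com
}

(headerz) {
	header {
		# Strip headers that reveal the server stack
		-server
		-Link
		-X-Powered-By
		# A wildcard CORS origin is only acceptable for a public static site that
		# sets no cookies/credentials; drop these two lines if cross-origin reads
		# of this site are not actually needed.
		Access-Control-Allow-Origin *
		Access-Control-Allow-Methods "GET, POST, OPTIONS"
	}
}

(coraza_waf) {
	coraza_waf {
		# Makes the CRS copy embedded in the plugin available under @owasp_crs/.
		# The rules below are Included from disk instead, so this is unused here;
		# keep a single source of truth for which CRS version is loaded.
		load_owasp_crs
		directives `
			# crs-setup.conf.example is the upstream template (blocking mode,
			# anomaly thresholds, paranoia level). For production copy it to
			# crs-setup.conf and tune it rather than loading the example as-is.
			Include /app/coreruleset/crs-setup.conf.example
			Include /app/coreruleset/rules/*.conf
			# Block (not just log) rule matches
			SecRuleEngine On
		`
	}
}

www.gaojinbo.com {
	# Canonical host is the apex domain; preserve the request path
	redir https://gaojinbo.com{uri} permanent
}

gaojinbo.com {
	import coraza_waf
	root * /opt/tools/gaojinbo.com/
	file_server
	handle_errors {
		# The WAF is ordered before `root`, so a request it rejects has not had
		# the site root set yet; without repeating it here file_server may look
		# for the error page relative to the process working directory.
		root * /opt/tools/gaojinbo.com/
		rewrite * /{err.status_code}.html
		file_server
	}
	import headerz
}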

制作Dockerfile

# Create the Dockerfile next to the Caddyfile (same /opt/corazawaf directory; `docker build .` runs there)
vi Dockerfile
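# ---- builder stage: compile Caddy with the Coraza WAF plugin and fetch the CRS ----
FROM caddy:2.9.1-builder-alpine AS caddy-builder
RUN apk add --no-cache git wget tar
WORKDIR /app
# Alternative (unpinned, tracks the CRS main branch):
#RUN git clone https://github.com/coreruleset/coreruleset.git && rm -rf coreruleset/.git
# Pinned CRS release. The tarball is checked against the .sha256 sidecar that the
# release publishes; that catches a corrupt or tampered download, but because the
# digest comes from the same origin it does not defend against a compromised
# release — verify the .asc signature with the CRS signing key for that, or pin
# the digest inline (`echo "<sha256>  <file>" | sha256sum -c -`).
ARG CRS_VERSION=4.12.0
RUN wget https://github.com/coreruleset/coreruleset/releases/download/v${CRS_VERSION}/coreruleset-${CRS_VERSION}-minimal.tar.gz \
    && wget https://github.com/coreruleset/coreruleset/releases/download/v${CRS_VERSION}/coreruleset-${CRS_VERSION}-minimal.tar.gz.sha256 \
    && sha256sum -c coreruleset-${CRS_VERSION}-minimal.tar.gz.sha256 \
    && tar xzf coreruleset-${CRS_VERSION}-minimal.tar.gz \
    && mv coreruleset-${CRS_VERSION} coreruleset \
    && rm -f coreruleset-${CRS_VERSION}-minimal.tar.gz*
# Both plugins are fetched at their latest tag; pin them (@vX.Y.Z) for a
# reproducible build. caddy-supervisor is not referenced by the Caddyfile on this
# page — drop it if nothing else needs it (less third-party code in the binary).
RUN xcaddy build \
    --with github.com/baldinof/caddy-supervisor \
    --with github.com/corazawaf/coraza-caddy/v2

## ---- runtime image ----
FROM alpine:3.21 AS base
# Regional apk mirror; packages are still signature-checked by apk.
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories
# tzdata provides /usr/share/zoneinfo, which the bare alpine image does not ship
# (the symlink below would otherwise dangle); ca-certificates supplies the CA
# bundle Caddy's ACME client needs for outbound TLS.
RUN apk add --no-cache tzdata ca-certificates
# Container timezone. The original echo had no redirection, so /etc/timezone was never written.
RUN rm -rf /etc/localtime \
    && ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && echo "Asia/Shanghai" > /etc/timezone
WORKDIR /app
COPY ./Caddyfile /app/Caddyfile
COPY --from=caddy-builder /app/caddy /usr/sbin/caddy
COPY --from=caddy-builder /app/coreruleset /app/coreruleset
# Unprivileged runtime user
RUN addgroup -S caddy && adduser -S -G caddy caddy
# Caddy keeps certificates and ACME account keys under XDG_DATA_HOME. Give that a
# fixed, volume-backed path; otherwise every recreate re-issues certificates
# (and counts against CA rate limits).
ENV XDG_CONFIG_HOME=/config \
    XDG_DATA_HOME=/data
RUN mkdir -p /config /data && chown -R caddy:caddy /app /config /data
VOLUME ["/data"]
USER caddy
# Binding 80/443 as a non-root user works under Docker's default
# net.ipv4.ip_unprivileged_port_start=0; on runtimes that keep the kernel
# default, grant cap_net_bind_service to /usr/sbin/caddy (setcap) instead.
# The Caddyfile serves the sites on 80/443 (not 8080), matching `docker run -p 80:80 -p 443:443`.
EXPOSE 80 443
CMD ["caddy", "run", "--config", "/app/Caddyfile", "--adapter", "caddyfile"]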

构建Caddy并运行

# Build the image from the directory holding the Dockerfile and Caddyfile.
docker build --tag hugwww/corazawaf:v1.2 .
# Run detached, publishing HTTP/HTTPS, and bind-mount the host Caddyfile over the
# copy baked into the image so config edits do not need a rebuild.
# NOTE(review): LOG_LEVEL is not an environment variable Caddy itself is shown to
# read on this page — confirm something in the image consumes it. Certificate and
# ACME state live in Caddy's data directory ($XDG_DATA_HOME if set in the image,
# else ~/.local/share/caddy of the runtime user); this command persists neither.
docker run --name waf --detach \
  --publish 80:80 --publish 443:443 \
  --env LOG_LEVEL=DEBUG \
  --volume /opt/corazawaf/Caddyfile:/app/Caddyfile \
  hugwww/corazawaf:v1.2

拦截日志示例（CRS 规则 930130 命中对 /backend/.env 的探测，记录在 http.handlers.waf 日志中）

{"level":"error","ts":1747138929.2146466,"logger":"http.handlers.waf","msg":"[client \"172.69.68.59\"]
Coraza: Warning. Restricted File Access Attempt [file \"/app/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf\"] [line \"4241\"] [id \"930130\"] [rev \"\"]
[msg \"Restricted File Access Attempt\"] [data \"Matched Data: .env found within REQUEST_FILENAME: /backend/.env\"] [severity \"critical\"] [ver \"OWASP_CRS/4.12.0\"]
[maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-lfi\"] [tag \"paranoia-level/1\"]
[tag \"OWASP_CRS\"] [tag \"capec/1000/255/153/126\"] [tag \"PCI/6.5.4\"] [hostname \"\"] [uri \"/backend/.env\"] [unique_id \"OhgsuYWkEKrUQJrv\"]"}
