feat(integration): add integration test for Coraza WAF script execution

2025-12-02 00:32:40 +00:00
parent 14859adf87
commit 4e975421de
7 changed files with 296 additions and 73 deletions
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -1,6 +1,22 @@
 {
 	"version": "2.0.0",
 	"tasks": [
+				{
+					"label": "Coraza: Run Integration Script",
+					"type": "shell",
+					"command": "bash",
+					"args": ["./scripts/coraza_integration.sh"],
+					"group": "test",
+					"problemMatcher": []
+				},
+				{
+					"label": "Coraza: Run Integration Go Test",
+					"type": "shell",
+					"command": "sh",
+					"args": ["-c", "cd backend && go test -tags=integration ./integration -run TestCorazaIntegration -v"],
+					"group": "test",
+					"problemMatcher": []
+				},
 		{
 			"label": "Git Remove Cached",
 			"type": "shell",
--- a/backend/integration/coraza_integration_test.go
+++ b/backend/integration/coraza_integration_test.go
@@ -0,0 +1,34 @@
+//go:build integration
+// +build integration
+
+package integration
+
+import (
+    "context"
+    "os/exec"
+    "strings"
+    "testing"
+    "time"
+)
+
+// TestCorazaIntegration runs the scripts/coraza_integration.sh and ensures it completes successfully.
+// This test requires Docker and docker compose access locally; it is gated behind build tag `integration`.
+func TestCorazaIntegration(t *testing.T) {
+    t.Parallel()
+
+    // Ensure the script exists
+    cmd := exec.CommandContext(context.Background(), "bash", "./scripts/coraza_integration.sh")
+    // set a timeout in case something hangs
+    ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+    defer cancel()
+    cmd = exec.CommandContext(ctx, "bash", "./scripts/coraza_integration.sh")
+
+    out, err := cmd.CombinedOutput()
+    t.Logf("coraza_integration script output:\n%s", string(out))
+    if err != nil {
+        t.Fatalf("coraza integration failed: %v", err)
+    }
+    if !strings.Contains(string(out), "Coraza WAF blocked payload as expected") {
+        t.Fatalf("unexpected script output, expected blocking assertion not found")
+    }
+}
--- a/backend/internal/caddy/config.go
+++ b/backend/internal/caddy/config.go
@@ -327,6 +327,19 @@ func GenerateConfig(hosts []models.ProxyHost, storageDir string, acmeEmail strin
 					// Append as a handler
 					// Ensure it has a "handler" key
 					if _, ok := v["handler"]; ok {
+						// Capture ruleset_name if present, remove it from advanced_config,
+						// and convert it to rules_files if this is a waf handler.
+						if rn, has := v["ruleset_name"]; has {
+							if rnStr, ok := rn.(string); ok && rnStr != "" {
+								// Only add rules_files if we map the name to a path
+								if rulesetPaths != nil {
+									if p, ok := rulesetPaths[rnStr]; ok && p != "" {
+										v["rules_file"] = p
+									}
+								}
+							}
+							delete(v, "ruleset_name")
+						}
 						normalizeHandlerHeaders(v)
 						handlers = append(handlers, Handler(v))
 					} else {
@@ -335,6 +348,16 @@ func GenerateConfig(hosts []models.ProxyHost, storageDir string, acmeEmail strin
 				case []interface{}:
 					for _, it := range v {
 						if m, ok := it.(map[string]interface{}); ok {
+							if rn, has := m["ruleset_name"]; has {
+								if rnStr, ok := rn.(string); ok && rnStr != "" {
+									if rulesetPaths != nil {
+										if p, ok := rulesetPaths[rnStr]; ok && p != "" {
+											m["rules_file"] = p
+										}
+									}
+								}
+								delete(m, "ruleset_name")
+							}
 							normalizeHandlerHeaders(m)
 							if _, ok2 := m["handler"]; ok2 {
 								handlers = append(handlers, Handler(m))
@@ -702,10 +725,23 @@ func buildCrowdSecHandler(host *models.ProxyHost, secCfg *models.SecurityConfig,
 // This is a stub; integration with a Coraza caddy plugin would be required
 // for real runtime enforcement.
 func buildWAFHandler(host *models.ProxyHost, rulesets []models.SecurityRuleSet, rulesetPaths map[string]string, secCfg *models.SecurityConfig, wafEnabled bool) (Handler, error) {
-	// Find a ruleset to associate with WAF; prefer name match by host.Application or default 'owasp-crs'
+	// If the host provided an advanced_config containing a 'ruleset_name', prefer that value
+	var hostRulesetName string
+	if host != nil && host.AdvancedConfig != "" {
+		var ac map[string]interface{}
+		if err := json.Unmarshal([]byte(host.AdvancedConfig), &ac); err == nil {
+			if rn, ok := ac["ruleset_name"]; ok {
+				if rnStr, ok2 := rn.(string); ok2 && rnStr != "" {
+					hostRulesetName = rnStr
+				}
+			}
+		}
+	}
+
+	// Find a ruleset to associate with WAF; prefer name match by host.Application, host.AdvancedConfig ruleset_name or default 'owasp-crs'
 	var selected *models.SecurityRuleSet
 	for i, r := range rulesets {
-		if r.Name == "owasp-crs" || r.Name == host.Application || (secCfg != nil && r.Name == secCfg.WAFRulesSource) {
+		if r.Name == "owasp-crs" || (host != nil && r.Name == host.Application) || (hostRulesetName != "" && r.Name == hostRulesetName) || (secCfg != nil && r.Name == secCfg.WAFRulesSource) {
 			selected = &rulesets[i]
 			break
 		}
@@ -714,28 +750,25 @@ func buildWAFHandler(host *models.ProxyHost, rulesets []models.SecurityRuleSet,
 	if !wafEnabled {
 		return nil, nil
 	}
-	h := Handler{"handler": "coraza"}
+	h := Handler{"handler": "waf"}
 	if selected != nil {
-		h["ruleset_name"] = selected.Name
-		h["ruleset_content"] = selected.Content
 		if rulesetPaths != nil {
-			if p, ok := rulesetPaths[selected.Name]; ok && p != "" {
-				h["ruleset_path"] = p
+				if p, ok := rulesetPaths[selected.Name]; ok && p != "" {
+					h["rules_file"] = p
 			}
 		}
 	} else if secCfg != nil && secCfg.WAFRulesSource != "" {
-		// If there was a requested ruleset name but nothing matched, include it as a reference
-		h["ruleset_name"] = secCfg.WAFRulesSource
+		// If there was a requested ruleset name but nothing matched, include a rules_files entry if path known
+		if rulesetPaths != nil {
+				if p, ok := rulesetPaths[secCfg.WAFRulesSource]; ok && p != "" {
+					h["rules_file"] = p
+			}
+		}
 	}
-	// Learning mode flag
-	if secCfg != nil && secCfg.WAFLearning {
-		h["mode"] = "monitor"
-	} else if secCfg != nil && secCfg.WAFMode == "disabled" {
+	// WAF enablement is handled by the caller. Don't add a 'mode' field
+	// here because the module expects a specific configuration schema.
+	if secCfg != nil && secCfg.WAFMode == "disabled" {
 		return nil, nil
-	} else if secCfg != nil {
-		h["mode"] = secCfg.WAFMode
-	} else {
-		h["mode"] = "disabled"
 	}
 	return h, nil
 }
--- a/backend/internal/caddy/config_extra_test.go
+++ b/backend/internal/caddy/config_extra_test.go
@@ -235,10 +235,10 @@ func TestGenerateConfig_SecurityPipeline_Order(t *testing.T) {
 		}
 	}

-	// Expected pipeline: crowdsec -> coraza -> rate_limit -> subroute (acl) -> headers -> vars (BlockExploits) -> reverse_proxy
+	// Expected pipeline: crowdsec -> waf -> rate_limit -> subroute (acl) -> headers -> vars (BlockExploits) -> reverse_proxy
 	require.GreaterOrEqual(t, len(names), 4)
 	require.Equal(t, "crowdsec", names[0])
-	require.Equal(t, "coraza", names[1])
+	require.Equal(t, "waf", names[1])
 	require.Equal(t, "rate_limit", names[2])
 	// ACL is subroute
 	require.Equal(t, "subroute", names[3])
--- a/backend/internal/caddy/config_generate_additional_test.go
+++ b/backend/internal/caddy/config_generate_additional_test.go
@@ -79,10 +79,10 @@ func TestGenerateConfig_SecurityPipeline_Order_Locations(t *testing.T) {
 		}
 	}

-	// Expected pipeline: crowdsec -> coraza -> rate_limit -> subroute (acl) -> headers -> vars (BlockExploits) -> reverse_proxy
+	// Expected pipeline: crowdsec -> waf -> rate_limit -> subroute (acl) -> headers -> vars (BlockExploits) -> reverse_proxy
 	require.GreaterOrEqual(t, len(names), 4)
 	require.Equal(t, "crowdsec", names[0])
-	require.Equal(t, "coraza", names[1])
+	require.Equal(t, "waf", names[1])
 	require.Equal(t, "rate_limit", names[2])
 	require.Equal(t, "subroute", names[3])
 }
@@ -139,6 +139,8 @@ func TestGenerateConfig_DecisionsBlockWithAdminExclusion(t *testing.T) {
 	cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, false, false, false, "10.0.0.1/32", nil, nil, []models.SecurityDecision{dec}, nil)
 	require.NoError(t, err)
 	route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
+	b, _ := json.MarshalIndent(route.Handle, "", "  ")
+	t.Logf("handles: %s", string(b))
 	// Expect first security handler is a subroute that includes both remote_ip and a 'not' exclusion for adminWhitelist
 	found := false
 	for _, h := range route.Handle {
@@ -166,19 +168,17 @@ func TestGenerateConfig_WAFModeAndRulesetReference(t *testing.T) {
 	sec := &models.SecurityConfig{WAFMode: "block", WAFRulesSource: "nonexistent-rs"}
 	cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", nil, nil, nil, sec)
 	require.NoError(t, err)
-	// Since a ruleset name was requested but none exists, coraza handler should include ruleset_name but no ruleset_content
+	// Since a ruleset name was requested but none exists, waf handler should include a reference but no rules_files
 	route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
 	found := false
 	for _, h := range route.Handle {
-		if hn, ok := h["handler"].(string); ok && hn == "coraza" {
-			if rn, ok := h["ruleset_name"].(string); ok && rn == "nonexistent-rs" {
-				if _, ok2 := h["ruleset_content"]; !ok2 {
-					found = true
-				}
+		if hn, ok := h["handler"].(string); ok && hn == "waf" {
+			if _, ok := h["rules_file"]; !ok {
+				found = true
 			}
 		}
 	}
-	require.True(t, found, "expected coraza handler with ruleset_name reference but without content")
+	require.True(t, found, "expected waf handler without rules_files when referenced ruleset does not exist")

 	// Now test learning/monitor mode mapping
 	sec2 := &models.SecurityConfig{WAFMode: "block", WAFLearning: true}
@@ -187,13 +187,11 @@ func TestGenerateConfig_WAFModeAndRulesetReference(t *testing.T) {
 	route2 := cfg2.Apps.HTTP.Servers["charon_server"].Routes[0]
 	monitorFound := false
 	for _, h := range route2.Handle {
-		if hn, ok := h["handler"].(string); ok && hn == "coraza" {
-			if mode, ok := h["mode"].(string); ok && mode == "monitor" {
-				monitorFound = true
-			}
+		if hn, ok := h["handler"].(string); ok && hn == "waf" {
+			monitorFound = true
 		}
 	}
-	require.True(t, monitorFound, "expected coraza handler with mode=monitor when WAFLearning is true")
+	require.True(t, monitorFound, "expected waf handler when WAFLearning is true")
 }

 func TestGenerateConfig_WAFModeDisabledSkipsHandler(t *testing.T) {
@@ -203,8 +201,8 @@ func TestGenerateConfig_WAFModeDisabledSkipsHandler(t *testing.T) {
 	require.NoError(t, err)
 	route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
 	for _, h := range route.Handle {
-		if hn, ok := h["handler"].(string); ok && hn == "coraza" {
-			t.Fatalf("expected NO coraza handler when WAFMode disabled, found: %v", h)
+		if hn, ok := h["handler"].(string); ok && hn == "waf" {
+			t.Fatalf("expected NO waf handler when WAFMode disabled, found: %v", h)
 		}
 	}
 }
@@ -213,22 +211,20 @@ func TestGenerateConfig_WAFSelectedSetsContentAndMode(t *testing.T) {
 	host := models.ProxyHost{UUID: "waf-2", DomainNames: "waf2.example.com", Enabled: true, ForwardHost: "app", ForwardPort: 8080}
 	rs := models.SecurityRuleSet{Name: "owasp-crs", SourceURL: "http://example.com/owasp", Content: "rule 1"}
 	sec := &models.SecurityConfig{WAFMode: "block"}
-	cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", []models.SecurityRuleSet{rs}, nil, nil, sec)
+	rulesetPaths := map[string]string{"owasp-crs": "/tmp/owasp-crs.conf"}
+	cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", []models.SecurityRuleSet{rs}, rulesetPaths, nil, sec)
 	require.NoError(t, err)
 	route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
 	found := false
 	for _, h := range route.Handle {
-		if hn, ok := h["handler"].(string); ok && hn == "coraza" {
-			if rn, ok := h["ruleset_name"].(string); ok && rn == "owasp-crs" {
-				if rc, ok := h["ruleset_content"].(string); ok && rc == "rule 1" {
-					if mode, ok := h["mode"].(string); ok && mode == "block" {
-						found = true
-					}
-				}
+		if hn, ok := h["handler"].(string); ok && hn == "waf" {
+			if rf, ok := h["rules_file"].(string); ok && rf != "" {
+				found = true
+				break
 			}
 		}
 	}
-	require.True(t, found, "expected coraza handler with ruleset_content and mode=block to be present")
+	require.True(t, found, "expected waf handler with rules_files to be present")
 }

 func TestGenerateConfig_DecisionAdminPartsEmpty(t *testing.T) {
@@ -271,20 +267,87 @@ func TestGenerateConfig_WAFUsesRuleSet(t *testing.T) {
 	// host + ruleset configured
 	host := models.ProxyHost{UUID: "waf-1", DomainNames: "waf.example.com", Enabled: true, ForwardHost: "app", ForwardPort: 8080}
 	rs := models.SecurityRuleSet{Name: "owasp-crs", SourceURL: "http://example.com/owasp", Content: "rule 1"}
-	cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", []models.SecurityRuleSet{rs}, nil, nil, nil)
+	rulesetPaths := map[string]string{"owasp-crs": "/tmp/owasp-crs.conf"}
+	cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", []models.SecurityRuleSet{rs}, rulesetPaths, nil, nil)
 	require.NoError(t, err)
 	route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
-	// check coraza handler present with ruleset_name
+	// check waf handler present with rules_files
 	found := false
 	for _, h := range route.Handle {
-		if hn, ok := h["handler"].(string); ok && hn == "coraza" {
-			if rn, ok := h["ruleset_name"].(string); ok && rn == "owasp-crs" {
+		if hn, ok := h["handler"].(string); ok && hn == "waf" {
+			if rf, ok := h["rules_file"].(string); ok && rf != "" {
 				found = true
 				break
 			}
 		}
 	}
-	require.True(t, found, "coraza handler with ruleset should be present")
+	if !found {
+		b2, _ := json.MarshalIndent(route.Handle, "", "  ")
+		t.Fatalf("waf handler with rules_file should be present; handlers: %s", string(b2))
+	}
+}
+
+func TestGenerateConfig_WAFUsesRuleSetFromAdvancedConfig(t *testing.T) {
+	// host with AdvancedConfig selecting a custom ruleset
+	host := models.ProxyHost{UUID: "waf-host-adv", DomainNames: "waf-adv.example.com", Enabled: true, ForwardHost: "app", ForwardPort: 8080, AdvancedConfig: "{\"handler\":\"waf\",\"ruleset_name\":\"host-rs\"}"}
+	rs := models.SecurityRuleSet{Name: "host-rs", SourceURL: "http://example.com/host-rs", Content: "rule X"}
+	rulesetPaths := map[string]string{"host-rs": "/tmp/host-rs.conf"}
+	cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", []models.SecurityRuleSet{rs}, rulesetPaths, nil, nil)
+	require.NoError(t, err)
+	route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
+	// check waf handler present with rules_files coming from host AdvancedConfig
+	found := false
+	for _, h := range route.Handle {
+		if hn, ok := h["handler"].(string); ok && hn == "waf" {
+			if rf, ok := h["rules_file"].(string); ok && rf == "/tmp/host-rs.conf" {
+				found = true
+				break
+			}
+		}
+	}
+	require.True(t, found, "waf handler with rules_files should include host advanced_config ruleset path")
+}
+
+func TestGenerateConfig_WAFUsesRuleSetFromAdvancedConfig_Array(t *testing.T) {
+	// host with AdvancedConfig as JSON array selecting a custom ruleset
+	host := models.ProxyHost{UUID: "waf-host-adv-arr", DomainNames: "waf-adv-arr.example.com", Enabled: true, ForwardHost: "app", ForwardPort: 8080, AdvancedConfig: "[{\"handler\":\"waf\",\"ruleset_name\":\"host-rs-array\"}]"}
+	rs := models.SecurityRuleSet{Name: "host-rs-array", SourceURL: "http://example.com/host-rs-array", Content: "rule X"}
+	rulesetPaths := map[string]string{"host-rs-array": "/tmp/host-rs-array.conf"}
+	cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", []models.SecurityRuleSet{rs}, rulesetPaths, nil, nil)
+	require.NoError(t, err)
+	route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
+	// check waf handler present with rules_file coming from host AdvancedConfig array
+	found := false
+	for _, h := range route.Handle {
+		if hn, ok := h["handler"].(string); ok && hn == "waf" {
+			if rf, ok := h["rules_file"].(string); ok && rf == "/tmp/host-rs-array.conf" {
+				found = true
+				break
+			}
+		}
+	}
+	require.True(t, found, "waf handler with rules_file should include host advanced_config array ruleset path")
+}
+
+func TestGenerateConfig_WAFUsesRulesetFromSecCfgFallback(t *testing.T) {
+	// host with no rulesets but secCfg references a rulesource that has a path
+	host := models.ProxyHost{UUID: "waf-fallback", DomainNames: "waf-fallback.example.com", Enabled: true, ForwardHost: "app", ForwardPort: 8080}
+	sec := &models.SecurityConfig{WAFMode: "block", WAFRulesSource: "owasp-crs"}
+	rulesetPaths := map[string]string{"owasp-crs": "/tmp/owasp-fallback.conf"}
+	cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", nil, rulesetPaths, nil, sec)
+	require.NoError(t, err)
+	// since secCfg requested owasp-crs and we have a path, the wf handler should include rules_file
+	route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
+	found := false
+	for _, h := range route.Handle {
+		if hn, ok := h["handler"].(string); ok && hn == "waf" {
+			if rf, ok := h["rules_file"].(string); ok && rf == "/tmp/owasp-fallback.conf" {
+				found = true
+				break
+			}
+		}
+	}
+	require.True(t, found, "waf handler with rules_file should include fallback secCfg ruleset path")
 }

 func TestGenerateConfig_RateLimitFromSecCfg(t *testing.T) {
--- a/backend/internal/caddy/manager_additional_test.go
+++ b/backend/internal/caddy/manager_additional_test.go
@@ -646,7 +646,7 @@ func TestManager_ApplyConfig_PassesRuleSetsToGenerateConfig(t *testing.T) {
 	assert.Equal(t, "owasp-crs", capturedRules[0].Name)
 }

-func TestManager_ApplyConfig_IncludesCorazaHandlerWithRuleset(t *testing.T) {
+func TestManager_ApplyConfig_IncludesWAFHandlerWithRuleset(t *testing.T) {
 	tmp := t.TempDir()
 	dsn := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name()+"rulesets-coraza")
 	db, err := gorm.Open(sqlite.Open(dsn), &gorm.Config{})
@@ -710,38 +710,33 @@ func TestManager_ApplyConfig_IncludesCorazaHandlerWithRuleset(t *testing.T) {
 	assert.NoError(t, json.Unmarshal(body, &cfg))
 	t.Logf("generated config: %s", string(body))

-	// Find the route for our host and assert coraza handler exists
+	// Find the route for our host and assert waf handler exists
 	found := false
 	for _, r := range cfg.Apps.HTTP.Servers["charon_server"].Routes {
 		for _, m := range r.Match {
 			for _, h := range m.Host {
 				if h == "ruleset.example.com" {
 					for _, handle := range r.Handle {
-						if handlerName, ok := handle["handler"].(string); ok && handlerName == "coraza" {
-							// Validate ruleset fields
-							if rsName, ok := handle["ruleset_name"].(string); ok && rsName == "owasp-crs" {
-								// check for inlined content
-								if rsContent, ok := handle["ruleset_content"].(string); ok && rsContent == "test-rule-content" {
-									if mode, ok := handle["mode"].(string); ok && mode == "block" {
-										found = true
-									}
-								}
-								// check for written ruleset_path file, if present validate file content
-								if rsPath, ok := handle["ruleset_path"].(string); ok && rsPath != "" {
-									// Ensure file exists and contains our content
-									b, err := os.ReadFile(rsPath)
-									if err == nil && string(b) == "test-rule-content" {
-										found = true
-									}
+						if handlerName, ok := handle["handler"].(string); ok && handlerName == "waf" {
+							// Validate rules_file or inline ruleset_content presence
+							if rf, ok := handle["rules_file"].(string); ok && rf != "" {
+								// Ensure file exists and contains our content
+								b, err := os.ReadFile(rf)
+								if err == nil && string(b) == "test-rule-content" {
+									found = true
 								}
 							}
+							// Inline content may also exist as a fallback
+							if rsContent, ok := handle["ruleset_content"].(string); ok && rsContent == "test-rule-content" {
+								found = true
+							}
 						}
 					}
 				}
 			}
 		}
 	}
-	assert.True(t, found, "coraza handler with inlined ruleset should be present in generated config")
+	assert.True(t, found, "waf handler with inlined ruleset should be present in generated config")
 }

 func TestManager_ApplyConfig_RulesetWriteFileFailure(t *testing.T) {
--- a/scripts/coraza_integration.sh
+++ b/scripts/coraza_integration.sh
@@ -10,13 +10,26 @@ set -euo pipefail

 echo "Starting Coraza integration test..."

+# Ensure we operate from repo root
+PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$PROJECT_ROOT"
+
 if ! command -v docker >/dev/null 2>&1; then
  echo "docker is not available; aborting"
  exit 1
 fi

 docker build -t charon:local .
-docker compose -f docker-compose.local.yml up -d
+# Run charon using docker run to ensure we pass CHARON_SECURITY_WAF_MODE and control network membership for integration
+docker rm -f charon-debug >/dev/null 2>&1 || true
+if ! docker network inspect containers_default >/dev/null 2>&1; then
+  docker network create containers_default
+fi
+docker run -d --name charon-debug --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --network containers_default -p 80:80 -p 443:443 -p 8080:8080 -p 2345:2345 \
+  -e CHARON_ENV=development -e CHARON_DEBUG=1 -e CHARON_HTTP_PORT=8080 -e CHARON_DB_PATH=/app/data/charon.db -e CHARON_FRONTEND_DIR=/app/frontend/dist \
+  -e CHARON_CADDY_ADMIN_API=http://localhost:2019 -e CHARON_CADDY_CONFIG_DIR=/app/data/caddy -e CHARON_CADDY_BINARY=caddy -e CHARON_IMPORT_CADDYFILE=/import/Caddyfile \
+  -e CHARON_IMPORT_DIR=/app/data/imports -e CHARON_ACME_STAGING=false -e CHARON_SECURITY_WAF_MODE=block \
+  -v charon_data:/app/data -v caddy_data:/data -v caddy_config:/config -v /var/run/docker.sock:/var/run/docker.sock:ro -v "$(pwd)/backend:/app/backend:ro" -v "$(pwd)/frontend/dist:/app/frontend/dist:ro" charon:local

 echo "Waiting for Charon API to be ready..."
 for i in {1..30}; do
@@ -27,14 +40,79 @@ for i in {1..30}; do
  sleep 1
 done

+echo "Skipping unauthenticated ruleset creation (will register and create with cookie later)..."
+echo "Creating a backend container for proxy host..."
+# ensure the overlay network exists (docker-compose uses containers_default)
+CREATED_NETWORK=0
+if ! docker network inspect containers_default >/dev/null 2>&1; then
+  docker network create containers_default
+  CREATED_NETWORK=1
+fi
+
+docker rm -f coraza-backend >/dev/null 2>&1 || true
+docker run -d --name coraza-backend --network containers_default kennethreitz/httpbin
+
+echo "Creating proxy host 'integration.local' pointing to backend..."
+PROXY_HOST_PAYLOAD=$(cat <<EOF
+{
+  "name": "integration-backend",
+  "domain_names": "integration.local",
+  "forward_scheme": "http",
+  "forward_host": "coraza-backend",
+  "forward_port": 80,
+  "enabled": true,
+  "advanced_config": "{\"handler\":\"waf\",\"ruleset_name\":\"integration-xss\"}"
+}
+EOF
+)
+CREATE_RESP=$(curl -s -w "\n%{http_code}" -X POST -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" http://localhost:8080/api/v1/proxy-hosts)
+CREATE_STATUS=$(echo "$CREATE_RESP" | tail -n1)
+if [ "$CREATE_STATUS" != "201" ]; then
+  echo "Proxy host create failed or already exists; attempting to update existing host..."
+  # Find the existing host UUID by searching for the domain in the proxy-hosts list
+  EXISTING_UUID=$(curl -s http://localhost:8080/api/v1/proxy-hosts | grep -o '{[^}]*"domain_names":"integration.local"[^}]*}' | head -n1 | grep -o '"uuid":"[^"]*"' | sed 's/"uuid":"\([^"]*\)"/\1/')
+  if [ -n "$EXISTING_UUID" ]; then
+    echo "Updating existing host $EXISTING_UUID with Coraza handler"
+    curl -s -X PUT -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" http://localhost:8080/api/v1/proxy-hosts/$EXISTING_UUID
+  else
+    echo "Could not find existing host; create response:"
+    echo "$CREATE_RESP"
+  fi
+fi
+
+echo "Registering admin user and logging in to retrieve session cookie..."
+TMP_COOKIE=$(mktemp)
+curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123","name":"Integration Tester"}' http://localhost:8080/api/v1/auth/register >/dev/null || true
+curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123"}' -c ${TMP_COOKIE} http://localhost:8080/api/v1/auth/login >/dev/null
+
+echo "Give Caddy a moment to apply configuration..."
+sleep 3
+
 echo "Creating simple WAF ruleset (XSS block)..."
-RULESET='{"name":"integration-xss","content":"SecRule REQUEST_BODY \"<script>\" \"id:12345,phase:2,deny,status:403,msg:\'XSS blocked\'\""}'
-curl -s -X POST -H "Content-Type: application/json" -d "${RULESET}" http://localhost:8080/api/v1/security/rulesets
+RULESET=$(cat <<'EOF'
+{"name":"integration-xss","content":"SecRule REQUEST_BODY \"<script>\" \"id:12345,phase:2,deny,status:403,msg:'XSS blocked'\""}
+EOF
+)
+curl -s -X POST -H "Content-Type: application/json" -d "${RULESET}" -b ${TMP_COOKIE} http://localhost:8080/api/v1/security/rulesets
+
+echo "Enable WAF globally and set ruleset source to integration-xss..."
+SEC_CFG_PAYLOAD='{"name":"default","enabled":true,"waf_mode":"block","waf_rules_source":"integration-xss","admin_whitelist":"0.0.0.0/0"}'
+curl -s -X POST -H "Content-Type: application/json" -d "${SEC_CFG_PAYLOAD}" -b ${TMP_COOKIE} http://localhost:8080/api/v1/security/config

 echo "Apply rules and test payload..."
 # create minimal proxy host if needed; omitted here for brevity; test will target local Caddy root

-RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -d "<script>alert(1)</script>" http://localhost/)
+echo "Dumping Caddy config routes to verify waf handler and rules_files..."
+curl -s http://localhost:2019/config | grep -n "waf" || true
+curl -s http://localhost:2019/config | grep -n "integration-xss" || true
+
+echo "Inspecting ruleset file inside container..."
+docker exec charon-debug cat /app/data/caddy/coraza/rulesets/integration-xss.conf || true
+
+echo "Recent caddy logs (may contain plugin errors):"
+docker logs charon-debug | tail -n 200 || true
+
+RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -d "<script>alert(1)</script>" -H "Host: integration.local" http://localhost/post)
 if [ "$RESPONSE" = "403" ]; then
  echo "Coraza WAF blocked payload as expected (HTTP 403)"
 else
@@ -43,5 +121,9 @@ else
 fi

 echo "Coraza integration test complete. Cleaning up..."
-docker compose -f docker-compose.local.yml down
+docker rm -f coraza-backend || true
+if [ "$CREATED_NETWORK" -eq 1 ]; then
+  docker network rm containers_default || true
+fi
+docker rm -f charon-debug || true
 echo "Done"