return Handler{
"handler": "subroute",
"routes": []map[string]interface{}{
{
- "match": []map[string]interface{}{
- {
- "remote_ip": map[string]interface{}{
- "ranges": cidrs,
- },
- },
- },
+ "match": matchParts,
"handle": []map[string]interface{}{
{
"handler": "static_response",
@@ -667,11 +896,91 @@ func buildACLHandler(acl *models.AccessList) (Handler, error)
+ }, nil
+ }
return nil, nil
}
+
+// buildCrowdSecHandler returns a placeholder CrowdSec handler. In a future
+// implementation this can be replaced with a proper Caddy plugin integration
+// to call into a local CrowdSec agent.
+func buildCrowdSecHandler(host *models.ProxyHost, secCfg *models.SecurityConfig, crowdsecEnabled bool) (Handler, error) {
+ // Only add a handler when the computed runtime flag indicates CrowdSec is enabled.
+ // The computed flag incorporates runtime overrides and global Cerberus enablement.
+ if !crowdsecEnabled {
+ return nil, nil
+ }
+ // For now, the local-only mode is supported; crowdsecEnabled implies 'local'
+ h := Handler{"handler": "crowdsec"}
+ h["mode"] = "local"
+ return h, nil
+}
+
+// buildWAFHandler returns a placeholder WAF handler (Coraza) configuration.
+// This is a stub; integration with a Coraza caddy plugin would be required
+// for real runtime enforcement.
+func buildWAFHandler(host *models.ProxyHost, rulesets []models.SecurityRuleSet, rulesetPaths map[string]string, secCfg *models.SecurityConfig, wafEnabled bool) (Handler, error) {
+ // If the host provided an advanced_config containing a 'ruleset_name', prefer that value
+ var hostRulesetName string
+ if host != nil && host.AdvancedConfig != "" {
+ var ac map[string]interface{}
+ if err := json.Unmarshal([]byte(host.AdvancedConfig), &ac); err == nil {
+ if rn, ok := ac["ruleset_name"]; ok {
+ if rnStr, ok2 := rn.(string); ok2 && rnStr != "" {
+ hostRulesetName = rnStr
+ }
+ }
+ }
+ }
+
+ // Find a ruleset to associate with WAF; prefer name match by host.Application, host.AdvancedConfig ruleset_name or default 'owasp-crs'
+ var selected *models.SecurityRuleSet
+ for i, r := range rulesets {
+ if r.Name == "owasp-crs" || (host != nil && r.Name == host.Application) || (hostRulesetName != "" && r.Name == hostRulesetName) || (secCfg != nil && r.Name == secCfg.WAFRulesSource) {
+ selected = &rulesets[i]
+ break
+ }
+ }
+
+ if !wafEnabled {
+ return nil, nil
+ }
+ h := Handler{"handler": "waf"}
+ if selected != nil {
+ if rulesetPaths != nil {
+ if p, ok := rulesetPaths[selected.Name]; ok && p != "" {
+ h["include"] = []string{p}
+ }
+ }
+ } else if secCfg != nil && secCfg.WAFRulesSource != "" {
+ // If there was a requested ruleset name but nothing matched, include path if known
+ if rulesetPaths != nil {
+ if p, ok := rulesetPaths[secCfg.WAFRulesSource]; ok && p != "" {
+ h["include"] = []string{p}
+ }
+ }
+ }
+ // WAF enablement is handled by the caller. Don't add a 'mode' field
+ // here because the module expects a specific configuration schema.
+ if secCfg != nil && secCfg.WAFMode == "disabled" {
+ return nil, nil
+ }
+ return h, nil
+}
+
+// buildRateLimitHandler returns a placeholder for a rate-limit handler.
+// Real implementation should use the relevant Caddy module/plugin when available.
+func buildRateLimitHandler(host *models.ProxyHost, secCfg *models.SecurityConfig) (Handler, error) {
+ // If host has custom rate limit metadata we could parse and construct it.
+ h := Handler{"handler": "rate_limit"}
+ if secCfg != nil && secCfg.RateLimitRequests > 0 && secCfg.RateLimitWindowSec > 0 {
+ h["requests"] = secCfg.RateLimitRequests
+ h["window_sec"] = secCfg.RateLimitWindowSec
+ h["burst"] = secCfg.RateLimitBurst
+ }
+ return h, nil
+}
package caddy
@@ -761,47 +1070,58 @@ type ImportResult struct {
Errors []string `json:"errors"`
}
-// Importer handles Caddyfile parsing and conversion to CPM+ models.
+// Importer handles Caddyfile parsing and conversion to Charon models.
type Importer struct {
caddyBinaryPath string
executor Executor
}
// NewImporter creates a new Caddyfile importer.
-func NewImporter(binaryPath string) *Importer {
- if binaryPath == "" {
+func NewImporter(binaryPath string) *Importer {
+ if binaryPath == "" {
binaryPath = "caddy" // Default to PATH
}
- return &Importer{
+ return &Importer{
caddyBinaryPath: binaryPath,
executor: &DefaultExecutor{},
}
}
+// forceSplitFallback used in tests to exercise the fallback branch
+var forceSplitFallback bool
+
// ParseCaddyfile reads a Caddyfile and converts it to Caddy JSON.
-func (i *Importer) ParseCaddyfile(caddyfilePath string) ([]byte, error) {
- if _, err := os.Stat(caddyfilePath); os.IsNotExist(err) {
- return nil, fmt.Errorf("caddyfile not found: %s", caddyfilePath)
+func (i *Importer) ParseCaddyfile(caddyfilePath string) ([]byte, error) {
+ // Sanitize the incoming path to detect forbidden traversal sequences.
+ clean := filepath.Clean(caddyfilePath)
+ if clean == "" || clean == "." {
+ return nil, fmt.Errorf("invalid caddyfile path")
+ }
+ if strings.Contains(clean, ".."+string(os.PathSeparator)) || strings.HasPrefix(clean, "..") {
+ return nil, fmt.Errorf("invalid caddyfile path")
+ }
+ if _, err := os.Stat(clean); os.IsNotExist(err) {
+ return nil, fmt.Errorf("caddyfile not found: %s", clean)
}
- output, err := i.executor.Execute(i.caddyBinaryPath, "adapt", "--config", caddyfilePath, "--adapter", "caddyfile")
+ output, err := i.executor.Execute(i.caddyBinaryPath, "adapt", "--config", clean, "--adapter", "caddyfile")
if err != nil {
return nil, fmt.Errorf("caddy adapt failed: %w (output: %s)", err, string(output))
}
- return output, nil
+ return output, nil
}
// extractHandlers recursively extracts handlers from a list, flattening subroutes.
-func (i *Importer) extractHandlers(handles []*CaddyHandler) []*CaddyHandler {
+func (i *Importer) extractHandlers(handles []*CaddyHandler) []*CaddyHandler {
var result []*CaddyHandler
- for _, handler := range handles {
+ for _, handler := range handles {
// If this is a subroute, extract handlers from its first route
- if handler.Handler == "subroute" {
+ if handler.Handler == "subroute" {
if routes, ok := handler.Routes.([]interface{}); ok && len(routes) > 0 {
if subroute, ok := routes[0].(map[string]interface{}); ok {
- if subhandles, ok := subroute["handle"].([]interface{}); ok {
+ if subhandles, ok := subroute["handle"].([]interface{}); ok {
// Convert the subhandles to CaddyHandler objects
for _, sh := range subhandles {
if shMap, ok := sh.(map[string]interface{}); ok {
@@ -821,23 +1141,23 @@ func (i *Importer) extractHandlers(handles []*CaddyHandler) []*CaddyHandler {
+ } else {
// Regular handler, add it directly
result = append(result, handler)
}
}
- return result
+ return result
}
// ExtractHosts parses Caddy JSON and extracts proxy host information.
-func (i *Importer) ExtractHosts(caddyJSON []byte) (*ImportResult, error) {
+func (i *Importer) ExtractHosts(caddyJSON []byte) (*ImportResult, error) {
var config CaddyConfig
if err := json.Unmarshal(caddyJSON, &config); err != nil {
return nil, fmt.Errorf("parsing caddy json: %w", err)
}
- result := &ImportResult{
+ result := &ImportResult{
Hosts: []ParsedHost{},
Conflicts: []string{},
Errors: []string{},
@@ -847,12 +1167,12 @@ func (i *Importer) ExtractHosts(caddyJSON []byte) (*ImportResult, error)
- seenDomains := make(map[string]bool)
+ seenDomains := make(map[string]bool)
- for serverName, server := range config.Apps.HTTP.Servers {
+ for serverName, server := range config.Apps.HTTP.Servers {
// Detect if this server uses SSL based on listen address or TLS policies
serverUsesSSL := server.TLSConnectionPolicies != nil
- for _, listenAddr := range server.Listen {
+ for _, listenAddr := range server.Listen {
// Check if listening on :443 or any HTTPS port indicator
if strings.Contains(listenAddr, ":443") || strings.HasSuffix(listenAddr, "443") {
serverUsesSSL = true
@@ -860,9 +1180,9 @@ func (i *Importer) ExtractHosts(caddyJSON []byte) (*ImportResult, error) for routeIdx, route := range server.Routes {
- for _, match := range route.Match {
- for _, hostMatcher := range match.Host {
+ for routeIdx, route := range server.Routes {
+ for _, match := range route.Match {
+ for _, hostMatcher := range match.Host {
domain := hostMatcher
// Check for duplicate domains (report domain names only)
@@ -870,7 +1190,7 @@ func (i *Importer) ExtractHosts(caddyJSON []byte) (*ImportResult, error)
}
- seenDomains[domain] = true
+ seenDomains[domain] = true
// Extract reverse proxy handler
host := ParsedHost{
@@ -881,27 +1201,27 @@ func (i *Importer) ExtractHosts(caddyJSON []byte) (*ImportResult, error) {
- if handler.Handler == "reverse_proxy" {
+ for _, handler := range handlers {
+ if handler.Handler == "reverse_proxy" {
upstreams, _ := handler.Upstreams.([]interface{})
- if len(upstreams) > 0 {
- if upstream, ok := upstreams[0].(map[string]interface{}); ok {
+ if len(upstreams) > 0 {
+ if upstream, ok := upstreams[0].(map[string]interface{}); ok {
dial, _ := upstream["dial"].(string)
- if dial != "" {
+ if dial != "" {
hostStr, portStr, err := net.SplitHostPort(dial)
- if err == nil {
+ if err == nil && !forceSplitFallback {
host.ForwardHost = hostStr
- if _, err := fmt.Sscanf(portStr, "%d", &host.ForwardPort); err != nil {
+ if _, err := fmt.Sscanf(portStr, "%d", &host.ForwardPort); err != nil {
host.ForwardPort = 80
}
- } else {
+ } else {
// Fallback: assume dial is just the host or has some other format
// Try to handle simple "host:port" manually if net.SplitHostPort failed for some reason
// or assume it's just a host
parts := strings.Split(dial, ":")
- if len(parts) == 2 {
+ if len(parts) == 2 {
host.ForwardHost = parts[0]
- if _, err := fmt.Sscanf(parts[1], "%d", &host.ForwardPort); err != nil {
+ if _, err := fmt.Sscanf(parts[1], "%d", &host.ForwardPort); err != nil {
host.ForwardPort = 80
}
} else {
@@ -914,7 +1234,7 @@ func (i *Importer) ExtractHosts(caddyJSON []byte) (*ImportResult, error) if headers, ok := handler.Headers.(map[string]interface{}); ok {
+ if headers, ok := handler.Headers.(map[string]interface{}); ok {
if upgrade, ok := headers["Upgrade"].([]interface{}); ok {
for _, v := range upgrade {
if v == "websocket" {
@@ -926,23 +1246,23 @@ func (i *Importer) ExtractHosts(caddyJSON []byte) (*ImportResult, error) host.ForwardScheme = "http"
+ host.ForwardScheme = "http"
if host.SSLForced {
host.ForwardScheme = "https"
}
}
// Detect unsupported features
- if handler.Handler == "rewrite" {
+ if handler.Handler == "rewrite" {
host.Warnings = append(host.Warnings, "Rewrite rules not supported - manual configuration required")
}
- if handler.Handler == "file_server" {
+ if handler.Handler == "file_server" {
host.Warnings = append(host.Warnings, "File server directives not supported")
}
}
// Store raw JSON for this route
- routeJSON, _ := json.Marshal(map[string]interface{}{
+ routeJSON, _ := json.Marshal(map[string]interface{}{
"server": serverName,
"route": routeIdx,
"data": route,
@@ -955,11 +1275,11 @@ func (i *Importer) ExtractHosts(caddyJSON []byte) (*ImportResult, error) return result, nil
+ return result, nil
}
// ImportFile performs complete import: parse Caddyfile and extract hosts.
-func (i *Importer) ImportFile(caddyfilePath string) (*ImportResult, error) {
+func (i *Importer) ImportFile(caddyfilePath string) (*ImportResult, error) {
caddyJSON, err := i.ParseCaddyfile(caddyfilePath)
if err != nil {
return nil, err
@@ -1001,24 +1321,35 @@ func (i *Importer) ValidateCaddyBinary() error {
}
// BackupCaddyfile creates a timestamped backup of the original Caddyfile.
-func BackupCaddyfile(originalPath, backupDir string) (string, error) {
+func BackupCaddyfile(originalPath, backupDir string) (string, error) {
if err := os.MkdirAll(backupDir, 0755); err != nil {
return "", fmt.Errorf("creating backup directory: %w", err)
}
- timestamp := fmt.Sprintf("%d", os.Getpid()) // Simple timestamp placeholder
- backupPath := filepath.Join(backupDir, fmt.Sprintf("Caddyfile.%s.backup", timestamp))
+ timestamp := fmt.Sprintf("%d", os.Getpid()) // Simple timestamp placeholder
+ // Ensure the backup path is contained within backupDir to prevent path traversal
+ backupFile := fmt.Sprintf("Caddyfile.%s.backup", timestamp)
+ // Create a safe join with backupDir
+ backupPath := filepath.Join(backupDir, backupFile)
- input, err := os.ReadFile(originalPath)
+ // Validate the original path: avoid traversal elements pointing outside backupDir
+ clean := filepath.Clean(originalPath)
+ if clean == "" || clean == "." {
+ return "", fmt.Errorf("invalid original path")
+ }
+ if strings.Contains(clean, ".."+string(os.PathSeparator)) || strings.HasPrefix(clean, "..") {
+ return "", fmt.Errorf("invalid original path")
+ }
+ input, err := os.ReadFile(clean)
if err != nil {
return "", fmt.Errorf("reading original file: %w", err)
}
- if err := os.WriteFile(backupPath, input, 0644); err != nil {
+ if err := os.WriteFile(backupPath, input, 0644); err != nil {
return "", fmt.Errorf("writing backup: %w", err)
}
- return backupPath, nil
+ return backupPath, nil
}
@@ -1032,21 +1363,27 @@ import (
"os"
"path/filepath"
"sort"
+ "strings"
"time"
"gorm.io/gorm"
+ "github.com/Wikid82/charon/backend/internal/config"
+ "github.com/Wikid82/charon/backend/internal/logger"
"github.com/Wikid82/charon/backend/internal/models"
)
// Test hooks to allow overriding OS and JSON functions
var (
- writeFileFunc = os.WriteFile
- readFileFunc = os.ReadFile
- removeFileFunc = os.Remove
- readDirFunc = os.ReadDir
- statFunc = os.Stat
+ writeFileFunc = os.WriteFile
+ readFileFunc = os.ReadFile
+ removeFileFunc = os.Remove
+ readDirFunc = os.ReadDir
+ statFunc = os.Stat
jsonMarshalFunc = json.MarshalIndent
+ // Test hooks for bandaging validation/generation flows
+ generateConfigFunc = GenerateConfig
+ validateConfigFunc = Validate
)
// Manager orchestrates Caddy configuration lifecycle: generate, validate, apply, rollback.
@@ -1056,21 +1393,23 @@ type Manager struct {
configDir string
frontendDir string
acmeStaging bool
+ securityCfg config.SecurityConfig
}
// NewManager creates a configuration manager.
-func NewManager(client *Client, db *gorm.DB, configDir string, frontendDir string, acmeStaging bool) *Manager {
+func NewManager(client *Client, db *gorm.DB, configDir string, frontendDir string, acmeStaging bool, securityCfg config.SecurityConfig) *Manager {
return &Manager{
client: client,
db: db,
configDir: configDir,
frontendDir: frontendDir,
acmeStaging: acmeStaging,
+ securityCfg: securityCfg,
}
}
// ApplyConfig generates configuration from database, validates it, applies to Caddy with rollback on failure.
-func (m *Manager) ApplyConfig(ctx context.Context) error {
+func (m *Manager) ApplyConfig(ctx context.Context) error {
// Fetch all proxy hosts from database
var hosts []models.ProxyHost
if err := m.db.Preload("Locations").Preload("Certificate").Preload("AccessList").Find(&hosts).Error; err != nil {
@@ -1078,38 +1417,107 @@ func (m *Manager) ApplyConfig(ctx context.Context) error
// Fetch ACME email setting
- var acmeEmailSetting models.Setting
+ var acmeEmailSetting models.Setting
var acmeEmail string
if err := m.db.Where("key = ?", "caddy.acme_email").First(&acmeEmailSetting).Error; err == nil {
acmeEmail = acmeEmailSetting.Value
}
// Fetch SSL Provider setting
- var sslProviderSetting models.Setting
+ var sslProviderSetting models.Setting
var sslProvider string
if err := m.db.Where("key = ?", "caddy.ssl_provider").First(&sslProviderSetting).Error; err == nil {
sslProvider = sslProviderSetting.Value
}
+ // Compute effective security flags (re-read runtime overrides)
+ _, aclEnabled, wafEnabled, rateLimitEnabled, crowdsecEnabled := m.computeEffectiveFlags(ctx)
+
+ // Safety check: if Cerberus is enabled in DB and no admin whitelist configured,
+ // block applying changes to avoid accidental self-lockout.
+ var secCfg models.SecurityConfig
+ if err := m.db.Where("name = ?", "default").First(&secCfg).Error; err == nil {
+ if secCfg.Enabled && strings.TrimSpace(secCfg.AdminWhitelist) == "" {
+ return fmt.Errorf("refusing to apply config: Cerberus is enabled but admin_whitelist is empty; add an admin whitelist entry or generate a break-glass token")
+ }
+ }
+
+ // Load ruleset metadata (WAF/Coraza) for config generation
+ var rulesets []models.SecurityRuleSet
+ if err := m.db.Find(&rulesets).Error; err != nil {
+ // non-fatal: just log the error and continue with empty rules
+ logger.Log().WithError(err).Warn("failed to load rulesets for generate config")
+ }
+
+ // Load recent security decisions so they can be injected into the generated config
+ var decisions []models.SecurityDecision
+ if err := m.db.Order("created_at desc").Find(&decisions).Error; err != nil {
+ logger.Log().WithError(err).Warn("failed to load security decisions for generate config")
+ }
+
// Generate Caddy config
- config, err := GenerateConfig(hosts, filepath.Join(m.configDir, "data"), acmeEmail, m.frontendDir, sslProvider, m.acmeStaging)
- if err != nil {
+ // Read admin whitelist for config generation so handlers can exclude admin IPs
+ var adminWhitelist string
+ if secCfg.AdminWhitelist != "" {
+ adminWhitelist = secCfg.AdminWhitelist
+ }
+ // Ensure ruleset files exist on disk and build a map of their paths for GenerateConfig
+ rulesetPaths := make(map[string]string)
+ if len(rulesets) > 0 {
+ corazaDir := filepath.Join(m.configDir, "coraza", "rulesets")
+ if err := os.MkdirAll(corazaDir, 0755); err != nil {
+ logger.Log().WithError(err).Warn("failed to create coraza rulesets dir")
+ }
+ for _, rs := range rulesets {
+ // sanitize name to a safe filename
+ safeName := strings.ReplaceAll(strings.ToLower(rs.Name), " ", "-")
+ safeName = strings.ReplaceAll(safeName, "/", "-")
+ filePath := filepath.Join(corazaDir, safeName+".conf")
+ // Prepend required Coraza directives if not already present.
+ // These are essential for the WAF to actually enforce rules:
+ // - SecRuleEngine On: enables blocking mode (default is DetectionOnly)
+ // - SecRequestBodyAccess On: allows inspecting POST body content
+ content := rs.Content
+ if !strings.Contains(strings.ToLower(content), "secruleengine") {
+ content = "SecRuleEngine On\nSecRequestBodyAccess On\n\n" + content
+ }
+ // Write ruleset file with world-readable permissions so the Caddy
+ // process (which may run as an unprivileged user) can read it.
+ if err := writeFileFunc(filePath, []byte(content), 0644); err != nil {
+ logger.Log().WithError(err).WithField("ruleset", rs.Name).Warn("failed to write coraza ruleset file")
+ } else {
+ // Log a short fingerprint for debugging and confirm path
+ rulesetPaths[rs.Name] = filePath
+ logger.Log().WithField("ruleset", rs.Name).WithField("path", filePath).Info("wrote coraza ruleset file")
+ }
+ }
+ }
+
+ config, err := generateConfigFunc(hosts, filepath.Join(m.configDir, "data"), acmeEmail, m.frontendDir, sslProvider, m.acmeStaging, crowdsecEnabled, wafEnabled, rateLimitEnabled, aclEnabled, adminWhitelist, rulesets, rulesetPaths, decisions, &secCfg)
+ if err != nil {
return fmt.Errorf("generate config: %w", err)
}
+ // Log generated config size and a compact JSON snippet for debugging when in debug mode
+ if cfgJSON, jerr := json.Marshal(config); jerr == nil {
+ logger.Log().WithField("config_json_len", len(cfgJSON)).Debug("generated Caddy config JSON")
+ } else {
+ logger.Log().WithError(jerr).Warn("failed to marshal generated config for debug logging")
+ }
+
// Validate before applying
- if err := Validate(config); err != nil {
+ if err := validateConfigFunc(config); err != nil {
return fmt.Errorf("validation failed: %w", err)
}
// Save snapshot for rollback
- snapshotPath, err := m.saveSnapshot(config)
+ snapshotPath, err := m.saveSnapshot(config)
if err != nil {
return fmt.Errorf("save snapshot: %w", err)
}
// Calculate config hash for audit trail
- configJSON, _ := json.Marshal(config)
+ configJSON, _ := json.Marshal(config)
configHash := fmt.Sprintf("%x", sha256.Sum256(configJSON))
// Apply to Caddy
@@ -1130,19 +1538,19 @@ func (m *Manager) ApplyConfig(ctx context.Context) error m.recordConfigChange(configHash, true, "")
+ m.recordConfigChange(configHash, true, "")
// Cleanup old snapshots (keep last 10)
- if err := m.rotateSnapshots(10); err != nil {
+ if err := m.rotateSnapshots(10); err != nil {
// Non-fatal - log but don't fail
- fmt.Printf("warning: snapshot rotation failed: %v\n", err)
+ logger.Log().WithError(err).Warn("warning: snapshot rotation failed")
}
- return nil
+ return nil
}
// saveSnapshot stores the config to disk with timestamp.
-func (m *Manager) saveSnapshot(config *Config) (string, error) {
+func (m *Manager) saveSnapshot(config *Config) (string, error) {
timestamp := time.Now().Unix()
filename := fmt.Sprintf("config-%d.json", timestamp)
path := filepath.Join(m.configDir, filename)
@@ -1152,24 +1560,24 @@ func (m *Manager) saveSnapshot(config *Config) (string, error)
- if err := writeFileFunc(path, configJSON, 0644); err != nil {
+ if err := writeFileFunc(path, configJSON, 0644); err != nil {
return "", fmt.Errorf("write snapshot: %w", err)
}
- return path, nil
+ return path, nil
}
// rollback loads the most recent snapshot from disk.
-func (m *Manager) rollback(ctx context.Context) error {
+func (m *Manager) rollback(ctx context.Context) error {
snapshots, err := m.listSnapshots()
if err != nil || len(snapshots) == 0 {
return fmt.Errorf("no snapshots available for rollback")
}
// Load most recent snapshot
- latestSnapshot := snapshots[len(snapshots)-1]
+ latestSnapshot := snapshots[len(snapshots)-1]
configJSON, err := readFileFunc(latestSnapshot)
- if err != nil {
+ if err != nil {
return fmt.Errorf("read snapshot: %w", err)
}
@@ -1187,44 +1595,44 @@ func (m *Manager) rollback(ctx context.Context) error {
+func (m *Manager) listSnapshots() ([]string, error) {
entries, err := readDirFunc(m.configDir)
- if err != nil {
+ if err != nil {
return nil, fmt.Errorf("read config dir: %w", err)
}
- var snapshots []string
- for _, entry := range entries {
- if entry.IsDir() || filepath.Ext(entry.Name()) != ".json" {
+ var snapshots []string
+ for _, entry := range entries {
+ if entry.IsDir() || filepath.Ext(entry.Name()) != ".json" {
continue
}
- snapshots = append(snapshots, filepath.Join(m.configDir, entry.Name()))
+ snapshots = append(snapshots, filepath.Join(m.configDir, entry.Name()))
}
// Sort by modification time
- sort.Slice(snapshots, func(i, j int) bool {
+ sort.Slice(snapshots, func(i, j int) bool {
infoI, _ := statFunc(snapshots[i])
infoJ, _ := statFunc(snapshots[j])
return infoI.ModTime().Before(infoJ.ModTime())
})
- return snapshots, nil
+ return snapshots, nil
}
// rotateSnapshots keeps only the N most recent snapshots.
-func (m *Manager) rotateSnapshots(keep int) error {
+func (m *Manager) rotateSnapshots(keep int) error {
snapshots, err := m.listSnapshots()
- if err != nil {
+ if err != nil {
return err
}
- if len(snapshots) <= keep {
+ if len(snapshots) <= keep {
return nil
}
// Delete oldest snapshots
toDelete := snapshots[:len(snapshots)-keep]
- for _, path := range toDelete {
+ for _, path := range toDelete {
if err := removeFileFunc(path); err != nil {
return fmt.Errorf("delete snapshot %s: %w", path, err)
}
@@ -1234,7 +1642,7 @@ func (m *Manager) rotateSnapshots(keep int) error {
}
// recordConfigChange stores an audit record in the database.
-func (m *Manager) recordConfigChange(configHash string, success bool, errorMsg string) {
+func (m *Manager) recordConfigChange(configHash string, success bool, errorMsg string) {
record := models.CaddyConfig{
ConfigHash: configHash,
AppliedAt: time.Now(),
@@ -1255,6 +1663,57 @@ func (m *Manager) Ping(ctx context.Context) error {
func (m *Manager) GetCurrentConfig(ctx context.Context) (*Config, error) {
return m.client.GetConfig(ctx)
}
+
+// computeEffectiveFlags reads runtime settings to determine whether Cerberus
+// suite and each sub-component (ACL, WAF, RateLimit, CrowdSec) are effectively enabled.
+func (m *Manager) computeEffectiveFlags(ctx context.Context) (cerbEnabled bool, aclEnabled bool, wafEnabled bool, rateLimitEnabled bool, crowdsecEnabled bool) {
+ // Base flags from static config
+ cerbEnabled = m.securityCfg.CerberusEnabled
+ // WAF is enabled if explicitly set and not 'disabled' (supports 'monitor'/'block')
+ wafEnabled = m.securityCfg.WAFMode != "" && m.securityCfg.WAFMode != "disabled"
+ rateLimitEnabled = m.securityCfg.RateLimitMode == "enabled"
+ // CrowdSec only supports 'local' mode; treat other values as disabled
+ crowdsecEnabled = m.securityCfg.CrowdSecMode == "local"
+ aclEnabled = m.securityCfg.ACLMode == "enabled"
+
+ if m.db != nil {
+ var s models.Setting
+ // runtime override for cerberus enabled
+ if err := m.db.Where("key = ?", "security.cerberus.enabled").First(&s).Error; err == nil {
+ cerbEnabled = strings.EqualFold(s.Value, "true")
+ }
+
+ // runtime override for ACL enabled
+ if err := m.db.Where("key = ?", "security.acl.enabled").First(&s).Error; err == nil {
+ if strings.EqualFold(s.Value, "true") {
+ aclEnabled = true
+ } else if strings.EqualFold(s.Value, "false") {
+ aclEnabled = false
+ }
+ }
+
+ // runtime override for crowdsec mode (mode value determines whether it's local/remote/enabled)
+ var cm struct{ Value string }
+ if err := m.db.Raw("SELECT value FROM settings WHERE key = ? LIMIT 1", "security.crowdsec.mode").Scan(&cm).Error; err == nil && cm.Value != "" {
+ // Only 'local' runtime mode enables CrowdSec; all other values are disabled
+ if cm.Value == "local" {
+ crowdsecEnabled = true
+ } else {
+ crowdsecEnabled = false
+ }
+ }
+ }
+
+ // ACL, WAF, RateLimit and CrowdSec should only be considered enabled if Cerberus is enabled.
+ if !cerbEnabled {
+ aclEnabled = false
+ wafEnabled = false
+ rateLimitEnabled = false
+ crowdsecEnabled = false
+ }
+
+ return cerbEnabled, aclEnabled, wafEnabled, rateLimitEnabled, crowdsecEnabled
+}
package caddy
@@ -1358,7 +1817,7 @@ type Handler map[string]interface{}
// ReverseProxyHandler creates a reverse_proxy handler.
// application: "none", "plex", "jellyfin", "emby", "homeassistant", "nextcloud", "vaultwarden"
-func ReverseProxyHandler(dial string, enableWS bool, application string) Handler {
+func ReverseProxyHandler(dial string, enableWS bool, application string) Handler {
h := Handler{
"handler": "reverse_proxy",
"flush_interval": -1, // Disable buffering for better streaming performance (Plex, etc.)
@@ -1380,7 +1839,7 @@ func ReverseProxyHandler(dial string, enableWS bool, application string) Handler
// Application-specific headers for proper client IP forwarding
// These are critical for media servers behind tunnels/CGNAT
- switch application {
+ switch application {
case "plex":
// Pass-through common Plex headers for improved compatibility when proxying
setHeaders["X-Plex-Client-Identifier"] = []string{"{http.request.header.X-Plex-Client-Identifier}"}
@@ -1403,17 +1862,17 @@ func ReverseProxyHandler(dial string, enableWS bool, application string) Handler
}
// Only add headers config if we have headers to set
- if len(setHeaders) > 0 {
+ if len(setHeaders) > 0 {
requestHeaders["set"] = setHeaders
headers["request"] = requestHeaders
h["headers"] = headers
}
- return h
+ return h
}
// HeaderHandler creates a handler that sets HTTP response headers.
-func HeaderHandler(headers map[string][]string) Handler {
+func HeaderHandler(headers map[string][]string) Handler {
return Handler{
"handler": "headers",
"response": map[string]interface{}{
@@ -1424,7 +1883,7 @@ func HeaderHandler(headers map[string][]string) Handler {
+func BlockExploitsHandler() Handler {
return Handler{
"handler": "vars",
// Placeholder for future exploit blocking logic
@@ -1489,32 +1948,32 @@ import (
)
// Validate performs pre-flight validation on a Caddy config before applying it.
-func Validate(cfg *Config) error {
+func Validate(cfg *Config) error {
if cfg == nil {
return fmt.Errorf("config cannot be nil")
}
- if cfg.Apps.HTTP == nil {
+ if cfg.Apps.HTTP == nil {
return nil // Empty config is valid
}
// Track seen hosts to detect duplicates
- seenHosts := make(map[string]bool)
+ seenHosts := make(map[string]bool)
- for serverName, server := range cfg.Apps.HTTP.Servers {
+ for serverName, server := range cfg.Apps.HTTP.Servers {
if len(server.Listen) == 0 {
return fmt.Errorf("server %s has no listen addresses", serverName)
}
// Validate listen addresses
- for _, addr := range server.Listen {
+ for _, addr := range server.Listen {
if err := validateListenAddr(addr); err != nil {
return fmt.Errorf("invalid listen address %s in server %s: %w", addr, serverName, err)
}
}
// Validate routes
- for i, route := range server.Routes {
+ for i, route := range server.Routes {
if err := validateRoute(route, seenHosts); err != nil {
return fmt.Errorf("invalid route %d in server %s: %w", i, serverName, err)
}
@@ -1522,107 +1981,110 @@ func Validate(cfg *Config) error {
}
// Validate JSON marshalling works
- if _, err := json.Marshal(cfg); err != nil {
+ if _, err := jsonMarshalValidate(cfg); err != nil {
return fmt.Errorf("config cannot be marshalled to JSON: %w", err)
}
- return nil
+ return nil
}
-func validateListenAddr(addr string) error {
+// allow tests to override JSON marshalling to simulate errors
+var jsonMarshalValidate = json.Marshal
+
+func validateListenAddr(addr string) error {
// Strip network type prefix if present (tcp/, udp/)
if idx := strings.Index(addr, "/"); idx != -1 {
addr = addr[idx+1:]
}
// Parse host:port
- host, portStr, err := net.SplitHostPort(addr)
+ host, portStr, err := net.SplitHostPort(addr)
if err != nil {
return fmt.Errorf("invalid address format: %w", err)
}
// Validate port
- port, err := strconv.Atoi(portStr)
- if err != nil {
+ port, err := strconv.Atoi(portStr)
+ if err != nil {
return fmt.Errorf("invalid port: %w", err)
}
- if port < 1 || port > 65535 {
+ if port < 1 || port > 65535 {
return fmt.Errorf("port %d out of range (1-65535)", port)
}
// Validate host (allow empty for wildcard binding)
- if host != "" && net.ParseIP(host) == nil {
+ if host != "" && net.ParseIP(host) == nil {
return fmt.Errorf("invalid IP address: %s", host)
}
- return nil
+ return nil
}
-func validateRoute(route *Route, seenHosts map[string]bool) error {
+func validateRoute(route *Route, seenHosts map[string]bool) error {
if len(route.Handle) == 0 {
return fmt.Errorf("route has no handlers")
}
// Check for duplicate host matchers
- for _, match := range route.Match {
- for _, host := range match.Host {
+ for _, match := range route.Match {
+ for _, host := range match.Host {
if seenHosts[host] {
return fmt.Errorf("duplicate host matcher: %s", host)
}
- seenHosts[host] = true
+ seenHosts[host] = true
}
}
// Validate handlers
- for i, handler := range route.Handle {
+ for i, handler := range route.Handle {
if err := validateHandler(handler); err != nil {
return fmt.Errorf("invalid handler %d: %w", i, err)
}
}
- return nil
+ return nil
}
-func validateHandler(handler Handler) error {
+func validateHandler(handler Handler) error {
handlerType, ok := handler["handler"].(string)
if !ok {
return fmt.Errorf("handler missing 'handler' field")
}
- switch handlerType {
- case "reverse_proxy":
+ switch handlerType {
+ case "reverse_proxy":
return validateReverseProxy(handler)
- case "file_server", "static_response":
+ case "file_server", "static_response":
return nil // Accept other common handlers
- default:
+ default:
// Unknown handlers are allowed (Caddy is extensible)
return nil
}
}
-func validateReverseProxy(handler Handler) error {
+func validateReverseProxy(handler Handler) error {
upstreams, ok := handler["upstreams"].([]map[string]interface{})
if !ok {
return fmt.Errorf("reverse_proxy missing upstreams")
}
- if len(upstreams) == 0 {
+ if len(upstreams) == 0 {
return fmt.Errorf("reverse_proxy has no upstreams")
}
- for i, upstream := range upstreams {
+ for i, upstream := range upstreams {
dial, ok := upstream["dial"].(string)
if !ok || dial == "" {
return fmt.Errorf("upstream %d missing dial address", i)
}
// Validate dial address format (host:port)
- if _, _, err := net.SplitHostPort(dial); err != nil {
+ if _, _, err := net.SplitHostPort(dial); err != nil {
return fmt.Errorf("upstream %d has invalid dial address %s: %w", i, dial, err)
}
}
- return nil
+ return nil
}
diff --git a/backend/internal/caddy/config.go b/backend/internal/caddy/config.go
index b8cb5f21..8cbb6122 100644
--- a/backend/internal/caddy/config.go
+++ b/backend/internal/caddy/config.go
@@ -328,13 +328,13 @@ func GenerateConfig(hosts []models.ProxyHost, storageDir string, acmeEmail strin
// Ensure it has a "handler" key
if _, ok := v["handler"]; ok {
// Capture ruleset_name if present, remove it from advanced_config,
- // and convert it to rules_files if this is a waf handler.
+ // and set up 'include' array for coraza-caddy plugin.
if rn, has := v["ruleset_name"]; has {
if rnStr, ok := rn.(string); ok && rnStr != "" {
- // Only add rules_files if we map the name to a path
+ // Set 'include' array with the ruleset file path for coraza-caddy
if rulesetPaths != nil {
if p, ok := rulesetPaths[rnStr]; ok && p != "" {
- v["rules_file"] = p
+ v["include"] = []string{p}
}
}
}
@@ -352,7 +352,7 @@ func GenerateConfig(hosts []models.ProxyHost, storageDir string, acmeEmail strin
if rnStr, ok := rn.(string); ok && rnStr != "" {
if rulesetPaths != nil {
if p, ok := rulesetPaths[rnStr]; ok && p != "" {
- m["rules_file"] = p
+ m["include"] = []string{p}
}
}
}
@@ -753,15 +753,15 @@ func buildWAFHandler(host *models.ProxyHost, rulesets []models.SecurityRuleSet,
h := Handler{"handler": "waf"}
if selected != nil {
if rulesetPaths != nil {
- if p, ok := rulesetPaths[selected.Name]; ok && p != "" {
- h["rules_file"] = p
+ if p, ok := rulesetPaths[selected.Name]; ok && p != "" {
+ h["include"] = []string{p}
}
}
} else if secCfg != nil && secCfg.WAFRulesSource != "" {
- // If there was a requested ruleset name but nothing matched, include a rules_files entry if path known
+ // If there was a requested ruleset name but nothing matched, include path if known
if rulesetPaths != nil {
- if p, ok := rulesetPaths[secCfg.WAFRulesSource]; ok && p != "" {
- h["rules_file"] = p
+ if p, ok := rulesetPaths[secCfg.WAFRulesSource]; ok && p != "" {
+ h["include"] = []string{p}
}
}
}
diff --git a/backend/internal/caddy/config_generate_additional_test.go b/backend/internal/caddy/config_generate_additional_test.go
index 78a60652..abe337fe 100644
--- a/backend/internal/caddy/config_generate_additional_test.go
+++ b/backend/internal/caddy/config_generate_additional_test.go
@@ -168,17 +168,17 @@ func TestGenerateConfig_WAFModeAndRulesetReference(t *testing.T) {
sec := &models.SecurityConfig{WAFMode: "block", WAFRulesSource: "nonexistent-rs"}
cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", nil, nil, nil, sec)
require.NoError(t, err)
- // Since a ruleset name was requested but none exists, waf handler should include a reference but no rules_files
+ // Since a ruleset name was requested but none exists, waf handler should include a reference but no include array
route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
found := false
for _, h := range route.Handle {
if hn, ok := h["handler"].(string); ok && hn == "waf" {
- if _, ok := h["rules_file"]; !ok {
+ if _, ok := h["include"]; !ok {
found = true
}
}
}
- require.True(t, found, "expected waf handler without rules_files when referenced ruleset does not exist")
+ require.True(t, found, "expected waf handler without include array when referenced ruleset does not exist")
// Now test learning/monitor mode mapping
sec2 := &models.SecurityConfig{WAFMode: "block", WAFLearning: true}
@@ -218,13 +218,13 @@ func TestGenerateConfig_WAFSelectedSetsContentAndMode(t *testing.T) {
found := false
for _, h := range route.Handle {
if hn, ok := h["handler"].(string); ok && hn == "waf" {
- if rf, ok := h["rules_file"].(string); ok && rf != "" {
+ if incl, ok := h["include"].([]string); ok && len(incl) > 0 {
found = true
break
}
}
}
- require.True(t, found, "expected waf handler with rules_files to be present")
+ require.True(t, found, "expected waf handler with include array to be present")
}
func TestGenerateConfig_DecisionAdminPartsEmpty(t *testing.T) {
@@ -271,11 +271,11 @@ func TestGenerateConfig_WAFUsesRuleSet(t *testing.T) {
cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", []models.SecurityRuleSet{rs}, rulesetPaths, nil, nil)
require.NoError(t, err)
route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
- // check waf handler present with rules_files
+ // check waf handler present with include array
found := false
for _, h := range route.Handle {
if hn, ok := h["handler"].(string); ok && hn == "waf" {
- if rf, ok := h["rules_file"].(string); ok && rf != "" {
+ if incl, ok := h["include"].([]string); ok && len(incl) > 0 {
found = true
break
}
@@ -283,7 +283,7 @@ func TestGenerateConfig_WAFUsesRuleSet(t *testing.T) {
}
if !found {
b2, _ := json.MarshalIndent(route.Handle, "", " ")
- t.Fatalf("waf handler with rules_file should be present; handlers: %s", string(b2))
+ t.Fatalf("waf handler with include array should be present; handlers: %s", string(b2))
}
}
@@ -295,17 +295,17 @@ func TestGenerateConfig_WAFUsesRuleSetFromAdvancedConfig(t *testing.T) {
cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", []models.SecurityRuleSet{rs}, rulesetPaths, nil, nil)
require.NoError(t, err)
route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
- // check waf handler present with rules_files coming from host AdvancedConfig
+ // check waf handler present with include array coming from host AdvancedConfig
found := false
for _, h := range route.Handle {
if hn, ok := h["handler"].(string); ok && hn == "waf" {
- if rf, ok := h["rules_file"].(string); ok && rf == "/tmp/host-rs.conf" {
+ if incl, ok := h["include"].([]string); ok && len(incl) > 0 && incl[0] == "/tmp/host-rs.conf" {
found = true
break
}
}
}
- require.True(t, found, "waf handler with rules_files should include host advanced_config ruleset path")
+ require.True(t, found, "waf handler with include array should include host advanced_config ruleset path")
}
func TestGenerateConfig_WAFUsesRuleSetFromAdvancedConfig_Array(t *testing.T) {
@@ -316,17 +316,17 @@ func TestGenerateConfig_WAFUsesRuleSetFromAdvancedConfig_Array(t *testing.T) {
cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", []models.SecurityRuleSet{rs}, rulesetPaths, nil, nil)
require.NoError(t, err)
route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
- // check waf handler present with rules_file coming from host AdvancedConfig array
+ // check waf handler present with include array coming from host AdvancedConfig array
found := false
for _, h := range route.Handle {
if hn, ok := h["handler"].(string); ok && hn == "waf" {
- if rf, ok := h["rules_file"].(string); ok && rf == "/tmp/host-rs-array.conf" {
+ if incl, ok := h["include"].([]string); ok && len(incl) > 0 && incl[0] == "/tmp/host-rs-array.conf" {
found = true
break
}
}
}
- require.True(t, found, "waf handler with rules_file should include host advanced_config array ruleset path")
+ require.True(t, found, "waf handler with include array should include host advanced_config array ruleset path")
}
func TestGenerateConfig_WAFUsesRulesetFromSecCfgFallback(t *testing.T) {
@@ -336,18 +336,18 @@ func TestGenerateConfig_WAFUsesRulesetFromSecCfgFallback(t *testing.T) {
rulesetPaths := map[string]string{"owasp-crs": "/tmp/owasp-fallback.conf"}
cfg, err := GenerateConfig([]models.ProxyHost{host}, "/tmp/caddy-data", "", "", "", false, false, true, false, false, "", nil, rulesetPaths, nil, sec)
require.NoError(t, err)
- // since secCfg requested owasp-crs and we have a path, the wf handler should include rules_file
+ // since secCfg requested owasp-crs and we have a path, the waf handler should include the path in include array
route := cfg.Apps.HTTP.Servers["charon_server"].Routes[0]
found := false
for _, h := range route.Handle {
if hn, ok := h["handler"].(string); ok && hn == "waf" {
- if rf, ok := h["rules_file"].(string); ok && rf == "/tmp/owasp-fallback.conf" {
+ if incl, ok := h["include"].([]string); ok && len(incl) > 0 && incl[0] == "/tmp/owasp-fallback.conf" {
found = true
break
}
}
}
- require.True(t, found, "waf handler with rules_file should include fallback secCfg ruleset path")
+ require.True(t, found, "waf handler with include array should include fallback secCfg ruleset path")
}
func TestGenerateConfig_RateLimitFromSecCfg(t *testing.T) {
diff --git a/backend/internal/caddy/manager.go b/backend/internal/caddy/manager.go
index 1b17d704..3e10fbeb 100644
--- a/backend/internal/caddy/manager.go
+++ b/backend/internal/caddy/manager.go
@@ -20,12 +20,13 @@ import (
// Test hooks to allow overriding OS and JSON functions
var (
- writeFileFunc = os.WriteFile
- readFileFunc = os.ReadFile
- removeFileFunc = os.Remove
- readDirFunc = os.ReadDir
- statFunc = os.Stat
- jsonMarshalFunc = json.MarshalIndent
+ writeFileFunc = os.WriteFile
+ readFileFunc = os.ReadFile
+ removeFileFunc = os.Remove
+ readDirFunc = os.ReadDir
+ statFunc = os.Stat
+ jsonMarshalFunc = json.MarshalIndent
+ jsonMarshalDebugFunc = json.Marshal // For debug logging, separate hook for testing
// Test hooks for bandaging validation/generation flows
generateConfigFunc = GenerateConfig
validateConfigFunc = Validate
@@ -118,10 +119,22 @@ func (m *Manager) ApplyConfig(ctx context.Context) error {
safeName := strings.ReplaceAll(strings.ToLower(rs.Name), " ", "-")
safeName = strings.ReplaceAll(safeName, "/", "-")
filePath := filepath.Join(corazaDir, safeName+".conf")
- if err := writeFileFunc(filePath, []byte(rs.Content), 0600); err != nil {
+ // Prepend required Coraza directives if not already present.
+ // These are essential for the WAF to actually enforce rules:
+ // - SecRuleEngine On: enables blocking mode (default is DetectionOnly)
+ // - SecRequestBodyAccess On: allows inspecting POST body content
+ content := rs.Content
+ if !strings.Contains(strings.ToLower(content), "secruleengine") {
+ content = "SecRuleEngine On\nSecRequestBodyAccess On\n\n" + content
+ }
+ // Write ruleset file with world-readable permissions so the Caddy
+ // process (which may run as an unprivileged user) can read it.
+ if err := writeFileFunc(filePath, []byte(content), 0644); err != nil {
logger.Log().WithError(err).WithField("ruleset", rs.Name).Warn("failed to write coraza ruleset file")
} else {
+ // Log a short fingerprint for debugging and confirm path
rulesetPaths[rs.Name] = filePath
+ logger.Log().WithField("ruleset", rs.Name).WithField("path", filePath).Info("wrote coraza ruleset file")
}
}
}
@@ -131,6 +144,13 @@ func (m *Manager) ApplyConfig(ctx context.Context) error {
return fmt.Errorf("generate config: %w", err)
}
+ // Log generated config size and a compact JSON snippet for debugging when in debug mode
+ if cfgJSON, jerr := jsonMarshalDebugFunc(config); jerr == nil {
+ logger.Log().WithField("config_json_len", len(cfgJSON)).Debug("generated Caddy config JSON")
+ } else {
+ logger.Log().WithError(jerr).Warn("failed to marshal generated config for debug logging")
+ }
+
// Validate before applying
if err := validateConfigFunc(config); err != nil {
return fmt.Errorf("validation failed: %w", err)
diff --git a/backend/internal/caddy/manager_additional_test.go b/backend/internal/caddy/manager_additional_test.go
index f4902220..3e2b46ce 100644
--- a/backend/internal/caddy/manager_additional_test.go
+++ b/backend/internal/caddy/manager_additional_test.go
@@ -718,12 +718,15 @@ func TestManager_ApplyConfig_IncludesWAFHandlerWithRuleset(t *testing.T) {
if h == "ruleset.example.com" {
for _, handle := range r.Handle {
if handlerName, ok := handle["handler"].(string); ok && handlerName == "waf" {
- // Validate rules_file or inline ruleset_content presence
- if rf, ok := handle["rules_file"].(string); ok && rf != "" {
- // Ensure file exists and contains our content
- b, err := os.ReadFile(rf)
- if err == nil && string(b) == "test-rule-content" {
- found = true
+ // Validate include array (coraza-caddy schema) or inline ruleset_content presence
+ if incl, ok := handle["include"].([]interface{}); ok && len(incl) > 0 {
+ if rf, ok := incl[0].(string); ok && rf != "" {
+ // Ensure file exists and contains our content
+ // Note: manager prepends SecRuleEngine On directives, so we check Contains
+ b, err := os.ReadFile(rf)
+ if err == nil && strings.Contains(string(b), "test-rule-content") {
+ found = true
+ }
}
}
// Inline content may also exist as a fallback
@@ -990,3 +993,158 @@ func TestManager_ApplyConfig_ReappliesOnFlagChange(t *testing.T) {
}
assert.True(t, hasCrowdsec, "CrowdSec handler should be present when enabled via DB")
}
+
+func TestManager_ApplyConfig_PrependsSecRuleEngineDirectives(t *testing.T) {
+ tmp := t.TempDir()
+ dsn := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name()+"secruleengine")
+ db, err := gorm.Open(sqlite.Open(dsn), &gorm.Config{})
+ assert.NoError(t, err)
+ assert.NoError(t, db.AutoMigrate(&models.ProxyHost{}, &models.Location{}, &models.Setting{}, &models.CaddyConfig{}, &models.SSLCertificate{}, &models.SecurityConfig{}, &models.SecurityRuleSet{}))
+
+ // Create host and ruleset without SecRuleEngine directive
+ h := models.ProxyHost{DomainNames: "prepend.example.com", ForwardHost: "127.0.0.1", ForwardPort: 8080, Enabled: true}
+ db.Create(&h)
+ // Ruleset content without SecRuleEngine - should be prepended
+ ruleContent := `SecRule REQUEST_BODY "