From 1c81e1a38529f53348b4fe3a2c7e03da6f6283f6 Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Wed, 4 Mar 2026 02:02:14 +0100
Subject: [PATCH] fix WAF: load_owasp_crs=true loads CRS automatically, no Include needed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Caddyfile adapter test confirms: load_owasp_crs loads all CRS rules internally without any Include directives. Include @owasp_crs/... was wrong — that path is not accessible from SecLang directives.

Co-Authored-By: Claude Sonnet 4.6
---
 src/lib/caddy.ts | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index c4678852..224b7b42 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -828,9 +828,9 @@ function resolveEffectiveWaf(
 
 function buildWafHandler(waf: WafSettings): Record {
 // directives is a single string (Go struct type is string, not []string).
- // load_owasp_crs: true makes the embedded CRS filesystem accessible (@owasp_crs prefix),
- // but the rules still need to be explicitly included via Include directives.
- // Both fields are required together to actually load and apply CRS rules.
+ // load_owasp_crs: true makes the module load the embedded OWASP CRS automatically —
+ // no Include directives are needed for CRS itself (the Caddyfile adapter confirms this:
+ // `load_owasp_crs` with no directives is sufficient to load all rules).
 const parts = [
 `SecRuleEngine ${waf.mode}`,
 'SecAuditEngine On',
@@ -840,13 +840,6 @@ function buildWafHandler(waf: WafSettings): Record {
 'SecResponseBodyAccess Off',
 ];
 
- if (waf.load_owasp_crs) {
- parts.push(
- 'Include @owasp_crs/crs-setup.conf.example',
- 'Include @owasp_crs/rules/*.conf',
- );
- }
-
 if (waf.custom_directives?.trim()) {
 parts.push(waf.custom_directives.trim());
 }
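Review bot: The rewritten comment in buildWafHandler asserts that `load_owasp_crs: true` loads every CRS rule by itself, but the evidence it cites is a Caddyfile adapter test, which shows that the option is accepted when the config is adapted, not that rules are evaluated on requests. The second hunk removes both `Include` lines on the strength of that claim. If the WAF module only exposes the embedded rule files, the handler would run with just the base directives in `parts` and no rules, failing open without any error; upstream coraza-caddy, as far as I recall, documents `load_owasp_crs` together with `Include @crs-setup.conf.example` and `Include @owasp_crs/*.conf`, though this patch does not show which module is in use. Before merging I would add a runtime check that a request matching a CRS rule produces an audit-log entry when `custom_directives` is empty, and soften the comment to `// load_owasp_crs: true is expected to load the embedded CRS; confirmed at config-adapt time only, verify rule hits at runtime.` buildWafHandler continues beyond the end of the second hunk.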