diff --git a/README.md b/README.md index 5cbaa724..fd6ed251 100644 --- a/README.md +++ b/README.md @@ -16,15 +16,19 @@ This project provides a web UI for Caddy Server, eliminating the need to manuall **Key features:** - Reverse proxy configuration with multiple upstreams, load balancing, and custom headers +- WAF (Web Application Firewall) powered by Coraza with OWASP Core Rule Set, per-host config, and event log - Server-side search and pagination across all data tables - HTTP basic auth access lists with multi-account support - OAuth2/OIDC authentication support - Automatic HTTPS via Caddy's ACME (Let's Encrypt) with Cloudflare DNS-01 support - ACME certificate visibility with real issuer, expiry status, and per-host tracking +- Built-in CA for issuing internal client certificates - Optional upstream DNS pinning (resolve upstream hostnames on config apply) - Geo blocking per proxy host — block/allow by country, continent, ASN, CIDR, or IP - Custom certificate import (internal CA, wildcards, etc.) +- Instance sync — push configuration from a master to one or more slave instances - Audit logging of all configuration changes with full-text search +- Mobile-responsive UI (iPhone and narrow viewports) - Built with Next.js 16, React 19, Drizzle ORM, and TypeScript --- @@ -48,13 +52,16 @@ Data persists in Docker volumes (caddy-manager-data, caddy-data, caddy-config, c ## Features - **Proxy Hosts** - Reverse proxies with custom headers, multiple upstreams, load balancing, and enable/disable toggle +- **WAF** - Web Application Firewall powered by Coraza with optional OWASP Core Rule Set (SQLi, XSS, LFI, RCE). Per-host enable/disable, global and per-host rule suppression, custom SecLang directives, and a searchable event log with severity and blocked/detected classification - **Analytics** - Live traffic charts, country map, top user agents, and blocked request log with configurable time ranges - **Search & Pagination** - Server-side search and pagination on all data tables (proxy hosts, access lists, audit log, certificates) - **Geo Blocking** - Block or allow traffic by country, continent, ASN, CIDR range, or exact IP per proxy host - **Access Lists** - Multi-account HTTP basic auth protection assignable per proxy host -- **Certificates** - Automatic HTTPS for every proxy host via Caddy ACME (Let's Encrypt / ZeroSSL), with issuer and expiry visibility + manual SSL/TLS import -- **Settings** - ACME email, Cloudflare DNS-01, and upstream DNS pinning defaults +- **Certificates** - Automatic HTTPS for every proxy host via Caddy ACME (Let's Encrypt / ZeroSSL), with issuer and expiry visibility + manual SSL/TLS import. Built-in CA for issuing internal client certificates +- **Instance Sync** - Master/slave configuration sync for multi-instance deployments. The master pushes proxy hosts, certificates, access lists, and settings to slaves on every change +- **Settings** - ACME email, Cloudflare DNS-01, upstream DNS pinning defaults, Authentik outpost, Prometheus metrics - **Audit Log** - Searchable configuration change history with user attribution +- **Mobile UI** - Fully responsive interface optimised for iPhone and other narrow viewports --- @@ -84,6 +91,11 @@ Data persists in Docker volumes (caddy-manager-data, caddy-data, caddy-config, c | `OAUTH_TOKEN_URL` | Optional OAuth token endpoint override | Auto-discovered from `OAUTH_ISSUER` | No | | `OAUTH_USERINFO_URL` | Optional OAuth userinfo endpoint override | Auto-discovered from `OAUTH_ISSUER` | No | | `OAUTH_ALLOW_AUTO_LINKING` | Allow auto-linking OAuth identities to existing users | `false` | No | +| `INSTANCE_MODE` | Instance role: `standalone`, `master`, or `slave` | `standalone` | No | +| `INSTANCE_SYNC_TOKEN` | Bearer token slaves use to authenticate sync requests | None | No (required if `slave`) | +| `INSTANCE_SLAVES` | JSON array of slave instances for the master to push to | None | No | +| `INSTANCE_SYNC_INTERVAL` | Periodic sync interval in seconds (`0` = disabled) | `0` | No | +| `INSTANCE_SYNC_ALLOW_HTTP` | Allow sync over HTTP (for internal Docker networks) | `false` | No | **Production Requirements:** - `SESSION_SECRET`: 32+ characters (`openssl rand -base64 32`) @@ -162,6 +174,47 @@ The databases are stored in the `geoip-data` Docker volume and shared between th --- +## WAF (Web Application Firewall) + +The WAF is powered by [Coraza](https://coraza.io/) and integrates the OWASP Core Rule Set. + +Enable globally in **WAF → Settings**, then optionally override per proxy host. Two modes: +- **Block** — requests matching rules are rejected with 403 +- **Detect** — requests are logged but not blocked + +**OWASP CRS** covers SQLi, XSS, LFI, RCE, and more (enabled by default when WAF is on). + +**Rule suppression** — suppress noisy rules globally or per host from the event detail drawer or the Suppressed Rules tab. + +**Custom directives** — any ModSecurity SecLang syntax is accepted, e.g.: +``` +SecRule REQUEST_URI "@beginsWith /api/" "id:9001,phase:1,ctl:ruleEngine=Off,nolog" +``` + +--- + +## Instance Sync + +Run a master instance that pushes configuration to one or more slaves on every change. + +```bash +# Master +INSTANCE_MODE=master +INSTANCE_SLAVES='[{"name":"replica","url":"https://replica.example.com","token":"<32-char-token>"}]' + +# Slave +INSTANCE_MODE=slave +INSTANCE_SYNC_TOKEN=<32-char-token> +``` + +Synced data: proxy hosts, certificates, access lists, and settings. User accounts are **not** synced. + +Use HTTPS slave URLs in production. Set `INSTANCE_SYNC_ALLOW_HTTP=true` only for internal Docker networks. + +See the [Environment Variables Reference](https://github.com/fuomag9/caddy-proxy-manager/wiki/Environment-Variables-Reference) for all `INSTANCE_*` options. + +--- + ## Upstream DNS Pinning You can enable upstream DNS pinning globally (**Settings → Upstream DNS Pinning**) and override per host (**Proxy Host → Upstream DNS Pinning**).