akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

fix WAF detection mode and payload logging

Browse Source 
- DetectionOnly mode: add SecAction to set anomaly score thresholds to
  9999999 so rule 949110/980130 never fires; works around coraza-caddy
  bug where is_interrupted=true still causes a 403 in detection mode
- Switch SecAuditEngine back to On (from RelevantOnly) so DetectionOnly
  hits are captured, now safe because body parts are excluded
- SecAuditLogParts: ABIJDEFHZ → ABFHZ, dropping request body (I),
  multipart files (J), intermediate response headers (D), and response
  body (E) — prevents multi-MB payloads being written to audit log
- Parser: store both blocked and detected events; filter on rule matched
  OR is_interrupted instead of is_interrupted only
- Add blocked column to waf_events (migration 0014); existing rows
  default to blocked=true
- WAF Events UI: Blocked/Detected chip in table and drawer header
- Fix misleading help text that said to use Detection Only to observe
  traffic before blocking

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-03-06 15:32:56 +01:00
parent 044f012dd0
commit e06b41b604
7 changed files with 39 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
drizzle/0014_waf_blocked.sql Normal file
View File

@@ -0,0 +1,3 @@
-- Add blocked column to waf_events.
-- Existing rows are backfilled as blocked=1 (they were all captured via is_interrupted=true).
ALTER TABLE `waf_events` ADD COLUMN `blocked` integer NOT NULL DEFAULT 1;