fix WAF detection mode and payload logging
- DetectionOnly mode: add SecAction to set anomaly score thresholds to 9999999 so rule 949110/980130 never fires; works around coraza-caddy bug where is_interrupted=true still causes a 403 in detection mode
- Switch SecAuditEngine back to On (from RelevantOnly) so DetectionOnly hits are captured, now safe because body parts are excluded
- SecAuditLogParts: ABIJDEFHZ → ABFHZ, dropping request body (I), multipart files (J), intermediate response headers (D), and response body (E) — prevents multi-MB payloads being written to audit log
- Parser: store both blocked and detected events; filter on rule matched OR is_interrupted instead of is_interrupted only
- Add blocked column to waf_events (migration 0014); existing rows default to blocked=true
- WAF Events UI: Blocked/Detected chip in table and drawer header
- Fix misleading help text that said to use Detection Only to observe traffic before blocking

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
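The parser change described in the commit message ("filter on rule matched OR is_interrupted instead of is_interrupted only") is easy to get wrong once `SecAuditEngine On` makes every transaction appear in the audit log, including clean ones. The following is an added example, not the project's own parser: it applies both the old and the new filter to constructed Coraza JSON audit-log records so the difference is visible. The record shape is assumed from Coraza's JSON audit log (`transaction.is_interrupted`, a `messages[]` array whose entries carry `data.id`); the field names, sample URIs and rule ids in the sample records are constructed for the example.

```typescript
// Added example: classify Coraza JSON audit-log records into blocked / detected
// WAF events. Not the project's parser. Record shape is assumed from Coraza's
// JSON audit log (transaction.is_interrupted, messages[].data.id); all sample
// records below are constructed.

interface AuditRecord {
  transaction: {
    id: string;
    client_ip?: string;
    is_interrupted?: boolean;           // true when coraza denied the request
    request?: { method?: string; uri?: string };
    response?: { status?: number };
  };
  messages?: Array<{ data?: { id?: number; msg?: string; severity?: number } }>;
}

interface WafEvent {
  txId: string;
  uri: string;
  status: number;
  blocked: boolean;                     // mirrors the new waf_events.blocked column
  ruleIds: number[];
}

function parseAuditLine(line: string): AuditRecord | null {
  try {
    const rec = JSON.parse(line) as AuditRecord;
    return rec && typeof rec.transaction?.id === 'string' ? rec : null;
  } catch {
    return null;                        // truncated or non-JSON line: skip, don't crash
  }
}

// Old behaviour: only interrupted (denied) transactions become events.
// In DetectionOnly mode nothing is interrupted, so nothing is ever stored.
function keepInterruptedOnly(rec: AuditRecord): boolean {
  return rec.transaction.is_interrupted === true;
}

// New behaviour: any rule match OR an interruption is an event. With
// SecAuditEngine On every transaction is logged, so clean traffic (no
// messages, not interrupted) must be dropped here rather than by the engine.
function keepMatchedOrInterrupted(rec: AuditRecord): boolean {
  const matched = (rec.messages ?? []).some(m => typeof m.data?.id === 'number');
  return matched || rec.transaction.is_interrupted === true;
}

function toEvent(rec: AuditRecord): WafEvent {
  return {
    txId: rec.transaction.id,
    uri: rec.transaction.request?.uri ?? '',
    status: rec.transaction.response?.status ?? 0,
    blocked: rec.transaction.is_interrupted === true,
    ruleIds: (rec.messages ?? [])
      .map(m => m.data?.id)
      .filter((id): id is number => typeof id === 'number'),
  };
}

function parseAuditLog(text: string, keep = keepMatchedOrInterrupted): WafEvent[] {
  return text
    .split('\n')
    .map(l => l.trim())
    .filter(l => l.length > 0)
    .map(parseAuditLine)
    .filter((r): r is AuditRecord => r !== null)
    .filter(keep)
    .map(toEvent);
}

// Constructed sample log: one clean request, one detected-but-allowed request
// (DetectionOnly, or score below threshold), one blocked request.
const SAMPLE_AUDIT_LOG: string = [
  { transaction: { id: 'tx-clean', is_interrupted: false,
      request: { method: 'GET', uri: '/' }, response: { status: 200 } } },
  { transaction: { id: 'tx-detected', is_interrupted: false,
      request: { method: 'GET', uri: '/search?q=%3Cscript%3E' }, response: { status: 200 } },
    messages: [{ data: { id: 941100, msg: 'XSS Attack Detected via libinjection', severity: 2 } }] },
  { transaction: { id: 'tx-blocked', is_interrupted: true,
      request: { method: 'GET', uri: '/item?id=1%20OR%201%3D1' }, response: { status: 403 } },
    messages: [{ data: { id: 942100, msg: 'SQL Injection Attack Detected via libinjection', severity: 2 } },
               { data: { id: 949110, msg: 'Inbound Anomaly Score Exceeded', severity: 2 } }] },
  'not json at all',
].map(o => (typeof o === 'string' ? o : JSON.stringify(o))).join('\n');
```

Run against the sample, the new filter yields two events (`tx-detected` with `blocked: false`, `tx-blocked` with `blocked: true`) and drops the clean transaction and the malformed line; the old filter yields only `tx-blocked`, which is why detection-mode hits never reached the WAF Events table before this change.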
@@ -845,10 +845,21 @@ function buildWafHandler(waf: WafSettings): Record<string, unknown> {
|
||||
] : []),
|
||||
...(waf.excluded_rule_ids?.length ? [`SecRuleRemoveById ${waf.excluded_rule_ids.join(' ')}`] : []),
|
||||
`SecRuleEngine ${waf.mode}`,
|
||||
// In DetectionOnly mode, coraza-caddy has a bug where it still blocks requests if the anomaly
|
||||
// score exceeds the threshold (is_interrupted becomes true). Work around this by setting the
|
||||
// inbound/outbound anomaly score thresholds to an unreachable value so rule 949110/980130
|
||||
// never fires and no request is ever interrupted in DetectionOnly mode.
|
||||
...(waf.mode === 'DetectionOnly' ? [
|
||||
'SecAction "id:9998001,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=9999999,setvar:tx.outbound_anomaly_score_threshold=9999999"',
|
||||
] : []),
|
||||
// Log all transactions so DetectionOnly hits are captured and shown in WAF Events.
|
||||
// Body parts are excluded (see SecAuditLogParts below) so large uploads don't bloat the log.
|
||||
'SecAuditEngine On',
|
||||
'SecAuditLog /logs/waf-audit.log',
|
||||
'SecAuditLogFormat JSON',
|
||||
'SecAuditLogParts ABIJDEFHZ',
|
||||
// Omit request/response bodies (parts I, J, E) and intermediate response headers (D)
|
||||
// to prevent logging multi-MB payloads. Headers (B, F) and rule match trailer (H) are kept.
|
||||
'SecAuditLogParts ABFHZ',
|
||||
'SecResponseBodyAccess Off',
|
||||
];
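Review bot: `SecAuditEngine On` is emitted unconditionally, while the comment above it and the new `SecAction` both scope the rationale to `waf.mode === 'DetectionOnly'`; in blocking mode this now writes an audit record for every clean transaction to `/logs/waf-audit.log`, and nothing in the hunk bounds that file. Either gate it the same way the threshold override is gated (`'SecAuditEngine On'` for DetectionOnly, `'SecAuditEngine RelevantOnly'` otherwise) or document the rotation that makes the unconditional `On` acceptable. Two smaller points on the same hunk. The rule ids in the DetectionOnly comment are imprecise: in CRS, 980130 is the phase-5 correlation/reporting rule ("Inbound Anomaly Score Exceeded"), and the outbound blocking evaluation is 959100; since 980130 compares the total score against the same `tx.inbound_anomaly_score_threshold` being set to 9999999, detection-mode audit records will carry the individual matches in `messages` but never a total-score summary entry, so the consumer has to key off rule matches rather than that entry (consistent with the "rule matched OR is_interrupted" filter in the commit message, worth stating in the comment). And both `SecAuditLogParts ABIJDEFHZ` and `SecAuditLogParts ABFHZ` appear in this hunk; confirm the first is the removed line, because if both survive the later directive silently wins and the bodies are dropped as intended, but if only the first survives the multi-MB payload problem the commit message describes is still present.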