fix WAF detection mode and payload logging
- DetectionOnly mode: add SecAction to set anomaly score thresholds to 9999999 so rule 949110/980130 never fires; works around coraza-caddy bug where is_interrupted=true still causes a 403 in detection mode
- Switch SecAuditEngine back to On (from RelevantOnly) so DetectionOnly hits are captured, now safe because body parts are excluded
- SecAuditLogParts: ABIJDEFHZ → ABFHZ, dropping request body (I), multipart files (J), intermediate response headers (D), and response body (E) — prevents multi-MB payloads being written to audit log
- Parser: store both blocked and detected events; filter on rule matched OR is_interrupted instead of is_interrupted only
- Add blocked column to waf_events (migration 0014); existing rows default to blocked=true
- WAF Events UI: Blocked/Detected chip in table and drawer header
- Fix misleading help text that said to use Detection Only to observe traffic before blocking

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -261,6 +261,7 @@ export const wafEvents = sqliteTable(
ruleMessage: text('rule_message'),
severity: text('severity'),
rawData: text('raw_data'),
blocked: integer('blocked', { mode: 'boolean' }).notNull().default(true),
},
(table) => ({
tsIdx: index('idx_waf_events_ts').on(table.ts),
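Review bot: the `.notNull().default(true)` on the new `blocked` column (the added line in this hunk) means any insert path that omits the field records the event as blocked, so a DetectionOnly hit written without an explicit value would show as "Blocked" in the WAF Events UI and overstate what the WAF actually enforced. If the default exists only so migration 0014 can backfill existing rows, as the commit message says, consider having the parser always pass `blocked` explicitly from `is_interrupted` and covering the detection-only insert path with a test. If the UI or queries filter on this flag, an index next to `idx_waf_events_ts` may also be worth adding.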