From e9f61481eb8b0f367fbe8ab6c976c89894a3b64a Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Wed, 4 Mar 2026 02:19:21 +0100
Subject: [PATCH] fix: include OWASP CRS files via @-prefixed embedded FS paths

load_owasp_crs: true only merges the embedded coraza-coreruleset filesystem - it does NOT auto-include rule files. The correct way to load CRS rules is to explicitly Include them using the @ prefix which references the embedded FS:

Include @coraza.conf-recommended
Include @crs-setup.conf.example
Include @owasp_crs/*.conf

Without these includes, SecRuleEngine On had no rules to apply and all requests passed through unblocked (rulesets: null in audit log).

Co-Authored-By: Claude Sonnet 4.6
---
 src/lib/caddy.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index 224b7b42..38c6afaf 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -828,10 +828,15 @@ function resolveEffectiveWaf(
 function buildWafHandler(waf: WafSettings): Record {
 // directives is a single string (Go struct type is string, not []string).
- // load_owasp_crs: true makes the module load the embedded OWASP CRS automatically —
- // no Include directives are needed for CRS itself (the Caddyfile adapter confirms this:
- // `load_owasp_crs` with no directives is sufficient to load all rules).
+ // load_owasp_crs: true merges the embedded CRS filesystem so that @-prefixed paths resolve.
+ // We then explicitly Include the CRS files in the correct order via SecLang directives.
+ // The @ prefix references files from the embedded coraza-coreruleset filesystem.
 const parts = [
+ 'Include @coraza.conf-recommended',
+ ...(waf.load_owasp_crs ? [
+ 'Include @crs-setup.conf.example',
+ 'Include @owasp_crs/*.conf',
+ ] : []),
 `SecRuleEngine ${waf.mode}`,
 'SecAuditEngine On',
 'SecAuditLog /logs/waf-audit.log',