caddy-proxy-manager

akanealw/caddy-proxy-manager

Fork 0

Commit Graph

Author	SHA1	Message	Date
akanealw	99819b70ff	added caddy-proxy-manager for testing Some checks failed Build and Push Docker Images (Trusted) / build-and-push (., docker/caddy/Dockerfile, caddy) (push) Has been cancelled Details Build and Push Docker Images (Trusted) / build-and-push (., docker/l4-port-manager/Dockerfile, l4-port-manager) (push) Has been cancelled Details Build and Push Docker Images (Trusted) / build-and-push (., docker/web/Dockerfile, web) (push) Has been cancelled Details Tests / test (push) Has been cancelled Details	2026-04-21 22:49:08 +00:00
fuomag9	5d0b4837d8	Security hardening: fix SQL injection, WAF bypass, placeholder injection, and more - C1: Replace all ClickHouse string interpolation with parameterized queries (query_params) to eliminate SQL injection in analytics endpoints - C3: Strip Caddy placeholder patterns from redirect rules, protected paths, and Authentik auth endpoint to prevent config injection - C4: Replace WAF custom directive blocklist with allowlist approach — only SecRule/SecAction/SecMarker/SecDefaultAction permitted; block ctl:ruleEngine and Include directives - H2: Validate GCM authentication tag is exactly 16 bytes before decryption - H3: Validate forward auth redirect URIs (scheme, no credentials) to prevent open redirects - H4: Switch 11 analytics/WAF/geoip endpoints from session-only requireAdmin to requireApiAdmin supporting both Bearer token and session auth - H5: Add input validation for instance-mode (whitelist) and sync-token (32-char minimum) in settings API - M1: Add non-root user to l4-port-manager Dockerfile - M5: Document Caddy admin API binding security rationale - Document C2 (custom config injection) and H1 (SSRF via upstreams) as intentional admin features Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 12:13:50 +02:00
fuomag9	0dad675c6d	feat: integrate Coraza WAF with full UI and event logging - Add coraza-caddy/v2 to Caddy Docker build - Add waf_events + waf_log_parse_state DB tables (migration 0010) - Add WafSettings type and get/save functions to settings - Add WafHostConfig/WafMode types to proxy-hosts model - Add resolveEffectiveWaf + buildWafHandler to caddy config generation - Create waf-log-parser.ts: parse Coraza JSON audit log → waf_events - Add WafFields.tsx per-host WAF UI (accordion, mode, CRS, directives) - Add global WAF settings card to SettingsClient - Add WAF Events dashboard page with search, pagination, severity chips - Add WAF Events nav link to sidebar Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-03 22:16:34 +01:00

Author

SHA1

Message

Date

akanealw

99819b70ff

added caddy-proxy-manager for testing

Build and Push Docker Images (Trusted) / build-and-push (., docker/caddy/Dockerfile, caddy) (push) Has been cancelled

Details

Build and Push Docker Images (Trusted) / build-and-push (., docker/l4-port-manager/Dockerfile, l4-port-manager) (push) Has been cancelled

Details

Build and Push Docker Images (Trusted) / build-and-push (., docker/web/Dockerfile, web) (push) Has been cancelled

Details

Tests / test (push) Has been cancelled

Details

2026-04-21 22:49:08 +00:00

fuomag9

5d0b4837d8

Security hardening: fix SQL injection, WAF bypass, placeholder injection, and more

- C1: Replace all ClickHouse string interpolation with parameterized queries
  (query_params) to eliminate SQL injection in analytics endpoints
- C3: Strip Caddy placeholder patterns from redirect rules, protected paths,
  and Authentik auth endpoint to prevent config injection
- C4: Replace WAF custom directive blocklist with allowlist approach — only
  SecRule/SecAction/SecMarker/SecDefaultAction permitted; block ctl:ruleEngine
  and Include directives
- H2: Validate GCM authentication tag is exactly 16 bytes before decryption
- H3: Validate forward auth redirect URIs (scheme, no credentials) to prevent
  open redirects
- H4: Switch 11 analytics/WAF/geoip endpoints from session-only requireAdmin
  to requireApiAdmin supporting both Bearer token and session auth
- H5: Add input validation for instance-mode (whitelist) and sync-token
  (32-char minimum) in settings API
- M1: Add non-root user to l4-port-manager Dockerfile
- M5: Document Caddy admin API binding security rationale
- Document C2 (custom config injection) and H1 (SSRF via upstreams) as
  intentional admin features

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-10 12:13:50 +02:00

fuomag9

0dad675c6d

feat: integrate Coraza WAF with full UI and event logging

- Add coraza-caddy/v2 to Caddy Docker build
- Add waf_events + waf_log_parse_state DB tables (migration 0010)
- Add WafSettings type and get/save functions to settings
- Add WafHostConfig/WafMode types to proxy-hosts model
- Add resolveEffectiveWaf + buildWafHandler to caddy config generation
- Create waf-log-parser.ts: parse Coraza JSON audit log → waf_events
- Add WafFields.tsx per-host WAF UI (accordion, mode, CRS, directives)
- Add global WAF settings card to SettingsClient
- Add WAF Events dashboard page with search, pagination, severity chips
- Add WAF Events nav link to sidebar

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-03 22:16:34 +01:00

3 Commits