26fcf8ca90
When allowWebsocket=true and WAF is enabled, the WAF handler sits first in the handler chain and processes the initial HTTP upgrade request (GET + Upgrade: websocket). If any rule matches, Coraza can block the handshake before SecAuditEngine captures it — producing no log entry and an unexplained connection failure from the client's perspective.

Fix: when allowWebsocket=true, prepend a phase:1 SecLang rule that matches Upgrade: websocket (case-insensitive) and turns the rule engine off for that transaction via ctl:ruleEngine=off. After the 101 Switching Protocols response the connection becomes a raw WebSocket tunnel that the WAF cannot inspect anyway, so this bypass has no impact on normal HTTP traffic through the same host. The rule is inserted before OWASP CRS includes so it always fires first regardless of which ruleset is loaded.

Add 9 unit tests in caddy-waf.test.ts covering: bypass present/absent, phase:1 placement, case-insensitive regex, nolog/noauditlog flags, ordering before CRS, and compatibility with custom directives.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
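The following is an added illustration, not code from this commit or from the caddy-waf project. It shows what the described fix looks like in practice: a directive builder that places the phase:1 WebSocket bypass rule ahead of the CRS includes only when allowWebsocket is true, plus a small helper that evaluates the rule's header condition the way a phase:1 check would see the upgrade request. The rule id, the `buildDirectives`/`handshakeBypassed` names, the position of custom directives between the bypass rule and the CRS includes, and the `Include @crs-setup.conf.recommended` / `Include @owasp_crs/*.conf` lines are assumptions for this example.

```typescript
// Added example (not caddy-waf's own code). Demonstrates the WebSocket
// handshake bypass described in the commit message: a phase:1 SecLang rule
// that matches "Upgrade: websocket" case-insensitively, disables the rule
// engine for that transaction, and is emitted before the OWASP CRS includes.

// Constructed placeholder rule id; the commit does not state one.
const WS_BYPASS_RULE_ID = 900001;

// Mirrors the "@rx (?i)^websocket$" operator in the SecLang rule below.
const WS_UPGRADE_RE = /^websocket$/i;

// The bypass rule itself. nolog/noauditlog keep the handshake out of the
// audit log; ctl:ruleEngine=off stops every later rule for this transaction.
function websocketBypassRule(): string {
  return (
    `SecRule REQUEST_HEADERS:Upgrade "@rx (?i)^websocket$" ` +
    `"id:${WS_BYPASS_RULE_ID},phase:1,pass,nolog,noauditlog,ctl:ruleEngine=off"`
  );
}

interface DirectiveOptions {
  allowWebsocket: boolean;
  customDirectives?: string[]; // assumed: user-supplied SecLang lines
}

// Builds the Coraza directive block. Ordering is the point: the bypass rule
// comes first so it fires regardless of which ruleset follows it.
function buildDirectives(opts: DirectiveOptions): string {
  const lines: string[] = ["SecRuleEngine On"];
  if (opts.allowWebsocket) {
    lines.push(websocketBypassRule());
  }
  lines.push(...(opts.customDirectives ?? []));
  // Assumed include names for coraza-caddy's bundled CRS.
  lines.push("Include @crs-setup.conf.recommended");
  lines.push("Include @owasp_crs/*.conf");
  return lines.join("\n");
}

// Simulates only the header test of the bypass rule: header names are
// matched case-insensitively (as HTTP requires) and the value is trimmed.
function handshakeBypassed(
  headers: Record<string, string>,
  allowWebsocket: boolean,
): boolean {
  if (!allowWebsocket) return false;
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "upgrade",
  );
  if (!entry) return false;
  return WS_UPGRADE_RE.test(entry[1].trim());
}

// Returns true when the bypass rule appears before the first CRS include,
// which is the ordering guarantee the commit describes.
function bypassPrecedesCrs(directives: string): boolean {
  const bypassAt = directives.indexOf("ctl:ruleEngine=off");
  const crsAt = directives.indexOf("Include @owasp_crs");
  return bypassAt !== -1 && crsAt !== -1 && bypassAt < crsAt;
}

// Constructed sample handshake, as a client would send it.
const sampleUpgradeRequest: Record<string, string> = {
  Host: "example.invalid",
  Connection: "Upgrade",
  Upgrade: "WebSocket",
  "Sec-WebSocket-Version": "13",
};

console.log(buildDirectives({ allowWebsocket: true }));
console.log("bypassed:", handshakeBypassed(sampleUpgradeRequest, true));
```

A useful check when wiring this into real configuration is the one `bypassPrecedesCrs` performs: if a later refactor moves custom directives or includes ahead of the bypass rule, a CRS rule can again block the handshake silently, which is exactly the failure the commit fixes.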