akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
eee4c7b718592c09262bd7a2b5f95464738c9a50
caddy-proxy-manager/drizzle/0014_waf_blocked.sql
fuomag9 e06b41b604 fix WAF detection mode and payload logging 
- DetectionOnly mode: add SecAction to set anomaly score thresholds to
  9999999 so rule 949110/980130 never fires; works around coraza-caddy
  bug where is_interrupted=true still causes a 403 in detection mode
- Switch SecAuditEngine back to On (from RelevantOnly) so DetectionOnly
  hits are captured, now safe because body parts are excluded
- SecAuditLogParts: ABIJDEFHZ → ABFHZ, dropping request body (I),
  multipart files (J), intermediate response headers (D), and response
  body (E) — prevents multi-MB payloads being written to audit log
- Parser: store both blocked and detected events; filter on rule matched
  OR is_interrupted instead of is_interrupted only
- Add blocked column to waf_events (migration 0014); existing rows
  default to blocked=true
- WAF Events UI: Blocked/Detected chip in table and drawer header
- Fix misleading help text that said to use Detection Only to observe
  traffic before blocking

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-06 15:32:56 +01:00

4 lines
206 B
SQL
Raw Blame History

-- Add blocked column to waf_events.
-- Existing rows are backfilled as blocked=1 (they were all captured via is_interrupted=true).
ALTER TABLE `waf_events` ADD COLUMN `blocked` integer NOT NULL DEFAULT 1;
Reference in New Issue View Git Blame Copy Permalink