I use caddy

Hit an issue where a public reverse proxy caddy config was giving this error:

Error: dial tcp x.x.x.x:xxx: connect: no route to host

That message suggests to me a routing issue, but I could still ping x.x.x.x, so the machine clearly had a route to the host.

The issue was that the firewall on x.x.x.x didn't have port xxx open. A firewall that rejects with an ICMP host-unreachable/host-prohibited message (firewalld's default reject behaviour) shows up on the client as exactly this "no route to host" error, rather than the "connection refused" a closed port would give without a firewall. Ping only proves ICMP gets through; it says nothing about whether a TCP port is reachable.

coraza owasp config

In the caddyfile:


  load_owasp_crs
  directives `
   Include @coraza.conf-recommended
   Include @crs-setup.conf.example
   Include @owasp_crs/*.conf
   SecRuleEngine On
  `
 }

This loads the config and rule files embedded in the coraza-coreruleset Go module that was compiled into the caddy binary, so nothing needs to exist on disk.

Alternatively, grab the files from:

https://github.com/corazawaf/coraza-coreruleset/tree/main/rules

which gets them from:

https://github.com/coreruleset/coreruleset/

and then use the absolute path to the copied files in the Include lines instead of the @ prefix.

overriding rules

Since we're applying the full OWASP set, we need to be able to bypass particular rules per application. Rather than taking a copy of the ruleset and modifying it for each app, or bypassing the WAF entirely for the traffic we want through, disable only the problematic rule with the ctl:ruleRemoveById action. The exclusion rule has to sit before the CRS Includes, because a ctl action only affects rules evaluated after it in the same transaction:


     coraza_waf {
        load_owasp_crs
        directives `
          # Custom rule to allow application/activity+json for incoming activitypub reqs
          SecRule REQUEST_HEADERS:Content-Type "@contains application/activity+json" "id:9204201,phase:1,nolog,ctl:ruleRemoveById=920420"

          Include /home/caddy/coraza/config/coraza.conf-recommended
          Include /home/caddy/coraza/config/crs-setup.conf
          Include /home/caddy/coraza/rules/*.conf

          SecRuleEngine On
        `
    }
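The single rule above is one instance of a more general pattern. The following is an added example, not the page's own config: it shows the three exclusion mechanisms a practitioner normally reaches for (runtime removal of a whole rule for one path, runtime removal of a single target from a rule, and static removal of a rule for the whole site) and where each must sit relative to the CRS Includes. The host name, paths, backend address and the local rule ids 1001/1002 are hypothetical; the CRS ids are real rules from the set.

```caddyfile
# Added example (not the page's config). app.example.com, /inbox, /login,
# 127.0.0.1:8080 and rule ids 1001/1002 are hypothetical.
app.example.com {
    coraza_waf {
        load_owasp_crs
        directives `
            # 1. Runtime exclusions. These MUST come before the CRS Includes:
            #    a ctl: action only affects rules evaluated later in the same
            #    transaction. Use ids from the 1-99,999 range CRS reserves
            #    for local rules.

            # ActivityPub inbox: skip the Content-Type policy rule (920420)
            # for this path only.
            SecRule REQUEST_URI "@beginsWith /inbox" "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=920420"

            # Login form: keep libinjection SQLi detection (942100) but stop
            # it inspecting the password field, which legitimately contains
            # quotes and operators.
            SecRule REQUEST_URI "@beginsWith /login" "id:1002,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:password"

            Include @coraza.conf-recommended
            Include @crs-setup.conf.example
            Include @owasp_crs/*.conf

            # 2. Static removal. SecRuleRemoveById deletes an already-loaded
            #    rule, so it must come AFTER the Includes, and it applies to
            #    every request on this site, not just one path. 920350 is
            #    "Host header is a numeric IP address", a common nuisance
            #    when a homelab service is reached by IP.
            SecRuleRemoveById 920350

            SecRuleEngine On
        `
    }
    reverse_proxy 127.0.0.1:8080
}
```

Prefer the path-scoped ctl rules over SecRuleRemoveById wherever you can: a rule removed statically is gone for the whole site, while a ctl exclusion only relaxes the WAF for the requests that actually need it, and ruleRemoveTargetById is narrower still because the rule keeps firing on every other parameter.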

"invalid log part", error vs audit log

I hit some very irritating error messages in the logs from Coraza: AuditLogParts","value":"+E","error":"audit log parts is required to start with A"}. I couldn't work out why this was, and Googling brought back very little.

I tried manually specifying secauditlogformat to allow all the parts in the audit log, but this still didn't solve it.

The fix was to make sure I was using the latest ruleset. I was using an old 4.0.0 beta tag. Updating to the latest ruleset, 4.14.0, fixed it.

Although I didn't fully get to the bottom of it, I'm pretty certain the cause was that some of the beta rules were still setting audit log parts (the "+E" in the error is a relative parts modifier, which Coraza rejects because it expects the list to start with A).

This page was helpful in understanding:

https://deepwiki.com/corazawaf/coraza/5-logging-and-audit

The tldr is that there's 2 kinds of logs:

  • error logs: capture info about rule matches and violations.
  • audit logs: records detailed transaction data for forensic analysis or compliance

Audit logs are more than I require for my homelab. The OWASP ruleset has itself moved away from touching the audit log from within rules, but a few bits were left in the beta ruleset I was using.
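As an added example (not the page's config, and not from the Coraza or CRS projects), here is how the two log kinds are set up in Coraza: the error log needs nothing beyond SecRuleEngine, while the audit log is driven by the SecAudit* directives, with the parts list written in the absolute form Coraza accepts rather than the relative "+E" form behind the error above. The log file path is hypothetical, and the directives are placed after the Includes so they override whatever coraza.conf-recommended set.

```caddyfile
# Added example (not the page's config). /var/log/caddy/coraza-audit.log is
# a hypothetical path; it must be writable by the user caddy runs as.
coraza_waf {
    load_owasp_crs
    directives `
        Include @coraza.conf-recommended
        Include @crs-setup.conf.example
        Include @owasp_crs/*.conf

        # Error log: one line per rule match, emitted into caddy's own log.
        # On = matches also block; DetectionOnly = matches are only logged.
        SecRuleEngine On

        # Audit log: whole transactions for forensics. RelevantOnly records
        # only transactions that were blocked or whose status matches the
        # regex below (5xx and 4xx except 404).
        SecAuditEngine RelevantOnly
        SecAuditLogRelevantStatus "^(?:5|4(?!04))"

        # The parts list is ABSOLUTE: it starts with A and ends with Z, as in
        # ModSecurity. A relative modifier such as "+E" (intermediary response
        # body) is rejected with "audit log parts is required to start with A".
        # ABCFHZ = header, request headers, request body, response headers,
        # audit trailer, end marker.
        SecAuditLogParts ABCFHZ
        SecAuditLogType Serial
        SecAuditLogFormat json
        SecAuditLog /var/log/caddy/coraza-audit.log

        # Homelab alternative: keep the error log and switch audit logging
        # off entirely instead of the block above.
        # SecAuditEngine Off
    `
}
```

Leaving out the body parts (C, E, I) keeps the audit file small and avoids persisting credentials or personal data that pass through the proxy; add them only while actively investigating a false positive.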