This is an automated archive made by the Lemmit Bot.
The original was posted on /r/selfhosted by /u/fab_space on 2025-01-03 08:23:31+00:00.
After a week hands on an automated solution to obtain fresh OWASP rules for webservers I ended up by publishing a new project specifically dedicated to the Caddy http server since others are now covered.
How to waste more time? Caddy WAF is waiting for u 🤣
caddy-waf
A simple Web Application Firewall (WAF) middleware for the Caddy server, designed to provide comprehensive protection against web attacks. This middleware integrates seamlessly with Caddy and offers a wide range of security features to safeguard your applications.
Key Features
- Rule-based request filtering with regex patterns.
- IP and DNS blacklisting to block malicious traffic.
- Country-based blocking using MaxMind GeoIP2.
- Rate limiting per IP address to prevent abuse.
- Anomaly scoring system for detecting suspicious behavior.
- Request inspection (URL, args, body, headers, cookies, user-agent).
- Protection against common attacks (SQL injection, XSS, RCE, Log4j, etc.).
- Detailed logging and monitoring for security analysis.
- Dynamic rule reloading without server restart.
- Severity-based actions (block, log) for fine-grained control.
Notes
- A script to easily convert all OWASP rules to the rules.json file used by caddy is included in the repo.
- I added bad bots regex as last rule in the rules.json file to block garbage clients, you can review that user agents list to fit to your use case.
- A simple security assessment script is included to evaluate loaded rules.
- DNS and IP blacklists retrieval can be easily automated, I will release the related scripts today.
Enjoy and contribute ☕️