Add full caddy installation (Coraza WAF + Crowdsec)

- Remove security issue when exposing ports in a docker container: Use intranet instead - Modify install_caddy to use new template
2026-02-14 05:06:18 +00:00 · 2025-01-26 01:35:59 -03:00
parent f352126e56
commit 3d9bdc04b2
9 changed files with 149 additions and 10 deletions
--- a/templates/caddy/full/.env
+++ b/templates/caddy/full/.env
@@ -0,0 +1 @@
+CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
--- a/templates/caddy/full/caddy/Caddyfile
+++ b/templates/caddy/full/caddy/Caddyfile
@@ -0,0 +1,39 @@
+{
+  # Put Coraza in front of every request
+  order coraza_waf first
+  
+  # Logging
+  log {
+    level DEBUG
+    format console
+  }
+
+  # Allow CrowdSec globally
+  crowdsec {
+    api_url http://crowdsec:8080
+    api_key {$CROWDSEC_API_KEY}
+  }
+
+}
+
+# Example static
+static.example.com {
+  coraza_waf {
+    directives `
+      Include /etc/caddy/coraza.conf
+    `
+  }
+      
+  root * /src/static/test
+  file_server
+}
+
+api.example.com {
+  coraza_waf {
+    directives `
+      Include /etc/caddy/coraza.conf
+    `
+  }
+
+  reverse_proxy * http://{CONTAINER_NAME}:{CONTAINER_PORT}
+}
--- a/templates/caddy/full/caddy/coraza/coraza_rules.conf
+++ b/templates/caddy/full/caddy/coraza/coraza_rules.conf
@@ -0,0 +1,15 @@
+# OWASP CRS rules
+Include /etc/caddy/coreruleset/crs-setup.conf.example
+Include /etc/caddy/coreruleset/rules/*.conf
+
+# Custom rules
+SecRuleEngine On
+
+# Block SQLi
+SecRule ARGS "@detectSQLi" \
+  "id:1000,\
+  phase:2,\
+  deny,\
+  status:403,\
+  msg:'SQL Injection Detected'"
+
--- a/templates/caddy/full/crowdsec/acquis.yaml
+++ b/templates/caddy/full/crowdsec/acquis.yaml
@@ -0,0 +1,6 @@
+# Parse Caddy JSON logs
+filenames:
+  - /var/log/caddy/access.log
+labels:
+  type: caddy
+
--- a/templates/caddy/full/docker-compose.yml
+++ b/templates/caddy/full/docker-compose.yml
@@ -0,0 +1,43 @@
+services:
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest
+    container_name: crowdsec
+    volumes:
+      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
+      - ./crowdsec/data:/var/lib/crowdsec/data
+      - ./caddy/logs:/var/log/caddy:ro
+    environment:
+      - COLLECTIONS=crowdsecurity/caddy crowdsecurity/whitelist-good-actors crowdsecurity/http-cve
+      - BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY}
+    networks:
+      - caddy_net
+    restart: unless-stopped
+
+  caddy:
+    image: ghcr.io/elagala/server-initializer/caddy-waf-crowdsec:latest 
+    container_name: caddy
+    ports:
+      - "80:80"
+      - "443:443"
+    environment:
+      - CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
+    volumes:
+      - ../static:/src/static # Your static files location
+      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
+      - ./caddy/coraza/coraza.conf:/etc/caddy/coraza.conf
+      - ./caddy/logs:/var/log/caddy
+      - caddy_data:/data
+      - caddy_config:/config
+    networks:
+      - caddy_net
+    depends_on:
+      - crowdsec
+    restart: unless-stopped
+
+volumes:
+  caddy_data:
+  caddy_config:
+
+networks:
+  caddy_net:
+    external: true