chore: refactor caddy folder structure

templates/caddy/full/caddy/Caddyfile

@@ -7,7 +7,7 @@
 
   # Logging
   log {
-    level DEBUG
+    level INFO
     format console
   }
 
@@ -19,40 +19,5 @@
 
 }
 
-# Example: Static file server
-# static.example.com {
-#   root * /srv/static/test
-#   file_server
-# }
-
-# Example: Reverse Proxy for service running in docker container (must be under caddy_net)
-# api.example.com {
-#   coraza_waf {
-#     directives `
-#       Include /etc/caddy/coraza.conf
-#     `
-#   }
-#
-#   reverse_proxy * http://{CONTAINER_NAME}:{CONTAINER_PORT}
-# }
-
-# Example: Bypassing WAF for given API path
-# NEEDED FOR PROMETHEUS
-# api.example2.com {
-#   basic_auth {
-#     agala {$PROMETHEUS_PASSWORD}
-#   }
-#
-#   @waf {
-#     not path /api/v1/*
-#   }
-#
-#   handle @waf {
-#     coraza_waf {
-#       directives `
-#       Include /etc/caddy/coraza.conf
-#       `
-#     }
-#   }
-#   reverse_proxy * http://prometheus:9090
-# }
+# Import all site configurations from sites-enabled directory
+import /etc/caddy/sites-enabled/*.Caddyfile

templates/caddy/full/caddy/coraza/coraza.conf

@@ -6,7 +6,7 @@
 # only to start with, because that minimises the chances of post-installation
 # disruption.
 #
-SecRuleEngine DetectionOnly
+SecRuleEngine On
 
 
 # -- Request body handling ---------------------------------------------------

templates/caddy/full/caddy/sites-enabled/examples.Caddyfile

@@ -0,0 +1,19 @@
+# Example configurations for different use cases
+# Remove this file and create your own site-specific Caddyfiles
+
+# Example: Static file server
+# static.example.com {
+#   root * /srv/static/YOUR_APP_FOLDER
+#   file_server
+# }
+
+# Example: Reverse Proxy for service running in docker container (must be under caddy_net)
+# api.example.com {
+#   coraza_waf {
+#     directives `
+#       Include /etc/caddy/coraza.conf
+#     `
+#   }
+#
+#   reverse_proxy * http://{CONTAINER_NAME}:{CONTAINER_PORT}
+# }

templates/caddy/full/caddy/sites-enabled/prometheus.Caddyfile

@@ -0,0 +1,20 @@
+# Prometheus monitoring endpoint
+# Bypasses WAF for API endpoints since Prometheus scraping doesn't need WAF protection
+prometheus.example.com {
+  basic_auth {
+    agala {$PROMETHEUS_PASSWORD}
+  }
+
+  @waf {
+    not path /api/v1/*
+  }
+
+  handle @waf {
+    coraza_waf {
+      directives `
+      Include /etc/caddy/coraza.conf
+      `
+    }
+  }
+  reverse_proxy * http://prometheus:9090
+}

templates/caddy/full/docker-compose.yml

@@ -25,6 +25,7 @@ services:
     volumes:
       - ../../deploy/static:/srv/static # Your static files location
       - ./caddy/Caddyfile:/etc/caddy/Caddyfile
+      - ./caddy/sites-enabled:/etc/caddy/sites-enabled
       - ./caddy/coraza/coraza.conf:/etc/caddy/coraza.conf
       - ./caddy/logs:/var/log/caddy
       - caddy_data:/data