README
¶
caddy-modsecurity 
caddy-modsecurity integrates ModSecurity with Caddy to provide a robust Web Application Firewall (WAF). Protect your web applications against SQL injection, XSS, and other OWASP Top 10 vulnerabilities while leveraging Caddy’s simplicity and performance.
Features
- Full ModSecurity v3 integration with Caddy v2
- Blocking (
403) or logging mode for requests - Easy configuration with Caddyfile or JSON
- Detailed logging for security auditing
Prerequisites
- Caddy v2.x
- ModSecurity v3
- Linux or BSD-based system recommended
Installation
git clone https://github.com/kitche/caddy-modsecurity.git
cd caddy-modsecurity
export CGO_ENABLED=1
xcaddy build --with github.com/kitche/caddy-modsecurity=/path/to/checkout
Configuration
Example Caddyfile
example.com {
route {
modsecurity {
rules_file /etc/caddy/modsecurity.conf
mode blocking
}
reverse_proxy localhost:8080
}
}
Troubleshooting
Caddy fails to start with modsecurity block: Check your rules syntax in modsecurity.conf.
Requests not being blocked: Ensure SecRuleEngine On and mode blocking are set.
Logs not generated: Confirm the log path exists and Caddy has write permissions.
Contributing
We welcome contributions!
Fork the repository
Create a branch: git checkout -b feature-name
Commit your changes: git commit -m "Add feature"
Push to your branch: git push origin feature-name
Open a Pull Request
Documentation
¶
Index ¶
- func GetVersion(w *WAF) string
- type Intervention
- type ModSecurity
- func (ModSecurity) CaddyModule() caddy.ModuleInfo
- func (m *ModSecurity) Provision(ctx caddy.Context) error
- func (m ModSecurity) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error
- func (m *ModSecurity) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
- func (m *ModSecurity) Validate() error
- type Transaction
- func (t *Transaction) Cleanup()
- func (t *Transaction) GetIntervention() (*Intervention, error)
- func (t *Transaction) ProcessConnection(clientIP string, clientPort int, serverIP string, serverPort int)
- func (t *Transaction) ProcessRequestBody(body io.Reader) error
- func (t *Transaction) ProcessRequestHeaders(headers http.Header)
- func (t *Transaction) ProcessURI(uri string, method string, httpVersion string)
- type WAF
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Intervention ¶
Intervention represents ModSecurity's decision on a transaction
type ModSecurity ¶
type ModSecurity struct {
// Configuration fields
Enabled bool `json:"enabled,omitempty"`
RulesPath string `json:"rules_path,omitempty"`
ConfigPath string `json:"config_path,omitempty"`
AuditLog string `json:"audit_log,omitempty"`
BlockMode bool `json:"block_mode,omitempty"` // false = detection only
// contains filtered or unexported fields
}
ModSecurity implements an HTTP handler that integrates ModSecurity WAF
func (ModSecurity) CaddyModule ¶
func (ModSecurity) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information
func (*ModSecurity) Provision ¶
func (m *ModSecurity) Provision(ctx caddy.Context) error
Provision sets up the ModSecurity module
func (ModSecurity) ServeHTTP ¶
func (m ModSecurity) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error
ServeHTTP implements the HTTP handler
func (*ModSecurity) UnmarshalCaddyfile ¶
func (m *ModSecurity) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
UnmarshalCaddyfile sets up the handler from Caddyfile configuration
func (*ModSecurity) Validate ¶
func (m *ModSecurity) Validate() error
Validate ensures the module configuration is valid
type Transaction ¶
type Transaction struct {
// contains filtered or unexported fields
}
Transaction represents a single HTTP request/response transaction
func (*Transaction) Cleanup ¶
func (t *Transaction) Cleanup()
Cleanup frees the transaction resources
func (*Transaction) GetIntervention ¶
func (t *Transaction) GetIntervention() (*Intervention, error)
GetIntervention checks if ModSecurity requires intervention
func (*Transaction) ProcessConnection ¶
func (t *Transaction) ProcessConnection(clientIP string, clientPort int, serverIP string, serverPort int)
ProcessConnection processes the connection phase
func (*Transaction) ProcessRequestBody ¶
func (t *Transaction) ProcessRequestBody(body io.Reader) error
ProcessRequestBody processes the request body
func (*Transaction) ProcessRequestHeaders ¶
func (t *Transaction) ProcessRequestHeaders(headers http.Header)
ProcessRequestHeaders processes request headers
func (*Transaction) ProcessURI ¶
func (t *Transaction) ProcessURI(uri string, method string, httpVersion string)
ProcessURI processes the request URI
type WAF ¶
type WAF struct {
// contains filtered or unexported fields
}
WAF represents a ModSecurity WAF instance
func (*WAF) LoadConfig ¶
LoadConfig loads the main ModSecurity configuration file
func (*WAF) NewTransaction ¶
func (w *WAF) NewTransaction(uniqueID string) *Transaction
NewTransaction creates a new transaction for inspecting a request
Source Files