corazawaf/coraza-caddy

Unsure if load_owasp_crs is required for using the OWASP core rule set

BurningDog opened this issue · 7 comments

I'm trying to use Coraza and the OWASP ruleset with Caddy 2.6.4 (this version of Caddy as it's the latest stable, and I'm using API Platform and its Caddyfile).

I need to use the following lines to build caddy:

RUN xcaddy build \
	--with github.com/corazawaf/coraza-caddy \
	--with github.com/corazawaf/coraza-coreruleset

...otherwise the conf files mentioned in the README don't exist anywhere: @coraza.conf-recommended, @crs-setup.conf.example, @owasp_crs/*.conf. I manually copy those files to the correct locations:

cp /go/pkg/mod/github.com/corazawaf/coraza-coreruleset*/rules/@coraza.conf-recommended /etc/caddy/@coraza.conf-recommended
cp /go/pkg/mod/github.com/corazawaf/coraza-coreruleset*/rules/@crs-setup.conf.example /etc/caddy/@crs-setup.conf.example
cp /go/pkg/mod/github.com/corazawaf/coraza-coreruleset*/rules/@owasp_crs/* /etc/caddy/@owasp_crs/

My Caddyfile is as follows:

{
        # Debug
        {$CADDY_DEBUG}

        # must be always included in your Caddyfile for Coraza module to work
        # see https://github.com/corazawaf/coraza-caddy
        order coraza_waf first
}

{$SERVER_NAME}

route {
        coraza_waf {
                load_owasp_crs
                directives `
                Include @coraza.conf-recommended
                Include @crs-setup.conf.example
                Include @owasp_crs/*.conf
                SecRuleEngine On
                `
        }

        root * /srv/app/public

        php_fastcgi unix//var/run/php/php-fpm.sock
        encode zstd gzip
        file_server
}

I've used caddy fmt --overwrite to correctly format the Caddyfile.

However, when I run caddy I get this error:

Error: adapting config using caddyfile: parsing caddyfile tokens for 'coraza_waf': Caddyfile:14 - Error during parsing: invalid key for filter directive: load_owasp_crs

However, if I comment out the load_owasp_crs directive, then caddy runs. Is this expected?

[Edit: after testing, the WAF is running, but I'm not sure how to check that the OWASP core rule set is running too?]

@BurningDog I had this issue too. It looks like xcaddy is pulling in the latest released version of coraza-caddy and that version doesn't have support for the built-in rule set. You can force xcaddy to pull from master with this command:

xcaddy build --with github.com/corazawaf/coraza-caddy@master

I did not have to specify the --with github.com/corazawaf/coraza-coreruleset

@BurningDog could you try what @ameyer8 suggests?

This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days.

any movement on this?

This issue was closed because it has been inactive for 14 days since being marked as stale.

Apologies for the long delay in my response - yes, the suggestion at #63 (comment) worked. Thanks @ameyer8!
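The fix above (pin coraza-caddy to master) plus a way to answer the "is the CRS actually loaded?" question from the edit, as an added example that is not code from this thread or from the coraza-caddy project. It assumes the WAF handler's module id is http.handlers.waf and that the adapted JSON config carries the option as "load_owasp_crs": true; both are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: build Caddy with coraza-caddy@master (the released tag
# rejects load_owasp_crs with "invalid key for filter directive") and
# verify from the adapted JSON that the embedded OWASP CRS will be loaded.
# Assumed: module id http.handlers.waf; JSON key "load_owasp_crs".
set -eu

# Pin the master branch. coraza-coreruleset need not be added separately:
# load_owasp_crs serves the embedded copy under the @owasp_crs prefix.
build_caddy() {
    xcaddy build --with github.com/corazawaf/coraza-caddy@master
}

# True when the freshly built ./caddy binary contains the WAF handler.
has_waf_module() {
    ./caddy list-modules 2>/dev/null | grep -qx 'http.handlers.waf'
}

# True when an adapted JSON config (path in $1) enables the embedded CRS.
# A Caddyfile that merely parses is not proof: without load_owasp_crs the
# @owasp_crs includes only resolve if the rule files were copied by hand.
crs_enabled_in_adapted_config() {
    grep -q '"load_owasp_crs":[[:space:]]*true' "$1"
}

main() {
    caddyfile="$1"
    build_caddy
    has_waf_module || { echo "http.handlers.waf not in binary" >&2; exit 1; }
    # The parse error quoted in the issue surfaces at this step.
    ./caddy adapt --config "$caddyfile" --adapter caddyfile > adapted.json
    crs_enabled_in_adapted_config adapted.json \
        || { echo "load_owasp_crs not set; embedded CRS will not load" >&2; exit 1; }
    echo "WAF module present and embedded CRS enabled"
}

# Invoke as: sh check-crs.sh run [path/to/Caddyfile]
if [ "${1:-}" = run ]; then
    main "${2:-Caddyfile}"
fi
```

Pair the static check with a runtime one once Caddy is up: set SecRuleEngine to DetectionOnly first and watch the Caddy log for rule matches from the CRS id range before switching to On.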