From 19baaa18a4c8cd27611c882ef5591785e75c1629 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sat, 3 Aug 2024 09:24:14 -0300
Subject: [PATCH 1/6] fix: read plugins for user directory
Signed-off-by: Felipe Zipitria
---
caddy/Dockerfile | 26 ++++++++++++--------------
src/templates/Caddyfile | 7 +++++++
src/templates/coraza.conf | 22 ++--------------------
3 files changed, 21 insertions(+), 34 deletions(-)
diff --git a/caddy/Dockerfile b/caddy/Dockerfile
index 696717e..1a08604 100644
--- a/caddy/Dockerfile
+++ b/caddy/Dockerfile
@@ -141,15 +141,14 @@ USER "${CADDY_USER}:${CADDY_GROUP}"
 ENV \
 XDG_CONFIG_HOME="$CADDY_CONFIG_DIR" \
 XDG_DATA_HOME="$CADDY_DATA_DIR" \
- ACCESSLOG=/var/log/nginx/access.log \
+ ACCESSLOG=/var/log/caddy/access.log \
 BACKEND=localhost:80 \
 DNS_SERVER= \
- ERRORLOG=/var/log/nginx/error.log \
+ ERRORLOG=/var/log/caddy/error.log \
 KEEPALIVE_TIMEOUT=60s \
 METRICS_ALLOW_FROM='127.0.0.0/24' \
 METRICS_DENY_FROM='all' \
 METRICSLOG=/dev/null \
- CORAZA_ARGUMENT_SEPARATOR="&" \
 CORAZA_ARGUMENTS_LIMIT=1000 \
 CORAZA_AUDIT_ENGINE="RelevantOnly" \
 CORAZA_AUDIT_LOG=/dev/stdout \
@@ -158,8 +157,8 @@ ENV \
 CORAZA_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4[0-9][0-35-9])" \
 CORAZA_AUDIT_LOG_TYPE=Serial \
 CORAZA_COOKIE_FORMAT=0 \
- CORAZA_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
- CORAZA_DATA_DIR=/tmp/modsecurity/data \
+ CORAZA_AUDIT_STORAGE_DIR=/var/log/coraza/audit/ \
+ CORAZA_DATA_DIR=/tmp/coraza/data \
 CORAZA_DEBUG_LOG=/dev/null \
 CORAZA_DEBUG_LOGLEVEL=0 \
 CORAZA_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${CORAZA_TAG}'" \
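Review bot: `ACCESSLOG` and `ERRORLOG` now point under `/var/log/caddy`, but nothing in this hunk creates that directory or makes it writable by the `${CADDY_USER}` that the `USER` line above the hunk switches to, so a later `log { output file ${ACCESSLOG} }` in the Caddyfile would most likely fail at startup unless the directory is prepared elsewhere in the build. If it is not already done earlier in the Dockerfile, add `RUN mkdir -p /var/log/caddy && chown "${CADDY_USER}:${CADDY_GROUP}" /var/log/caddy` before the `USER` instruction, or document the requirement next to the variable. Dropping `CORAZA_ARGUMENT_SEPARATOR` is also unexplained by the commit message; if `src/templates/coraza.conf` still expands it, the rendered `SecArgumentSeparator` would be left without a value. The `ENV` instruction continues past both ends of this hunk.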
@@ -167,22 +166,21 @@ ENV \
 CORAZA_DISABLE_BACKEND_COMPRESSION="Off" \
 CORAZA_PCRE_MATCH_LIMIT=100000 \
 CORAZA_PCRE_MATCH_LIMIT_RECURSION=100000 \
- CORAZA_REQ_BODY_ACCESS=on \
- CORAZA_REQ_BODY_JSON_DEPTH_LIMIT=512 \
+ CORAZA_REQ_BODY_ACCESS="On" \
+ CORAZA_REQ_BODY_JSON_DEPTH_LIMIT=1024 \
 CORAZA_REQ_BODY_LIMIT=13107200 \
 CORAZA_REQ_BODY_LIMIT_ACTION="Reject" \
- CORAZA_REQ_BODY_NOFILES_LIMIT=131072 \
- CORAZA_RESP_BODY_ACCESS=on \
+ CORAZA_REQ_BODY_NOFILES_LIMIT=524288 \
+ CORAZA_RESP_BODY_ACCESS="On" \
 CORAZA_RESP_BODY_LIMIT=1048576 \
 CORAZA_RESP_BODY_LIMIT_ACTION="ProcessPartial" \
 CORAZA_RESP_BODY_MIMETYPE="text/plain text/html text/xml" \
- CORAZA_RULE_ENGINE=on \
- CORAZA_STATUS_ENGINE="Off" \
- CORAZA_TAG=modsecurity \
- CORAZA_TMP_DIR=/tmp/modsecurity/tmp \
+ CORAZA_RULE_ENGINE=On \
+ CORAZA_TAG=coraza \
+ CORAZA_TMP_DIR=/tmp/coraza \
 CORAZA_TMP_SAVE_UPLOADED_FILES="on" \
 CORAZA_UNICODE_MAPPING=20127 \
- CORAZA_UPLOAD_DIR=/tmp/modsecurity/upload \
+ CORAZA_UPLOAD_DIR=/tmp/coraza/upload \
 CORAZA_UPLOAD_FILE_MODE=0600 \
 CORAZA_UPLOAD_KEEP_FILES=Off \
 PORT=8080 \
diff --git a/src/templates/Caddyfile b/src/templates/Caddyfile
index f2c7e75..85b09c1 100644
--- a/src/templates/Caddyfile
+++ b/src/templates/Caddyfile
@@ -24,11 +24,18 @@
 include /opt/coraza/owasp-crs/plugins/*-config.conf
 include /opt/coraza/owasp-crs/plugins/*-before.conf
+ # User plugins Setup
+ include /opt/coraza/plugins/*-config.conf
+ include /opt/coraza/plugins/*-before.conf
 # OWASP Core Rule Set (CRS)
 include /opt/coraza/owasp-crs/rules/*.conf
 include /opt/coraza/owasp-crs/plugins/*-after.conf
+ # User plugins after
+ include /opt/coraza/plugins/*-after.conf
 # Other baked in rule sets or configurations
 include /opt/coraza/rules/*.conf
diff --git a/src/templates/coraza.conf b/src/templates/coraza.conf
index 0c4ead5..bf615a5 100644
--- a/src/templates/coraza.conf
+++ b/src/templates/coraza.conf
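Review bot: `CORAZA_REQ_BODY_JSON_DEPTH_LIMIT` (512 to 1024) and `CORAZA_REQ_BODY_NOFILES_LIMIT` (131072 to 524288) are raised and `CORAZA_STATUS_ENGINE` is dropped in a commit titled "fix: read plugins for user directory", with no rationale in the message. Both values bound how much of a request body the engine parses or buffers per request, so whoever audits these defaults later needs to know where the new numbers come from; a one-line comment above them stating the source of the values would settle that. Quoting is also inconsistent within the block: the other toggles were normalised to `"On"` while `CORAZA_TMP_SAVE_UPLOADED_FILES="on"` keeps the lowercase form, which is worth aligning if the template passes it through unchanged. The `ENV` instruction continues outside this hunk.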
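Review bot: The new includes only pick up files named `*-config.conf`, `*-before.conf` and `*-after.conf` under `/opt/coraza/plugins`, which mirrors the CRS plugin layout but is not stated anywhere, so a plugin file dropped in under any other name is silently ignored. I would make the comment carry that contract, e.g. `# User plugins (CRS layout): <name>-config.conf and <name>-before.conf load before the CRS rules, <name>-after.conf after them; other files are not loaded`. The ordering itself looks right: user `*-before.conf` files sit after the bundled plugin setup and before `owasp-crs/rules/*.conf`, and user `*-after.conf` files follow the bundled plugin after-files. The enclosing `coraza_waf` block starts and ends outside the hunk.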
@@ -40,28 +40,10 @@ SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
 "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
 SecRule REQUEST_HEADERS:Content-Type "^application/json" \
 "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
-SecRule &ARGS "@ge 1000" \
+SecRule &ARGS "@ge ${CORAZA_ARGUMENTS_LIMIT}" \
 "id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count',severity:2"
 SecRule REQBODY_ERROR "!@eq 0" \
 "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
 SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
 "id:'200003',phase:2,t:none,log,deny,status:400, \
- msg:'Multipart request body failed strict validation: \
- PE %{REQBODY_PROCESSOR_ERROR}, \
- BQ %{MULTIPART_BOUNDARY_QUOTED}, \
- BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
- DB %{MULTIPART_DATA_BEFORE}, \
- DA %{MULTIPART_DATA_AFTER}, \
- HF %{MULTIPART_HEADER_FOLDING}, \
- LF %{MULTIPART_LF_LINE}, \
- SM %{MULTIPART_MISSING_SEMICOLON}, \
- IQ %{MULTIPART_INVALID_QUOTING}, \
- IP %{MULTIPART_INVALID_PART}, \
- IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
- FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
- "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
-# Additional rules
-SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
- "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+ msg:'Multipart request body failed strict validation."
From 78e75c609d11d6eea43e14ade104149511a275b5 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sat, 3 Aug 2024 09:25:20 -0300
Subject: [PATCH 2/6] chore: use upstream org config
Signed-off-by: Felipe Zipitria
---
renovate.json | 39 +--------------------------------------
1 file changed, 1 insertion(+), 38 deletions(-)
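Review bot: The rewritten rule 200003 now ends with `msg:'Multipart request body failed strict validation."` — the single quote opened after `msg:` is never closed, so the action string is malformed; it should read `msg:'Multipart request body failed strict validation.'"`. The hunk also removes rule 200006, which routed `application/*+json` content types (for example `application/problem+json`) to the JSON body processor via `ctl:requestBodyProcessor=JSON`; after this change those bodies are presumably no longer parsed into ARGS, so rules that inspect arguments lose visibility of them — a detection gap that the commit message ("read plugins for user directory") does not mention. Rule 200004 on `MULTIPART_UNMATCHED_BOUNDARY` is dropped the same way; if it went because Coraza does not expose that variable, say so in a comment, otherwise keep it. Parameterising the `&ARGS` threshold with `${CORAZA_ARGUMENTS_LIMIT}` is fine.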
diff --git a/renovate.json b/renovate.json
index ded035d..bca0a75 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,49 +1,12 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": [
- "",
+ "local>coreruleset/renovate-config",
 "schedule:weekly"
 ],
 "enabledManagers": [
 "custom.regex"
 ],
- "packageRules": [
- {
- "groupName": "all non-major dependencies",
- "groupSlug": "all-minor-patch",
- "matchPackagePatterns": [
- "*"
- ],
- "matchUpdateTypes": [
- "minor",
- "patch"
- ],
- "prBodyColumns": [
- "Package",
- "Type",
- "Update",
- "Change",
- "Pending"
- ]
- },
- {
- "groupName": "all major dependencies",
- "groupSlug": "all-major",
- "matchPackagePatterns": [
- "*"
- ],
- "matchUpdateTypes": [
- "major"
- ],
- "prBodyColumns": [
- "Package",
- "Type",
- "Update",
- "Change",
- "Pending"
- ]
- }
- ],
 "customManagers": [
 {
 "description": "Bake file",
From 6c579bb3029d647d10bc0e21a3fc7d760da9ca8e Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sat, 3 Aug 2024 10:17:47 -0300
Subject: [PATCH 3/6] chore: add user hints that plugins are loaded
Signed-off-by: Felipe Zipitria
---
caddy/entrypoint.sh | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/caddy/entrypoint.sh b/caddy/entrypoint.sh
index 488eb26..3102eca 100755
--- a/caddy/entrypoint.sh
+++ b/caddy/entrypoint.sh
@@ -31,6 +31,40 @@ else
 echo " - Done"
 fi
+# Output the extra configuration files that will be read as hints to the user
+if [ -z "$(ls -A /opt/coraza/config.d)" ]; then
+ echo " - No user configuration files found in /opt/coraza/config.d"
+else
+ echo " - User configuration files loaded from /opt/coraza/config.d"
+ for f in /opt/coraza/config.d/*.conf
+ do
+ echo " -> $(basename $f)"
+ done
+ echo " - Done"
+fi
+
+if [ -z "$(ls -A /opt/coraza/plugins)" ]; then
+ echo " - No user plugins found in /opt/coraza/plugins"
+else
+ echo " - User plugins loaded from /opt/coraza/plugins"
+ for f in /opt/coraza/plugins/*.conf
+ do
+ echo " -> $(basename $f)"
+ done
+ echo " - Done"
+fi
+
+if [ -z "$(ls -A /opt/coraza/rules.d)" ]; then
+ echo " - No user defined rule sets found in /opt/coraza/rules.d"
+else
+ echo " - User defined rule sets loaded from /opt/coraza/rules.d"
+ for f in /opt/coraza/rules.d/*.conf
+ do
+ echo " -> $(basename $f)"
+ done
+ echo " - Done"
+fi
+
 # Launch Caddy
 echo "Launching $*"
 exec "$@"
From 9cc20b3145ed09127f25b4ad172039ff54d57c86 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sat, 3 Aug 2024 10:54:00 -0300
Subject: [PATCH 4/6] docs: update readme
Signed-off-by: Felipe Zipitria
---
README.md | 98 +++++++++++++++++++++++++++++++++++------
src/templates/Caddyfile | 7 ++-
2 files changed, 90 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 4da29b1..f294f80 100644
--- a/README.md
+++ b/README.md
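Review bot: The three new blocks test `ls -A <dir>` for emptiness but then iterate `<dir>/*.conf`, so a directory that holds only non-`.conf` entries prints the literal `-> *.conf` because an unmatched glob stays unexpanded in POSIX sh; `$(basename $f)` is also unquoted and splits on spaces. The plugins block additionally reports every `*.conf` as loaded, while the Caddyfile template from the first patch only includes `*-config.conf`, `*-before.conf` and `*-after.conf` from `/opt/coraza/plugins`, so the hint can name files the WAF never reads, and if any of the three directories is absent from the image `ls` writes an error to stderr before the "No ... found" line. The same logic is repeated three times; a small helper that tests the glob itself fixes all of this and keeps the wording in one place (narrow the plugins pattern to the three suffixes if the hint should match what is actually loaded). The `if`/`else` block preceding the additions starts outside the hunk.
```shell
# Print the *.conf files a directory contributes, as a hint to the user.
# $1: directory, $2: description used in the messages
list_user_conf() {
  _dir="$1"
  _what="$2"
  _n=0
  for f in "$_dir"/*.conf; do
    [ -e "$f" ] || continue   # unmatched glob stays literal without nullglob
    if [ "$_n" -eq 0 ]; then
      echo " - ${_what} loaded from ${_dir}"
    fi
    echo "   -> $(basename "$f")"
    _n=$((_n + 1))
  done
  if [ "$_n" -eq 0 ]; then
    echo " - No ${_what} found in ${_dir}"
  else
    echo " - Done"
  fi
}

# … unchanged: configuration generation above …
list_user_conf /opt/coraza/config.d "user configuration files"
list_user_conf /opt/coraza/plugins "user plugins"
list_user_conf /opt/coraza/rules.d "user defined rule sets"
# … unchanged: Launch Caddy …
```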
@@ -27,19 +27,58 @@ The following env variables may be set to control Caddy and Coraza.
 These values control Coraza.
-| Variable | Default | Documentation |
-| ----------------------------- | --------------- | ------------------------------------------------------------------------------------------------------------------- |
-| `CORAZA_SECRULEENGINE` | `DetectionOnly` | [SecRuleEngine](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleEngine) |
-| `CORAZA_SECREQUESTBODYACCESS` | `On` | [SecRequestBodyAccess](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRequestBodyAccess) |
-| `CORAZA_REMOVERULEIDS` | `` | [SecRuleRemoveById](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secruleremovebyid) |
+| Variable | Default | Documentation |
+| - | - | - |
+| CORAZA_ARGUMENTS_LIMIT | Default: `1000` | |
+| CORAZA_AUDIT_ENGINE | Default: `"RelevantOnly"` | |
+| CORAZA_AUDIT_LOG | Default: `/dev/stdout` | |
+| CORAZA_AUDIT_LOG_FORMAT | Default: `JSON` | |
+| CORAZA_AUDIT_LOG_PARTS | Default: `'ABIJDEFHZ'` | |
+| CORAZA_AUDIT_LOG_RELEVANT_STATUS | Default: `"^(?:5\|4[0-9][0-35-9])"` | |
+| CORAZA_AUDIT_LOG_TYPE | Default: `Serial` | |
+| CORAZA_AUDIT_STORAGE_DIR | Default: `/var/log/coraza/audit/` | |
+| CORAZA_DATA_DIR | Default: `/tmp/coraza/data` | |
+| CORAZA_DEBUG_LOG | Default: `/dev/null` | |
+| CORAZA_DEFAULT_PHASE1_ACTION | Default: `"phase:1,pass,log,tag:'\${CORAZA_TAG}'"` | |
+| CORAZA_DEFAULT_PHASE2_ACTION | Default: `"phase:2,pass,log,tag:'\${CORAZA_TAG}'"` | |
+| CORAZA_REQ_BODY_ACCESS | Default: `"On"` | |
+| CORAZA_REQ_BODY_JSON_DEPTH_LIMIT | Default: `1024` | |
+| CORAZA_REQ_BODY_LIMIT | Default: `13107200` | |
+| CORAZA_REQ_BODY_LIMIT_ACTION | Default: `"Reject"` | |
+| CORAZA_REQ_BODY_NOFILES_LIMIT | Default: `524288` | |
+| CORAZA_RESP_BODY_ACCESS | Default: `"On"` | |
+| CORAZA_RESP_BODY_LIMIT | Default: `1048576` | |
+| CORAZA_RESP_BODY_LIMIT_ACTION | Default: 
`"ProcessPartial"` | |
+| CORAZA_RESP_BODY_MIMETYPE | Default: `"text/plain text/html text/xml"` | |
+| CORAZA_RULE_ENGINE | Default: `On` | |
+| CORAZA_TAG | Default: `coraza` | |
+| CORAZA_TMP_DIR | Default: `/tmp/coraza` | |
+| CORAZA_TMP_SAVE_UPLOADED_FILES | Default: `"On"` | |
+| CORAZA_UPLOAD_DIR | Default: `/tmp/coraza/upload` | |
+| CORAZA_UPLOAD_KEEP_FILES | Default: `Off` | |
+
+### CRS Specific
+
+| Variable | Default | Documentation |
+| - | - | - |
+| PARANOIA | Default: `1` | |
+| ANOMALY_INBOUND | Default: `5` | |
+| ANOMALY_OUTBOUND | Default: `4` | |
+| BLOCKING_PARANOIA | Default: `1` | |
 ### Caddy Specific
 These values control Caddy.
+| Variable | Default | Documentation |
+| - | - | - |
+| ACCESSLOG | Default: `stderr` | Log to this file access logs. Use `/var/log/caddy/access.log` or similar if you want to store it in the filesystem |
+| BACKEND | Default: `localhost:80` | Proxy traffic to this `host:port` |
+| PORT | Default: `8080` | Port where the server listens. |
+
 ## Important Notes
-- The container is configured by default to run as a non-root user. The upstream Caddy containers run using root by default. To allow binding on ports <1024 `cap_net_bind_service` is added on the Caddy binary.
+- The container is configured by default to run as a non-root user. The upstream Caddy containers run using root by default. To allow binding on ports <1024 `cap_net_bind_service` is added on the Caddy binary. The default port still is 8080.
 ## Configuration Files/Directories
@@ -60,8 +99,8 @@ Various arguments can be provided if building the container yourself. The availa
 | Variable | Default | Description |
 | ------------------ | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `CADDY_VERSION` | `2.7.6` | The Caddy Docker container tag to use as a base. |
-| `CRS_VERSION` | `v4.3.0` | The OWASP CRS release. |
+| `CADDY_VERSION` | `2.8.1` | The Caddy Docker container tag to use as a base. |
+| `CRS_VERSION` | `v4.5.0` | The OWASP CRS release. |
 | `LIBCAP` | `true` | Install libcap and add the `cap_net_bind_service` capability to the Caddy binary. Required for the container to bind to low ports when not running as root. |
 | `CADDY_USER` | `caddy` | The user name that will run Caddy. Can be set to `root` to run Caddy as root rather than a low privleged user. |
 | `CADDY_GROUP` | `caddy` | The group name for the Caddy user. Can be set to `root` to run Caddy as root rather than a low privleged user. |
@@ -97,10 +136,6 @@ To build a specific target for a single platform only (replace target and platfo
 ```bash
 docker buildx bake -f docker-bake.hcl --set "*.platform=linux/amd64" caddy-alpine
-## Adding CRS Plugins
-
-To add CRS Plugins, download and decompress the plugin to a directory of your choice. Then start the container bind mounting the directory to `/opt/coraza/owasp-crs/plugins`.
-
 ## Advanced Configuration
 If you prefer to configure Caddy and/or Coraza yourself there are multiple options.
@@ -114,6 +149,36 @@ To add Coraza configuration without overwriting any of the container default con
 As an example, you may want to create your own rules for Coraza. You would create a volume and mount it in the container at `/opt/coraza/rules.d`; the rules will then be loaded on server start automatically.
+## Adding CRS Plugins
+
+To add CRS Plugins, download and decompress the plugin to a directory of your choice. The official plugin list is at https://github.com/coreruleset/plugin-registry.
+
+Create a volume or bind mount a directory of your choice to `/opt/coraza/plugins`; the rules will then be loaded on server start automatically.
+
+Example:
+```
+curl -sSL https://github.com/coreruleset/wordpress-rule-exclusions-plugin/archive/refs/tags/v1.0.0.tar.gz -o wordpress.tar.gz
+tar xvf wordpress.tar.gz --strip-components 1 'wordpress-rule-exclusions-plugin*/plugins'
+❯ docker compose run -v $(pwd)/plugins:/opt/coraza/plugins coraza-crs
+[+] Creating 1/0
+ ✔ Container coraza-crs-docker-whoami-1 Running 0.0s
+Generating configuration files...
+ - Caddyfile
+ - Generating Caddyfile from template /templates/Caddyfile
+ - Done
+ - Coraza configuration file
+ - Generating Caddyfile from template /templates/coraza.conf
+ - Done
+ - User configuration files loaded from /opt/coraza/config.d
+ - Done
+ - Loading user plugins from /opt/coraza/plugins
+ -> wordpress-rule-exclusions-before.conf
+ -> wordpress-rule-exclusions-config.conf
+ - Done
+ - Loading user defined rule sets from /opt/coraza/rules.d
+ - Done
+```
+
 ### Replacement Configuration - Caddy
 If you prefer to use your own configuration file for Caddy, simply mount the configuration file as `/config/caddy/Caddyfile` or mount a volume at `/config/Caddy` with a `Caddyfile` inside. You will need to add the relevant Coraza configuration to Caddy yourself if you choose this option. The bare minimum recommended configuration is:
@@ -133,10 +198,15 @@ If you prefer to use your own configuration file for Caddy, simply mount the con
 include /opt/coraza/config/coraza.conf
 # User defined configuration files
 include /opt/coraza/config.d/*.conf
- # OWASP Core Rule Set (CRS) Setup
+ # OWASP CRS Setup
 include /opt/coraza/config/crs-setup.conf
- # OWASP Core Rule Set (CRS)
+ # OWASP CRS Plugins Setup
+ include /opt/coraza/owasp-crs/plugins/*-config.conf
+ include /opt/coraza/owasp-crs/plugins/*-before.conf
+ # OWASP CRS
 include /opt/coraza/owasp-crs/*.conf
+ # OWASP CRS Plugins After
+ include /opt/coraza/owasp-crs/plugins/*-after.conf
 # Other baked in rule sets
 include /opt/coraza/rules/*.conf
 # User defined rule sets
diff --git a/src/templates/Caddyfile b/src/templates/Caddyfile
index 85b09c1..e822eb4 100644
--- a/src/templates/Caddyfile
+++ b/src/templates/Caddyfile
@@ -7,7 +7,7 @@
 }
 # Create the HTTP listener
-:80 {
+:${PORT} {
 # Load Coraza configuration
 coraza_waf {
@@ -51,4 +51,9 @@
 trusted_proxies private_ranges
 }
+ log {
+ output file ${ACCESSLOG}
+ }
+
+
 }
From 1dfcaf0940775b4d5ab90c2107c6a2ef45519482 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sat, 3 Aug 2024 10:55:33 -0300
Subject: [PATCH 5/6] fix: update dockerfile variables
Signed-off-by: Felipe Zipitria
---
caddy/Dockerfile | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/caddy/Dockerfile b/caddy/Dockerfile
index 1a08604..bf796a9 100644
--- a/caddy/Dockerfile
+++ b/caddy/Dockerfile
@@ -143,12 +143,6 @@ ENV \
 XDG_DATA_HOME="$CADDY_DATA_DIR" \
 ACCESSLOG=/var/log/caddy/access.log \
 BACKEND=localhost:80 \
- DNS_SERVER= \
- ERRORLOG=/var/log/caddy/error.log \
- KEEPALIVE_TIMEOUT=60s \
- METRICS_ALLOW_FROM='127.0.0.0/24' \
- METRICS_DENY_FROM='all' \
- METRICSLOG=/dev/null \
 CORAZA_ARGUMENTS_LIMIT=1000 \
 CORAZA_AUDIT_ENGINE="RelevantOnly" \
 CORAZA_AUDIT_LOG=/dev/stdout \
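Review bot: `output file ${ACCESSLOG}` only works when the variable holds a filesystem path, yet the README table added in this same commit documents the default as `stderr`; rendered into this directive that yields `output file stderr`, a relative file literally named `stderr` in Caddy's working directory rather than the standard-error stream. The image default from the first patch is `/var/log/caddy/access.log`, so the README row should state that value, together with the requirement that the directory exists and is writable by the non-root user the container runs as. If stderr is meant to be a supported setting, the template has to choose the writer (`output stderr` versus `output file <path>`) instead of interpolating the value, which is a template or entrypoint change rather than a one-liner here. The `:${PORT}` hunk above is fine as written. The site block enclosing this hunk starts outside it.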
@@ -156,16 +150,11 @@ ENV \
 CORAZA_AUDIT_LOG_PARTS='ABIJDEFHZ' \
 CORAZA_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4[0-9][0-35-9])" \
 CORAZA_AUDIT_LOG_TYPE=Serial \
- CORAZA_COOKIE_FORMAT=0 \
 CORAZA_AUDIT_STORAGE_DIR=/var/log/coraza/audit/ \
 CORAZA_DATA_DIR=/tmp/coraza/data \
 CORAZA_DEBUG_LOG=/dev/null \
- CORAZA_DEBUG_LOGLEVEL=0 \
 CORAZA_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${CORAZA_TAG}'" \
 CORAZA_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${CORAZA_TAG}'" \
- CORAZA_DISABLE_BACKEND_COMPRESSION="Off" \
- CORAZA_PCRE_MATCH_LIMIT=100000 \
- CORAZA_PCRE_MATCH_LIMIT_RECURSION=100000 \
 CORAZA_REQ_BODY_ACCESS="On" \
 CORAZA_REQ_BODY_JSON_DEPTH_LIMIT=1024 \
 CORAZA_REQ_BODY_LIMIT=13107200 \
@@ -179,10 +168,8 @@ ENV \
 CORAZA_TAG=coraza \
 CORAZA_TMP_DIR=/tmp/coraza \
 CORAZA_TMP_SAVE_UPLOADED_FILES="on" \
- CORAZA_UNICODE_MAPPING=20127 \
 CORAZA_UPLOAD_DIR=/tmp/coraza/upload \
 CORAZA_UPLOAD_FILE_MODE=0600 \
- CORAZA_UPLOAD_KEEP_FILES=Off \
 PORT=8080 \
 # CRS specific variables
 PARANOIA=1 \
From c0b6344b02aa214ba4f7494ae8de3a4ddd2b1adc Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sat, 3 Aug 2024 11:08:31 -0300
Subject: [PATCH 6/6] docs: add descriptions
Signed-off-by: Felipe Zipitria
---
README.md | 43 ++++++++++++++++++++-----------------------
1 file changed, 20 insertions(+), 23 deletions(-)
diff --git a/README.md b/README.md
index f294f80..5ba3751 100644
--- a/README.md
+++ b/README.md
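Review bot: `CORAZA_COOKIE_FORMAT`, `CORAZA_DEBUG_LOGLEVEL`, `CORAZA_DISABLE_BACKEND_COMPRESSION`, both `CORAZA_PCRE_MATCH_LIMIT*` values, `CORAZA_UNICODE_MAPPING` and `CORAZA_UPLOAD_KEEP_FILES` are removed from the image defaults here and in the `@@ -179` hunk (the `@@ -143` hunk above does the same for the `DNS_SERVER`, `ERRORLOG`, `KEEPALIVE_TIMEOUT` and `METRICS*` variables), but nothing in this series shows `src/templates/coraza.conf` being updated to match. If that template still expands any of them, for example as `SecUploadKeepFiles ${CORAZA_UPLOAD_KEEP_FILES}`, the rendered directive is left without an argument and the engine will refuse its configuration at start, so please either include the corresponding template change or add a comment above the `ENV` block naming the template as the source of truth for which variables are consumed. The final patch also drops the README rows for `CORAZA_UPLOAD_DIR` and `CORAZA_TMP_SAVE_UPLOADED_FILES` while both variables survive here, so documentation and defaults diverge in the other direction as well. The `ENV` instruction extends beyond both hunks.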
@@ -29,42 +29,39 @@ These values control Coraza.
 | Variable | Default | Documentation |
 | - | - | - |
-| CORAZA_ARGUMENTS_LIMIT | Default: `1000` | |
+| CORAZA_ARGUMENTS_LIMIT | Default: `1000` | An integer indicating the maximum number of arguments that can be processed before setting the `REQBODY_ERROR` variable |
 | CORAZA_AUDIT_ENGINE | Default: `"RelevantOnly"` | |
-| CORAZA_AUDIT_LOG | Default: `/dev/stdout` | |
-| CORAZA_AUDIT_LOG_FORMAT | Default: `JSON` | |
-| CORAZA_AUDIT_LOG_PARTS | Default: `'ABIJDEFHZ'` | |
-| CORAZA_AUDIT_LOG_RELEVANT_STATUS | Default: `"^(?:5\|4[0-9][0-35-9])"` | |
+| CORAZA_AUDIT_LOG | Default: `/dev/stdout` | A string indicating the path to the main audit log file or the concurrent logging index file |
+| CORAZA_AUDIT_LOG_FORMAT | Default: `JSON` | A string indicating the output format of the AuditLogs (Default: `JSON`). Accepted values: `JSON`, `Native`. See [SecAuditLogFormat]() |
+| CORAZA_AUDIT_LOG_PARTS | Default: `'ABIJDEFHZ'` | A string that defines which parts of each transaction are going to be recorded in the audit log (Default: `'ABIJDEFHZ'`). See [SecAuditLogParts]() for the accepted values. |
+| CORAZA_AUDIT_LOG_RELEVANT_STATUS | Default: `"^(?:5\|4[0-9][0-35-9])"` | A regular expression string that defines the http error codes that are relevant for audit logging (Default: `"^(?:5|4(?!04))"`). 
See [SecAuditLogRelevantStatus]() |
 | CORAZA_AUDIT_LOG_TYPE | Default: `Serial` | |
 | CORAZA_AUDIT_STORAGE_DIR | Default: `/var/log/coraza/audit/` | |
 | CORAZA_DATA_DIR | Default: `/tmp/coraza/data` | |
 | CORAZA_DEBUG_LOG | Default: `/dev/null` | |
-| CORAZA_DEFAULT_PHASE1_ACTION | Default: `"phase:1,pass,log,tag:'\${CORAZA_TAG}'"` | |
-| CORAZA_DEFAULT_PHASE2_ACTION | Default: `"phase:2,pass,log,tag:'\${CORAZA_TAG}'"` | |
-| CORAZA_REQ_BODY_ACCESS | Default: `"On"` | |
+| CORAZA_DEFAULT_PHASE1_ACTION | Default: `"phase:1,pass,log,tag:'\${CORAZA_TAG}'"` | String with the contents for the default action in phase 1 |
+| CORAZA_DEFAULT_PHASE2_ACTION | Default: `"phase:2,pass,log,tag:'\${CORAZA_TAG}'"` | String with the contents for the default action in phase 2 |
+| CORAZA_REQ_BODY_ACCESS | Default: `"On"` | A string value allowing ModSecurity to access request bodies. Allowed values: `On`, `Off`. See [SecRequestBodyAccess]() |
 | CORAZA_REQ_BODY_JSON_DEPTH_LIMIT | Default: `1024` | |
-| CORAZA_REQ_BODY_LIMIT | Default: `13107200` | |
-| CORAZA_REQ_BODY_LIMIT_ACTION | Default: `"Reject"` | |
+| CORAZA_REQ_BODY_LIMIT | Default: `13107200` | An integer value indicating the maximum request body size accepted for buffering. See [SecRequestBodyLimit]() |
+| CORAZA_REQ_BODY_LIMIT_ACTION | Default: `"Reject"` | A string value for the action when `SecRequestBodyLimit` is reached. Accepted values: `Reject`, `ProcessPartial`. See [SecRequestBodyLimitAction]() |
 | CORAZA_REQ_BODY_NOFILES_LIMIT | Default: `524288` | |
-| CORAZA_RESP_BODY_ACCESS | Default: `"On"` | |
-| CORAZA_RESP_BODY_LIMIT | Default: `1048576` | |
-| CORAZA_RESP_BODY_LIMIT_ACTION | Default: `"ProcessPartial"` | |
+| CORAZA_RESP_BODY_ACCESS | Default: `"On"` | A string value allowing ModSecurity to access response bodies. Allowed values: `On`, `Off`. See [SecResponseBodyAccess]() |
+| CORAZA_RESP_BODY_LIMIT | Default: `1048576` | An integer value indicating the maximum response body size accepted for buffering. 
|
+| CORAZA_RESP_BODY_LIMIT_ACTION | Default: `"ProcessPartial"` | A string value for the action when `SecResponseBodyLimit` is reached. Accepted values: `Reject`, `ProcessPartial`. See [SecResponseBodyLimitAction]() |
 | CORAZA_RESP_BODY_MIMETYPE | Default: `"text/plain text/html text/xml"` | |
-| CORAZA_RULE_ENGINE | Default: `On` | |
-| CORAZA_TAG | Default: `coraza` | |
-| CORAZA_TMP_DIR | Default: `/tmp/coraza` | |
-| CORAZA_TMP_SAVE_UPLOADED_FILES | Default: `"On"` | |
-| CORAZA_UPLOAD_DIR | Default: `/tmp/coraza/upload` | |
-| CORAZA_UPLOAD_KEEP_FILES | Default: `Off` | |
+| CORAZA_RULE_ENGINE | Default: `On` | A string value enabling Coraza itself. Accepted values: `On`, `Off`, `DetectionOnly`. See [SecRuleEngine]() |
+| CORAZA_TAG | Default: `coraza` | A string indicating the default tag action, which will be inherited by the rules in the same configuration context. |
+| CORAZA_TMP_DIR | Default: `/tmp/coraza` | A string indicating the path where temporary files will be created |
 ### CRS Specific
 | Variable | Default | Documentation |
 | - | - | - |
-| PARANOIA | Default: `1` | |
-| ANOMALY_INBOUND | Default: `5` | |
-| ANOMALY_OUTBOUND | Default: `4` | |
-| BLOCKING_PARANOIA | Default: `1` | |
+| PARANOIA | Default: `1` | CRS Paranoia Level setting for logging. It could be different from the BLOCKING level, allowing you to log additional information. |
+| ANOMALY_INBOUND | Default: `5` | The score used by CRS to block incoming requests. |
+| ANOMALY_OUTBOUND | Default: `4` | The score used by CRS to block outgoing requests. |
+| BLOCKING_PARANOIA | Default: `1` | CRS Paranoia Level setting used for blocking |
 ### Caddy Specific