add caddy waf docs

2026-02-25 12:15:49 -05:00
parent f3c313e610
commit 416321206d
4 changed files with 137 additions and 37 deletions
--- a/active/container_caddy/caddy.md
+++ b/active/container_caddy/caddy.md
@@ -6,6 +6,8 @@
    - [Ansible](#ansible)
    - [Manual](#manual)
  - [Adding a new Caddy Record](#adding-a-new-caddy-record)
+  - [Logs](#logs)
+  - [Caddy WAF](#caddy-waf)

 ## Custom Caddy Image

@@ -137,4 +139,67 @@ ddns service:

 1. Update the [ddns caddy records](/active/container_ddns/secrets/caddy_records.yaml)
 2. (Optional) Update the Caddyfile at `active/container_caddy/secrets/Caddyfile`
-3. Run the [caddy ansible playbook](/active/container_caddy/caddy.md#install-caddy)
+3. Run the [caddy ansible playbook](/active/container_caddy/caddy.md#install-caddy)
+
+## Logs
+
+```bash
+# Follow remote connections
+podman logs -f caddy | grep -e '^{' | jq -c '.request | {remote_ip,host}'
+
+# Filter out noisy hosts
+podman logs -f caddy | grep -e '^{' | jq -c '.request | {remote_ip,host} | select(.host != "gitea.reeseapps.com")'
+
+# Focus on user agents
+podman logs -f caddy | grep -e '^{' | jq -c '
+  {
+    "User-Agent":   .request.headers["User-Agent"],
+    remote_ip:      .request.remote_ip,
+    host:           .request.host,
+    status:         .status
+  }
+'
+```
+
+## Caddy WAF
+
+<https://github.com/fabriziosalmi/caddy-waf>
+
+1. Copy the rules.json to `/etc/caddy/rules.json`
+2. Update the Caddyfile to something like this:
+
+    ```Caddyfile
+    gitea.reeseapps.com:443 {
+        log {
+            output stdout
+            format json {
+                message_key     msg           # Key for the log message
+                level_key      severity       # Key for the log level
+                time_key       timestamp      # Key for the timestamp
+                name_key       logger         # Key for the logger name
+                caller_key     function       # Key for the caller information
+                stacktrace_key stack          # Key for error stacktraces
+                time_format    "2006-01-02 15:04:05 MST"  # RFC3339-like format
+                time_local                    # Use local timezone
+                duration_format "ms"          # Show durations in milliseconds
+                level_format   "upper"        # Uppercase log levels
+            }
+        }
+        route {
+            waf {
+                metrics_endpoint   /waf_metrics
+                rule_file          rules.json
+            }
+
+            @wafmetrics {
+                path /waf_metrics
+            }
+
+            handle @wafmetrics { }   # empty → let the WAF serve the metrics
+
+            handle {
+                reverse_proxy gitea.reeselink.com:3000
+            }
+        }
+    }
+    ```