caddy 使用轻量级防火墙 corazawaf
xcaddy构建
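# Stage 1: build caddy with the Coraza WAF and rate-limit plugins via xcaddy.
# NOTE(review): "builder" and "latest" below are mutable tags; pin a specific
# tag or @sha256 digest for reproducible builds.
FROM registry.cn-hangzhou.aliyuncs.com/jcleng/library-caddy:builder AS builder
# GO111MODULE / GOPROXY are scoped to this single command instead of exported,
# so they only affect the build and never leak into the image environment.
# Plugin versions are unpinned here; append @<tag> to each --with to pin them.
RUN GO111MODULE=on GOPROXY=https://goproxy.cn xcaddy build \
    --with github.com/corazawaf/coraza-caddy/v2 \
    --with github.com/mholt/caddy-ratelimit
# --with github.com/Wafris/wafris-caddy

# Stage 2: overlay the plugin-enabled binary onto the stock caddy image.
FROM registry.cn-hangzhou.aliyuncs.com/jcleng/library-caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
# OWASP Core Rule Set. "nightly" is a moving tag fetched through a third-party
# mirror (gitdl.cn), so the rule set baked into the image is neither
# reproducible nor integrity-checked. Prefer a released tag and verify it, e.g.
#   ADD --checksum=sha256:<digest-of-release-tarball> https://.../archive/refs/tags/<vX.Y.Z>.tar.gz /nightly.tar.gz
ADD https://gitdl.cn/https://github.com/coreruleset/coreruleset/archive/refs/tags/nightly.tar.gz /nightly.tar.gz
# Unpack into /coraza (the Caddyfile expects /coraza/coreruleset-nightly/...)
# and delete the archive in the same layer so it does not persist in the image.
RUN mkdir -p /coraza \
    && tar xf /nightly.tar.gz -C /coraza \
    && rm -f /nightly.tar.gz
COPY ./Caddyfile /etc/caddy/Caddyfile
# `exec` makes caddy replace the shell and run as PID 1, so it receives SIGTERM
# from `docker stop` directly and can shut down gracefully.
# NOTE(review): no USER is set, so caddy runs as root inside the container.
CMD ["/bin/sh","-c","exec caddy run -c /etc/caddy/Caddyfile"]
# docker build . -t registry.cn-hangzhou.aliyuncs.com/jcleng/coraza-caddy:latest
# `-v $(pwd):$(pwd)` mounts the host working directory at the same absolute path,
# which is how the /home/wb/g/share/xcaddy paths in the Caddyfile resolve.
# docker run --rm -p 8077:8077 -v $(pwd):$(pwd) -v ./Caddyfile:/etc/caddy/Caddyfile --name xcady registry.cn-hangzhou.aliyuncs.com/jcleng/coraza-caddy:latest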
使用
{
    # Run the WAF before every other handler; rate limiting runs ahead of basicauth.
    order coraza_waf first
    order rate_limit before basicauth
}

# Negation: !@rx
# Rules: https://github.com/coreruleset/coreruleset
:8077 {
    # Serve static files from the host directory mounted into the container.
    root /home/wb/g/share/xcaddy
    file_server

    coraza_waf {
        # CRS as unpacked by the Dockerfile under /coraza, plus local custom rules.
        # NOTE(review): only the CRS setup is included; no Coraza base config
        # (SecRuleEngine / SecRequestBodyAccess etc.) is set here — confirm the
        # engine and request-body inspection are actually enabled.
        directives `
        Include /coraza/coreruleset-nightly/crs-setup.conf.example
        Include /coraza/coreruleset-nightly/rules/*.conf
        Include /home/wb/g/share/xcaddy/*.conf
        `
    }

    rate_limit {
        distributed

        # Across all clients together: at most 100 GET requests per minute.
        zone static_example {
            match {
                method GET
            }
            key static
            events 100
            window 1m
        }

        # Per client IP: at most 2 requests within any 5-second window.
        # NOTE(review): {remote_host} is the peer address; behind a reverse
        # proxy that is the proxy's IP, not the end client's.
        zone dynamic_example {
            key {remote_host}
            events 2
            window 5s
        }
    }
}
自定义 .conf 的 IP 黑名单
myrule.conf
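# Deny one address plus the RFC 1918 private ranges in phase 1 (request headers).
# @ipMatch compares REMOTE_ADDR as an IP/CIDR list, so it cannot over-match the
# way the unescaped "." in the previous @rx pattern did (e.g. "10." also matched
# 100.x/105.x and "172.1[6-9]." also matched 172.160.x).
# status:500 is the author's choice; 403 is the conventional deny status.
# NOTE(review): REMOTE_ADDR is the TCP peer address; behind a reverse proxy
# that is the proxy's IP, not the end client's.
SecRule REMOTE_ADDR "@ipMatch 125.86.81.116,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12" "id:2200000,phase:1,deny,status:500"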