fix: correct SecRuleEngine ordering in Caddyfile WAF snippet; docs for per-Ingress WAF rules

brdelphus · claude · brdelphus · commit a4f9212dedf8 · 2026-04-01T10:01:15.000-03:00
- _helpers.tpl: move SecRuleEngine after all CRS Includes (was incorrectly
  placed between @coraza.conf-recommended and @crs-setup/@owasp_crs)
- README: add caddy.ingress/waf-rules-configmap annotation reference and
  per-Ingress WAF rules section with migration guide from nginx-ingress
- CHANGELOG: add 1.0.1 entry documenting both WAF bug fixes
- Chart.yaml: bump to 0.9.1

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Changelog
 
+## [1.0.1] - 2026-03-31
+
+### Bug Fixes
+
+- **WAF: OWASP CRS rules were never loaded** — `wafHandler()` in caddy-k8s was missing the three mandatory `Include` directives (`@coraza.conf-recommended`, `@crs-setup.conf.example`, `@owasp_crs/*.conf`). `load_owasp_crs: true` only makes the virtual paths available; without the Includes, zero CRS rules were evaluated on any Ingress with `caddy.ingress/waf: on`.
+- **WAF: `SecRuleEngine` ordering fixed** — In both caddy-k8s and the Helm Caddyfile snippet, `SecRuleEngine` was placed before the CRS Includes. Since `@coraza.conf-recommended` resets it to `DetectionOnly`, our `On` override must come *after* all Includes.
+
+### Helm chart: 0.9.1
+
+---
+
 Versions track the `ingress-caddy` image. The Helm chart version is independent
 but its `appVersion` always matches the image version.
 
diff --git a/README.md b/README.md
@@ -264,6 +264,7 @@ Per-Ingress behaviour is controlled via `caddy.ingress/` annotations on individu
 | `caddy.ingress/cors-max-age` | Preflight cache duration in seconds |
 | `caddy.ingress/limit-rps` | Max requests/second per client IP |
 | `caddy.ingress/waf: "off"\|"on"\|"detection"` | Per-route WAF override |
+| `caddy.ingress/waf-rules-configmap` | ConfigMap name (same namespace) containing custom Coraza directives for this Ingress. Auto-created with a commented template when `waf: on/detection` is first set. |
 | `caddy.ingress/whitelist-source-range` | CIDRs to allow; all others 403 |
 | `caddy.ingress/blocklist-source-range` | CIDRs to deny; all others pass |
 | `caddy.ingress/basic-auth-secret` | Secret with `auth` htpasswd key |
@@ -349,6 +350,31 @@ metadata:
     caddy.ingress/waf: "on"
 ```
 
+**Per-Ingress WAF rules (auto-created ConfigMap):**
+
+When an Ingress is created with `caddy.ingress/waf: "on"` or `"detection"`, caddy-k8s automatically creates a ConfigMap named `<ingress-name>-waf-rules` in the same namespace and sets the `caddy.ingress/waf-rules-configmap` annotation on the Ingress. The ConfigMap is owned by the Ingress and will be garbage-collected when the Ingress is deleted.
+
+Edit the ConfigMap to add per-Ingress Coraza directives:
+
+```yaml
+# kubectl edit configmap myapp-waf-rules -n mynamespace
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: myapp-waf-rules
+  namespace: mynamespace
+data:
+  directives: |
+    # Disable a false-positive rule for this app
+    SecRuleRemoveById 920350
+    # Restrict a rule to specific args only
+    SecRuleUpdateTargetById 942100 "!ARGS:search"
+    # Add a custom block rule
+    SecRule ARGS "@contains badword" "id:1001,phase:2,deny,status:400"
+```
+
+Directives are injected after the OWASP CRS Includes so `SecRuleRemoveById` and `SecRuleUpdateTargetById` work against already-loaded rules. The `SecRuleEngine` mode is always controlled by the `caddy.ingress/waf` annotation and cannot be overridden in the ConfigMap.
+
 ### CrowdSec
 
 ```yaml
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: caddy
 description: Caddy ingress with WAF, TCP/UDP, CertMagic ACME (HTTP/TLS-ALPN/DNS/On-Demand), cert-manager CSI, CrowdSec, GeoIP, authentication/SSO, rate limiting and caching
 type: application
-version: 0.9.0
+version: 0.9.1
 appVersion: "1.0.0"
 icon: https://caddyserver.com/resources/images/caddy-circle-lock.svg
 
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
@@ -336,12 +336,12 @@ Generate the Caddyfile content
     load_owasp_crs
     directives `
       Include @coraza.conf-recommended
-      SecRuleEngine {{ .Values.plugins.coraza.ruleEngine }}
       Include @crs-setup.conf.example
       Include @owasp_crs/*.conf
       {{- range .Values.plugins.coraza.customRules }}
       {{ . }}
       {{- end }}
+      SecRuleEngine {{ .Values.plugins.coraza.ruleEngine }}
     `
   }
   {{- end }}

Original file line number	Diff line number	Diff line change
`@@ -336,12 +336,12 @@ Generate the Caddyfile content`
`336`	`336`	`load_owasp_crs`
`337`	`337`	directives `
`338`	`338`	`Include @coraza.conf-recommended`
`339`		`- SecRuleEngine {{ .Values.plugins.coraza.ruleEngine }}`
`340`	`339`	`Include @crs-setup.conf.example`
`341`	`340`	`Include @owasp_crs/*.conf`
`342`	`341`	`{{- range .Values.plugins.coraza.customRules }}`
`343`	`342`	`{{ . }}`
`344`	`343`	`{{- end }}`
	`344`	`+ SecRuleEngine {{ .Values.plugins.coraza.ruleEngine }}`
`345`	`345`	`
`346`	`346`	`}`
`347`	`347`	`{{- end }}`