Commit 78f0066

docs: update documentation for v0.1.2 (ASN, SOTA, Issues fixed)
1 parent 00c547e commit 78f0066

3 files changed

+12
-2
lines changed

README.md

Lines changed: 8 additions & 1 deletion
@@ -7,7 +7,7 @@ A robust, highly customizable, and feature-rich **Web Application Firewall (WAF)
77
## 🛡️ Core Protections
88

99
* **Regex-Based Filtering:** Deep URL, data & header inspection using powerful regex rules.
10-
* **Blacklisting:** Blocks malicious IPs, domains & optionally TOR exit nodes.
10+
* **Blacklisting:** Blocks malicious IPs, domains, ASNs & optionally TOR exit nodes.
1111
* **Geo-Blocking:** Restricts access by country using GeoIP.
1212
* **Rate Limiting:** Prevents abuse via customizable IP request limits.
1313
* **Anomaly Scoring:** Dynamically blocks requests based on cumulative rule matches.
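
Review bot: the updated Blacklisting bullet on line 10 now advertises ASN blocking but gives the reader no hint that it needs its own database file; the `block_asns` row added to docs/configuration.md in this same commit shows a `GeoLite2-ASN.mmdb` argument. Suggest pointing the bullet at the `block_asns` directive so the README does not read as if ASN blocking works out of the box.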
@@ -23,6 +23,13 @@ A robust, highly customizable, and feature-rich **Web Application Firewall (WAF)
2323
_Simple at a glance UI :)_
2424
![demo](https://github.com/fabriziosalmi/caddy-waf/blob/main/docs/caddy-waf-ui.png?raw=true)
2525

26+
## Security & Performance (SOTA)
27+
* **Zero-Copy Networking**: Uses `unsafe.String` to eliminate memory allocations during request body inspection.
28+
* **Wait-Free Concurrency**: Atomic counters ensure accurate metrics and rule hit counting without lock contention.
29+
* **Circuit Breaker**: `geoip_fail_open` prevents database failures from causing service outages.
30+
* **DoS Protection**: `io.LimitReader` enforces strict request body limits to prevent memory exhaustion.
31+
* **ReDoS Safety**: Built on top of Go's `regexp` (RE2), guaranteeing linear time execution for all regex rules.
32+
2633
## 🚀 Quick Start
2734

2835
```bash
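
Review bot: the `unsafe.String` bullet on line 27 lists an unsafe-package call under a "Security" heading without stating the invariant it depends on, namely that the bytes backing the string must not be modified while the string is in use. Suggest saying where the request body buffer's lifetime is guaranteed, or moving the claim to a performance-only section. The label "Zero-Copy Networking" also does not match the sentence, which describes avoiding allocations during body inspection rather than network I/O, and the trailing empty added line 32 leaves two blank lines before the Quick Start heading.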

caddywaf.go

Lines changed: 1 addition & 1 deletion
@@ -50,7 +50,7 @@ var (
5050
)
5151

5252
// Add or update the version constant as needed
53-
const wafVersion = "v0.1.0" // update this value to the new release version when tagging
53+
const wafVersion = "v0.1.2" // update this value to the new release version when tagging
5454

5555
// ==================== Initialization and Setup ====================
5656

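Review bot: the `wafVersion` change on line 53 is a code change inside a commit titled "docs: update documentation", and it moves from "v0.1.0" straight to "v0.1.2". Suggest putting the bump in its own commit so version changes are easy to find in history. Since the inline comment relies on someone remembering to edit the value when tagging, consider setting it at build time with the Go linker's `-X` flag, which would require declaring it as a `var` instead of a `const`.
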
docs/configuration.md

Lines changed: 3 additions & 0 deletions
@@ -140,6 +140,9 @@ The WAF provides a variety of configuration options to control its behavior. The
140140
| **`log_path`** | Specifies the path for the WAF log file. | `log_path /var/log/waf/access.log` |
141141
| **`redact_sensitive_data`** | Redacts sensitive data from the request query string in logs. | `redact_sensitive_data` |
142142
| **`custom_response`** | Defines custom HTTP responses for blocked requests. Requires status code, content type, and response content or file path. | `custom_response 403 application/json error.json` |
143+
| **`max_request_body_size`**| Configures request body size limit (default 10MB). Uses `io.LimitReader` for protection. | `max_request_body_size 20MB` |
144+
| **`block_asns`** | Blocks requests from specified Autonomous Systems (ASNs) using the MaxMind GeoIP2 ASN database. | `block_asns GeoLite2-ASN.mmdb 12345 67890` |
145+
| **`geoip_fail_open`** | Configures the WAF to allow requests if GeoIP/ASN lookup fails (Circuit Breaker pattern). Default is false (Fail Closed). | `geoip_fail_open` |
143146

144147
---
145148

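Review bot: the `max_request_body_size` row on line 143 does not say what happens to a body larger than the limit. `io.LimitReader` stops returning data after N bytes, so the docs should state whether an oversized request is rejected or whether only the first N bytes are inspected and the rest is passed on unchecked. On line 145, `geoip_fail_open` is described as a Circuit Breaker, but the text describes a fail-open switch; suggest stating plainly that enabling it means `block_asns` and country rules are not enforced while lookups fail. The line 143 row is also missing the space before the second `|`.
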