Overview
Coraza is an open-source Web Application Firewall (WAF) that integrates the OWASP Core Rule Set (CRS) for comprehensive protection against common web attacks. This template uses the Coraza Caddy image, which runs Coraza as a plugin inside the Caddy web server to handle request inspection and proxying. It sits in front of a target workload, filtering all incoming requests before forwarding them.
What Gets Created
- Workload — A Coraza WAF container running with OWASP CRS, configured as a reverse proxy to your target workload.
- Secrets — A startup script secret that configures the Caddy reverse proxy, and a custom rules secret (suffixed `-coraza-custom-rules`) containing an initial example rule, editable after installation to define your own WAF policies.
- Identity & Policy — An identity bound to the workload with `reveal` access to the startup and custom rules secrets.
This template does not create a GVC. You must deploy it into an existing GVC alongside your target workload.
Prerequisites
The target workload must be reachable from the Coraza WAF workload. Before installing, ensure the target workload’s internal access is configured to allow traffic from the WAF:
- Set the target workload’s `internal_access` to `same-gvc` or `same-org`, or use `workload-list` to explicitly allow the Coraza workload.
Installation
To install, follow the instructions for your preferred method:
- UI — Browse, install, and manage templates visually
- CLI — Manage templates from your terminal
- Terraform — Declare templates in your Terraform configurations
- Pulumi — Declare templates in your Pulumi programs
Configuration
The default `values.yaml` for this template:
Target Workload
- `targetWorkload` — The internal DNS name of the workload to proxy traffic to. Uses the format `WORKLOAD_NAME.GVC_NAME.cpln.local`. This must be changed before deploying.
- `targetPort` — The port on the target workload that Coraza should forward requests to.
- `WAFPort` — The port on the Coraza workload exposed to the internet (default `80`).
Resources
- `resources.cpu` / `resources.memory` — CPU and memory allocated to the WAF workload.
- `multiZone` — When `true`, deploys replicas across multiple zones for higher availability.
Not all locations support multi-zone deployments. Confirm that your target location supports multi-zone before enabling this option.
Body Inspection
`diskBodyInspection` — Controls how request bodies larger than the 512KB in-memory limit are handled:
| Value | Behavior |
|---|---|
| `true` (default) | Bodies exceeding 512KB are buffered to disk at `/tmp/coraza`, enabling full inspection up to 12.5MB |
| `false` | All body inspection stays in memory; bodies up to 12.5MB are held in memory, avoiding disk I/O at the cost of higher memory pressure on large requests |
Custom Rules
After installation, custom WAF rules can be added by editing the secret named `<release-name>-coraza-custom-rules`. The secret includes an example rule to get started:
After modifying the custom rules secret, you must restart the workload replicas for the changes to take effect.
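As an added illustration (not the template's own startup script), the following Caddyfile shows how the pieces described above fit together: the Coraza plugin loading OWASP CRS, the body-size limits from the table, an include of the custom rules secret, and the reverse proxy to the target workload. The mount path `/etc/coraza/custom-rules.conf`, the target `my-app.my-gvc.cpln.local:8080`, and the choice of SecLang directives used to express the body limits are assumptions, not values taken from the template.

```caddyfile
{
    # Run the WAF handler before any other handler so every request is inspected first.
    order coraza_waf first
}

# WAFPort (default 80): the port exposed to the internet.
:80 {
    coraza_waf {
        # Load the OWASP Core Rule Set bundled with the Coraza Caddy image.
        load_owasp_crs
        directives `
            Include @coraza.conf-recommended

            # Use DetectionOnly instead of On to log matches without blocking while tuning rules.
            SecRuleEngine On

            # Body inspection limits matching the table above, in bytes (assumed directives):
            # 512KB is kept in memory; larger bodies are buffered to disk, up to 12.5MB total.
            SecRequestBodyAccess On
            SecRequestBodyInMemoryLimit 524288
            SecRequestBodyLimit 13107200
            SecTmpDir /tmp/coraza

            Include @crs-setup.conf.example
            Include @owasp_crs/*.conf

            # Custom rules from the <release-name>-coraza-custom-rules secret.
            # The mount path is hypothetical; the template defines the real one.
            Include /etc/coraza/custom-rules.conf
        `
    }

    # targetWorkload:targetPort (hypothetical values in the form WORKLOAD_NAME.GVC_NAME.cpln.local).
    reverse_proxy my-app.my-gvc.cpln.local:8080
}
```

Because the custom rules file is read when Caddy starts, a change to the secret only takes effect after the replicas restart, which is why the restart step above is required.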
Logging
All Coraza logs are sent to `/dev/stdout` and are readable in the Control Plane built-in logging interface. Logging behavior can be adjusted through environment variables in the workload configuration after installation.