Core Rule Set: Install Caddy with Coraza and the Core Rule Set on Debian 12

Equip your web applications with the OWASP Core Rule Set 3, Caddy Web Server, and Coraza for a secure, reliable, and resilient digital future. This tutorial shows you how.

Core Rule Set: Install Caddy with Coraza and the Core Rule Set on Debian 12
FYI: This post is part of a series where we're covering how to use and implement the Core Rule Set. Check our all of our special articles and tutorials for Cybersecurity Month 2023.
Core Rule Set 3 poster by Hugo Costa, unmodified, original located here: 

How to Install Caddy and Coraza WAF on Debian with CRS3

In the bustling hub of the digital era, ensuring airtight security for web applications is no longer a luxury, but a necessity. Among the arsenal of tools available for fortifying web security, the OWASP (Open Web Application Security Project) Core Rule Set (CRS) shines brightly. It acts as a protective shield, detecting and deflecting malicious attempts aimed at your web applications. The CRS is a set of generic attack detection rules that identify a wide range of potential threats, making it a crucial asset for any cybersecurity strategy.

Caddy Web Server, known for its simplicity and effectiveness, emerges as a compelling choice for hosting web applications. Its modern architecture, ease of use, and the flexibility to extend functionality through modules make it a darling among developers and system administrators alike. However, like any other web server, Caddy isn't impervious to the multitude of web application attacks lurking in the digital shadows.

Enter Coraza, a module designed to seamlessly integrate with Caddy, bringing the prowess of the OWASP CRS3 to the Caddy ecosystem. By harnessing Coraza, implementing the Core Rule Set on your Caddy server becomes a breeze. This union empowers you with robust security measures, guarding against SQL Injection, Cross-Site Scripting (XSS), Local File Inclusion (LFI), and a horde of other menacing threats.

Why should you consider marching under the banner of CRS3 with Caddy and Coraza leading the charge? Here are some compelling reasons:

  1. Ease of Implementation:
  • With Coraza as your vanguard, integrating CRS3 with Caddy is straightforward. A few tweaks in the configuration, and you're armed with a formidable defense against a broad spectrum of web application attacks.
  1. Automated Protection:
  • CRS3 operates tirelessly, scrutinizing traffic to and from your web applications, identifying and intercepting malicious requests before they can wreak havoc.
  1. Customizability:
  • Coraza offers the leeway to customize the rule set, allowing you to fine-tune the protection to meet the unique demands of your applications and operational environment.
  1. Comprehensive Security:
  • With a well-maintained and regularly updated rule set, CRS3 provides a wide-angle lens to spot and stop a myriad of attack vectors, keeping your digital assets safe and sound.
  1. Community-Driven:
  • Being part of the esteemed OWASP project, the Core Rule Set benefits from the collective wisdom and vigilance of a global community of cybersecurity experts.
  1. Regulatory Compliance:
  • Employing CRS3 can also aid in aligning with various regulatory compliance mandates, bolstering your posture in the face of legal and industry standards.

The alliance of Caddy, Coraza, and CRS3 orchestrates a robust security framework, significantly reducing the surface area for potential attacks. It's not just about thwarting known threats; it's about building a resilient infrastructure capable of weathering the evolving storm of cyber threats. By choosing this trio, you're not just opting for a security solution; you're investing in a secure, reliable, and resilient digital future for your web applications.

Tutorial: Use Xcaddy to Compile Caddy with Coraza

You can find the official tutorial and documentation for Caddy at this link.

Coraza WAF is technically a separate module and does not come with the default installation of Caddy. As a result, we need to generate a custom build of Caddy. This is made really easy, using a tool called xcaddy.

  1. First, install prerequisites:

debian-keyring, debian-archive-keyring, apt-transport-https

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https

2. Add the xcaddy package repository:

curl -1sLf '' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg

curl -1sLf '' | sudo tee /etc/apt/sources.list.d/caddy-xcaddy.list

3. Install xcaddy

sudo apt update

sudo apt install xcaddy

That was easy, right? Next, we get to run xcaddy to compile our custom binary for Caddy.

4. Compile a Caddy binary with the Coraza WAF module using xcaddy:

xcaddy build --with

Yes, xcaddy really makes it this easy to compile custom binaries with non-standard modules. You can add several at once, and there's an extensive list of modules to check out here.

5. Download the OWASP CRS Rules from Github:

You can download the Core Rule Set for Coraza specifically from their repository, or you can pull it straight from the official Core Rule Set Github Repository.

git clone

6. Create a basic Caddyfile with new directives for Coraza WAF:

The official Coraza Caddy Module documentation can be found on GitHub.

:80 {
 coraza_waf {
  directives `
   Include @coraza.conf-recommended
   Include @crs-setup.conf.example
   Include @owasp_crs/*.conf
   SecRuleEngine On
 root * /var/www

 reverse_proxy httpbin:8081

7. Adjacent to the Caddyfile, paste the files from the coraza-coreruleset/rules folder. Your directory should look like this:

8. Run Caddy

caddy run

That's all! You've successfully configured Caddy with Coraza WAF and the Core Rule Set on Debian. Now it's time to test your security and guarantee things are working as expected.

Any Site, to Scale

Skip2's state-of-the-art CDN solutions are designed to adapt and accelerate, ensuring your website meets the demands of today's digital users. With us, experience a world where your website's performance is no longer a barrier but a catalyst to your success. Ready to unlock unparalleled web acceleration? Your route to a faster, secure, and scalable online presence awaits.

Get Started