Caddy WAF

Advanced, customizable WAF middleware for Caddy web server

A feature‑rich middleware that adds regex filtering, blacklisting, geo‑blocking, rate limiting, anomaly scoring and observability to Caddy, with dynamic reloads and easy configuration.

Overview

The Caddy WAF middleware extends the Caddy web server with a comprehensive, rule‑driven firewall. It inspects URLs, headers, query strings and bodies using powerful regex patterns, applies IP/DNS/TOR blacklists, enforces geo‑IP restrictions, and throttles abusive traffic through configurable rate limits. Anomaly scoring aggregates rule matches to dynamically block suspicious requests.

Deployment & Operations

Installation is a single script or manual build using xcaddy. Once compiled, the middleware is activated in a Caddyfile block, pointing to rule, IP blacklist, DNS blacklist and metrics endpoints. File watchers automatically reload updated rule or blacklist files, providing zero‑downtime protection updates. Metrics are exposed as JSON for Prometheus, ELK or custom dashboards, and custom response handling lets you tailor block messages.

Who Benefits

Ideal for DevOps teams and security engineers running APIs, microservices, or static sites behind Caddy who need granular, programmable request inspection without adding a separate appliance. The solution balances deep security controls with the simplicity of Caddy’s configuration model.

Highlights

Regex‑based deep inspection across request phases
Integrated IP/DNS/TOR blacklisting with file watchers
Geo‑IP country blocking and customizable rate limiting
Real‑time metrics endpoint compatible with Prometheus and ELK

Pros

  • Highly configurable rule engine
  • Zero‑downtime rule updates
  • Rich observability (JSON metrics, Prometheus, ELK)
  • Works natively within Caddy's handler chain

Considerations

  • Requires a custom Caddy build (via xcaddy) that includes the module
  • Complex rule syntax may steepen the learning curve
  • Geo‑IP blocking depends on an external database (MaxMind GeoLite2)
  • Performance impact grows in proportion to the number of rules

Managed products teams compare with

When teams consider Caddy WAF, these hosted platforms usually appear on the same shortlist.

AWS WAF

Web Application Firewall that protects web applications and APIs from common exploits and attacks by defining security rules

Azure Web Application Firewall

Cloud-native WAF service that protects web apps from common attacks (SQL injection, XSS) by filtering malicious HTTP/S traffic

Sophos

Unified threat management and endpoint security

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Teams needing granular request inspection on Caddy
  • Enterprises requiring integrated blacklists and rate limiting
  • Ops that want built‑in Prometheus metrics
  • Projects that prefer code‑level configurability over external WAF appliances

Not ideal when

  • Environments that cannot rebuild the Caddy binary
  • Simple static sites with minimal security needs
  • Users seeking a GUI‑only firewall solution
  • Deployments where latency overhead must be negligible

How teams use it

Prevent brute‑force login attempts

Rate limiting blocks excessive requests to authentication endpoints, reducing credential stuffing.

Block malicious traffic from known sources

IP and DNS blacklists automatically drop requests from attackers and TOR exit nodes.

Comply with regional access policies

Geo‑blocking restricts or allows traffic based on country, supporting GDPR or licensing requirements.

Monitor attack patterns in real time

Metrics endpoint feeds Prometheus dashboards, enabling alerts on anomaly scores and blocked request spikes.

Tech snapshot

  • Go: 47%
  • Python: 44%
  • HTML: 7%
  • Shell: 3%
  • Dockerfile: 1%
  • Makefile: 1%

Tags

rate-limiter, web-application-firewall, waf, ip-filtering, caddy-module, dns-filtering, caddyserver, ip-blacklist, caddy-security, caddy-plugin, dns-blacklist, rate-limiting, security-tools, web-security, geo-blocking, caddy, owasp, geoip2

Frequently asked questions

How do I update rules without restarting Caddy?

Place updated JSON or blacklist files in the configured paths; the file watcher reloads them automatically.

Do I need a separate license for the GeoIP database?

The middleware uses MaxMind’s free GeoLite2 database; you must download it yourself as shown in the installation steps.

Can the WAF block specific request headers?

Yes, regex rules can inspect any part of the request, including headers, URL, query strings and body.

Is there support for Prometheus scraping?

The /waf_metrics endpoint exposes JSON that can be scraped or transformed for Prometheus metrics.

What languages or frameworks does this work with?

It runs inside Caddy, so any application served through Caddy (static sites, APIs, microservices) benefits from the protection.

Project at a glance

  • Status: Active
  • Stars: 713
  • Watchers: 713
  • Forks: 27
  • License: AGPL-3.0
  • Repo age: 1 year old
  • Last commit: 4 days ago
  • Primary language: Go