
How to whitelist rule Or ID log? #31

Closed
vncloudsco opened this issue Nov 11, 2022 · 5 comments

@vncloudsco

We ran a WAF test but ran into a problem with whitelisting a rule: we couldn't find any instructions on how to do this. In the logging section I also don't find any information about the log; it only has the following:

{"level":"error","ts":1668137651.9967813,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"1.1.1.1","remote_port":"60290","proto":"HTTP/1.1","method":"GET","host":"caddy.manhtuong.net","uri":"/test5","headers":{"Connection":["close"],"Accept-Encoding":["identity"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/605.1.15"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"caddy.manhtuong.net"}},"user_id":"","duration":0.001161757,"size":0,"status":403,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}

{"level":"error","ts":1668137271.2399333,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"1.1.1.1","remote_port":"58887","proto":"HTTP/2.0","method":"GET","host":"caddy.manhtuong.net","uri":"/a=%3Cscript%3Ealert(1)%3C/script%3E","headers":{"Sec-Ch-Ua-Platform":["\"Windows\""],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Accept-Language":["vi"],"Sec-Ch-Ua":["\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\""],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"caddy.manhtuong.net"}},"user_id":"","duration":0.007092084,"size":0,"status":403,"resp_headers":{"Alt-Svc":["h3=\":443\"; ma=2592000"],"Server":["Caddy"]}}

We have a problem: if a rule mistakenly blocks a valid application, then other than removing the rule we can't whitelist it. The log has no information about the rule that blocked the request, so tracking it down is really a bad experience.

@vncloudsco
Author

I found the error information when I ran the journalctl command.
[image]

Now I need to save these logs to a file; is there any solution to this problem?

@jptosso
Member

jptosso commented Nov 11, 2022

Hey, coraza-caddy uses the Caddy error handler; please refer to https://caddyserver.com/docs/caddyfile/directives/log

@vncloudsco
Author

vncloudsco commented Nov 11, 2022

Dear @jptosso,
I tried, but it doesn't seem to work with the real-time log from the app when I run it as a service. I used the solution of configuring the service file as follows:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
#After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
StandardOutput=append:/home/caddy/log/xxxxxxxxxx.error
StandardError=append:/home/caddy/log/xxxxxxxxxx.error
[Install]
WantedBy=multi-user.target

I configured StandardOutput and StandardError.

I realize it's not really a good solution yet

@jptosso
Member

jptosso commented Jul 14, 2023

Hey sorry for the super late reply, but this is the working config I use for error logs:

{
    log {
        format console
        output file /logs/errors.log
        level error
    }
    order coraza_waf first
}
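
Building on that answer, here is a fuller Caddyfile, added as an illustration and not taken from this thread or from the coraza-caddy project. It keeps the global error log above, adds a WAF audit log that records the ID of every rule that matched a blocked request, and shows how to exempt one path from a rule instead of deleting the rule. The `coraza_waf` `directives` block syntax, the site name, file paths and rule IDs are assumptions.

```caddyfile
{
    # Global options as in the config above: Caddy's error log, where
    # coraza-caddy reports denied requests, is written to a file.
    log {
        format console
        output file /logs/errors.log
        level error
    }
    order coraza_waf first
}

# Placeholder site name; replace with the real host.
example.com {
    coraza_waf {
        # Inline SecLang rules. The `directives` subdirective is assumed to
        # be the coraza-caddy Caddyfile syntax for embedding rules.
        directives `
            SecRuleEngine On

            # Path-scoped exception (constructed): for /test5/health, skip
            # rule 101 for this request only. Runs in phase 1, before the
            # blocking rule in phase 2, so the ctl action takes effect.
            SecRule REQUEST_URI "@beginsWith /test5/health" \
                "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=101"

            # Blocking rule (constructed) that produces a 403 for /test5,
            # like the 403 seen in the access log earlier in this thread.
            SecRule REQUEST_URI "@beginsWith /test5" \
                "id:101,phase:2,deny,log,msg:'blocked /test5'"

            # Global alternative: disable rule 101 everywhere.
            # SecRuleRemoveById 101

            # Audit log: one record per relevant (4xx/5xx, not 404) request,
            # including the [id "..."] and [msg "..."] of each matched rule.
            # The caddy user needs write access to this path.
            SecAuditEngine RelevantOnly
            SecAuditLogRelevantStatus "^(?:5|4(?!04))"
            SecAuditLog /logs/coraza-audit.log
            SecAuditLogParts ABIJDEFHZ
            SecAuditLogType Serial
        `
    }
    reverse_proxy localhost:8080
}
```

With this in place, a blocked request shows up in /logs/errors.log via the Caddy error handler and in /logs/coraza-audit.log with the rule ID, which is what you need before deciding whether to exempt a path or remove the rule.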

@github-actions

This issue was closed because it has been inactive for 14 days since being marked as stale.
