caddy-waf
Caddy-WAF is a middleware module for the Caddy web server that provides Web Application Firewall capabilities including regex-based rule matching, IP/DNS filtering, GeoIP blocking, rate limiting, and Tor exit-node detection. It is written in Go and licensed under AGPL-3.0, requiring careful review for commercial deployment.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | fabriziosalmi/caddy-waf |
| Owner | fabriziosalmi |
| Primary language | Go |
| License | AGPL-3.0 — OSI-approved |
| Stars | 787 |
| Forks | 30 |
| Open issues | 11 |
| Latest release | v0.3.3 (2026-04-29) |
| Last updated | 2026-07-03 |
| Source | https://github.com/fabriziosalmi/caddy-waf |
What caddy-waf is
A Caddy HTTP handler module (ID: http.handlers.waf) implementing four-phase request/response inspection with RE2 regex rules, anomaly scoring, IP prefix-trie blacklists, MaxMind GeoLite2 integration, sliding-window rate limiting, and JSON metrics export. Uses atomic counters for thread-safe operation and hot-reloading of configuration files.
Get the caddy-waf source
Clone the repository and explore it locally.
git clone https://github.com/fabriziosalmi/caddy-waf.gitcd caddy-waf# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Go 1.25+ and Caddy 2.11.x+ are hard requirements; build via xcaddy (not registered in Caddy's add-package registry).
- MaxMind GeoLite2 MMDB files must be downloaded separately and kept current; GeoIP failures can block or pass through depending on geoip_fail_open setting.
- Regex rule compilation is cached per rule ID; large rule sets (100+) may increase startup time and memory footprint. RE2 guarantees linear time, preventing ReDoS attacks.
- Asynchronous logging with buffered channels; under extreme load, fallback to synchronous logging may impact throughput. Monitor metrics endpoint for dropped events.
- Hot-reload via fsnotify watchers on rule, IP-blacklist, and DNS-blacklist files; timing windows exist between file change and reload where stale rules apply.
When to avoid it — and what to weigh
- Closed-Source or Proprietary Production Deployments — AGPL-3.0 requires source disclosure and derivative-work compliance. Proprietary products shipping this module must open-source modifications or seek explicit exemption.
- High-Performance Streaming or Large-Body Traffic — Bounded body reads (default 10 MiB) and full-request inspection may create latency bottlenecks. Not suitable for video streaming or gigabyte-scale uploads without tuning.
- Enterprise SLA Expectations Without in-House Go Expertise — Project is community-driven; no commercial support, SLA, or vendor guarantees. Debugging Caddy module issues requires Go proficiency or reliance on community forums.
- Real-Time Threat Intelligence Requirements — GeoIP and Tor blocklists require manual downloads or cron-based updates; no built-in feed integration or subscription model for real-time threat feeds.
License & commercial use
AGPL-3.0: Copyleft license requiring all derivative works (including modifications and linked code in distribution) to be released under AGPL-3.0. Network use is considered distribution. Requires explicit license review for commercial deployment.
AGPL-3.0 is not a permissive OSI license suitable for closed-source products without modification. If the module is used in any SaaS, proprietary, or commercial application, either (1) all source code must be open-sourced under AGPL-3.0, (2) a commercial license exception must be negotiated with the author, or (3) the module must not be distributed to end users. Requires legal review before commercial adoption.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Module performs request/response inspection using RE2 regex (linear-time guarantee prevents ReDoS). Panic recovery in ServeHTTP prevents cascade failures. Bounded body reads prevent unbounded memory consumption. Sensitive query-parameter redaction available. No audit of supply-chain dependencies beyond Go standard library. AGPL-3.0 license terms apply to distribution. GeoIP failures are configurable (fail-open vs. fail-closed). IP prefix-trie uses go-iptrie; no known vulnerabilities reported. Threat-detection rules are user-supplied; quality depends on rule authorship. No cryptographic authentication between Caddy and WAF (co-located process). Tor list fetched over HTTPS; no pinning or signature verification described.
Alternatives to consider
ModSecurity (Apache/Nginx)
Mature, vendor-backed OWASP CRS rules, broader ecosystem, but heavier footprint and C-based (not Go). Requires Apache or Nginx, not Caddy.
Coraza (OWASP)
Modern, portable WAF engine with Go bindings; actively maintained. Can be integrated into Caddy but requires custom integration layer; less opinionated configuration than caddy-waf.
Managed service with real-time threat feeds, DDoS mitigation, and SLA. Eliminates operational burden but adds egress costs and vendor lock-in; not self-hosted.
Build on caddy-waf with DEV.co software developers
Evaluate caddy-waf for API protection, rate limiting, and geo-enforcement. Ensure your legal and compliance teams review AGPL-3.0 terms before production deployment.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
caddy-waf FAQ
Can I use caddy-waf in a proprietary, closed-source product?
Is there commercial support or a vendor SLA?
Does caddy-waf support distributed rate limiting across multiple servers?
How often should I update GeoLite2 databases?
Work with a software development agency
Need help beyond evaluating caddy-waf? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Ready to Secure Your Caddy Deployment?
Evaluate caddy-waf for API protection, rate limiting, and geo-enforcement. Ensure your legal and compliance teams review AGPL-3.0 terms before production deployment.