DEV.co
Open-Source Security · fabriziosalmi

caddy-waf

Caddy-WAF is a middleware module for the Caddy web server that provides Web Application Firewall capabilities including regex-based rule matching, IP/DNS filtering, GeoIP blocking, rate limiting, and Tor exit-node detection. It is written in Go and licensed under AGPL-3.0, requiring careful review for commercial deployment.

Source: GitHub — github.com/fabriziosalmi/caddy-waf
787
GitHub stars
30
Forks
Go
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryfabriziosalmi/caddy-waf
Ownerfabriziosalmi
Primary languageGo
LicenseAGPL-3.0 — OSI-approved
Stars787
Forks30
Open issues11
Latest releasev0.3.3 (2026-04-29)
Last updated2026-07-03
Sourcehttps://github.com/fabriziosalmi/caddy-waf

What caddy-waf is

A Caddy HTTP handler module (ID: http.handlers.waf) implementing four-phase request/response inspection with RE2 regex rules, anomaly scoring, IP prefix-trie blacklists, MaxMind GeoLite2 integration, sliding-window rate limiting, and JSON metrics export. Uses atomic counters for thread-safe operation and hot-reloading of configuration files.

Quickstart

Get the caddy-waf source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/fabriziosalmi/caddy-waf.gitcd caddy-waf# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

API Gateway Protection

Deploy as Caddy middleware to inspect and block malicious API requests in real-time using regex rules, rate limiting, and per-path matching before requests reach backend services.

DDoS Mitigation and Geo-Enforcement

Combine IP blacklisting, Tor exit-node blocking, and country/ASN-based geo-blocking with token-bucket rate limiting to reduce attack surface and enforce geographic access policies.

Compliance-Driven Log Aggregation

Capture granular request/response events with anomaly scoring and sensitive-data redaction, exporting to ELK or Prometheus for audit trails and security dashboards.

Implementation considerations

  • Go 1.25+ and Caddy 2.11.x+ are hard requirements; build via xcaddy (not registered in Caddy's add-package registry).
  • MaxMind GeoLite2 MMDB files must be downloaded separately and kept current; GeoIP failures can block or pass through depending on geoip_fail_open setting.
  • Regex rule compilation is cached per rule ID; large rule sets (100+) may increase startup time and memory footprint. RE2 guarantees linear time, preventing ReDoS attacks.
  • Asynchronous logging with buffered channels; under extreme load, fallback to synchronous logging may impact throughput. Monitor metrics endpoint for dropped events.
  • Hot-reload via fsnotify watchers on rule, IP-blacklist, and DNS-blacklist files; timing windows exist between file change and reload where stale rules apply.

When to avoid it — and what to weigh

  • Closed-Source or Proprietary Production Deployments — AGPL-3.0 requires source disclosure and derivative-work compliance. Proprietary products shipping this module must open-source modifications or seek explicit exemption.
  • High-Performance Streaming or Large-Body Traffic — Bounded body reads (default 10 MiB) and full-request inspection may create latency bottlenecks. Not suitable for video streaming or gigabyte-scale uploads without tuning.
  • Enterprise SLA Expectations Without in-House Go Expertise — Project is community-driven; no commercial support, SLA, or vendor guarantees. Debugging Caddy module issues requires Go proficiency or reliance on community forums.
  • Real-Time Threat Intelligence Requirements — GeoIP and Tor blocklists require manual downloads or cron-based updates; no built-in feed integration or subscription model for real-time threat feeds.

License & commercial use

AGPL-3.0: Copyleft license requiring all derivative works (including modifications and linked code in distribution) to be released under AGPL-3.0. Network use is considered distribution. Requires explicit license review for commercial deployment.

AGPL-3.0 is not a permissive OSI license suitable for closed-source products without modification. If the module is used in any SaaS, proprietary, or commercial application, either (1) all source code must be open-sourced under AGPL-3.0, (2) a commercial license exception must be negotiated with the author, or (3) the module must not be distributed to end users. Requires legal review before commercial adoption.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Module performs request/response inspection using RE2 regex (linear-time guarantee prevents ReDoS). Panic recovery in ServeHTTP prevents cascade failures. Bounded body reads prevent unbounded memory consumption. Sensitive query-parameter redaction available. No audit of supply-chain dependencies beyond Go standard library. AGPL-3.0 license terms apply to distribution. GeoIP failures are configurable (fail-open vs. fail-closed). IP prefix-trie uses go-iptrie; no known vulnerabilities reported. Threat-detection rules are user-supplied; quality depends on rule authorship. No cryptographic authentication between Caddy and WAF (co-located process). Tor list fetched over HTTPS; no pinning or signature verification described.

Alternatives to consider

ModSecurity (Apache/Nginx)

Mature, vendor-backed OWASP CRS rules, broader ecosystem, but heavier footprint and C-based (not Go). Requires Apache or Nginx, not Caddy.

Coraza (OWASP)

Modern, portable WAF engine with Go bindings; actively maintained. Can be integrated into Caddy but requires custom integration layer; less opinionated configuration than caddy-waf.

Managed service with real-time threat feeds, DDoS mitigation, and SLA. Eliminates operational burden but adds egress costs and vendor lock-in; not self-hosted.

Software development agency

Build on caddy-waf with DEV.co software developers

Evaluate caddy-waf for API protection, rate limiting, and geo-enforcement. Ensure your legal and compliance teams review AGPL-3.0 terms before production deployment.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

caddy-waf FAQ

Can I use caddy-waf in a proprietary, closed-source product?
Not without legal review and likely a commercial license agreement. AGPL-3.0 requires source code disclosure. Consult legal counsel before deployment.
Is there commercial support or a vendor SLA?
No. This is a community-driven open-source project. Support relies on GitHub issues, discussions, or hiring a Go consultant familiar with Caddy modules.
Does caddy-waf support distributed rate limiting across multiple servers?
No. Rate limiting is per-Caddy-instance, per-IP. Multiple instances do not share state. Consider external rate-limiting (e.g., Redis) or a load balancer with built-in limits.
How often should I update GeoLite2 databases?
MaxMind updates GeoLite2-Country and GeoLite2-ASN regularly. No automatic download mechanism is built-in; manage updates via cron, container rebuild, or manual download. Stale data may block/allow incorrect IPs.

Work with a software development agency

Need help beyond evaluating caddy-waf? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Ready to Secure Your Caddy Deployment?

Evaluate caddy-waf for API protection, rate limiting, and geo-enforcement. Ensure your legal and compliance teams review AGPL-3.0 terms before production deployment.