
Coraza Caddy WAF
Deploy and Host Coraza Caddy WAF with Railway
Deploy and Host coraza-caddy-waf on Railway
OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities.
About Hosting coraza-caddy-waf
This template deploys a production-ready Web Application Firewall (WAF) built on the Caddy server with Coraza and the OWASP Core Rule Set (CRS). It protects against common web vulnerabilities while treating traffic types differently: WebSocket connections bypass the WAF, file uploads up to 200 MB are supported, and rate limits vary by request type. The configuration also includes real IP detection, security headers, and automatic HTTPS with compression.
Common Use Cases
- API Security & Rate Limiting: Protect REST APIs from abuse with configurable rate limits (stricter for auth endpoints, lenient for uploads/downloads)
- WebSocket Applications: Seamlessly proxy WebSocket traffic without WAF interference for real-time applications
- Media Streaming & Large Files: Handle video streaming, range requests, and large file uploads with optimized settings
- OWASP Top 10 Protection: Defend against SQL injection, XSS, path traversal, and other common vulnerabilities using CRS v4
- Multi-tenant SaaS Applications: Secure authentication flows with strict rate limiting while supporting high-traffic legitimate use
Dependencies for coraza-caddy-waf Hosting
- Backend Service HOST:PORT (set via BACKEND environment variable, e.g., http://myapp.railway.internal:3000)
Deployment Dependencies
- OWASP Coraza WAF - Cloud Native Web Application Firewall
- OWASP Core Rule Set v4 - Generic attack detection rules
- Caddy Server - Fast, multi-platform web server with automatic HTTPS
Implementation Details
Set your backend service URL in Railway environment variables:
BACKEND=http://your-service.railway.internal:port
The WAF automatically:
- Bypasses protection for WebSocket connections
- Applies different rate limits based on request type:
  - Auth endpoints: 10 requests/minute
  - General traffic: 300 requests/minute
  - Streaming: 1000 requests/minute
  - Large uploads: 100 requests/minute
- Blocks requests exceeding anomaly threshold (score: 10)
- Adds comprehensive security headers (HSTS, CSP, etc.)
Health check endpoint available at /health for monitoring.
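A minimal Caddyfile sketch of the behaviour listed above (WebSocket bypass, CRS anomaly threshold of 10, /health endpoint), added here as an illustration and not the template's own configuration. The listen port :8080 and the /ws/* WebSocket path are assumptions; rate limiting and security headers are left out.

```caddyfile
{
	# coraza_waf is a plugin directive, so its position must be set explicitly
	order coraza_waf first
}

:8080 {
	# Health check answered by Caddy itself; not forwarded, not inspected
	handle /health {
		respond "OK" 200
	}

	# WebSocket upgrades skip the WAF. /ws/* is a hypothetical route:
	# scoping the matcher to a path keeps the bypass limited to the
	# endpoint that actually serves WebSockets.
	@websocket {
		path /ws/*
		header Connection *Upgrade*
		header Upgrade websocket
	}
	handle @websocket {
		reverse_proxy {$BACKEND}
	}

	# Everything else is inspected by Coraza with CRS before proxying
	handle {
		coraza_waf {
			load_owasp_crs
			directives `
			Include @coraza.conf-recommended
			Include @crs-setup.conf.example
			# coraza.conf-recommended starts in DetectionOnly; enforce blocking
			SecRuleEngine On
			# Inbound anomaly threshold of 10, as stated above (CRS ships with 5).
			# Must be set before the rule files are included.
			SecAction "id:900110,phase:1,pass,t:none,nolog,setvar:tx.inbound_anomaly_score_threshold=10"
			Include @owasp_crs/*.conf
			`
		}
		reverse_proxy {$BACKEND}
	}
}
```

Raising the threshold from 5 to 10 means a request needs more rule matches before it is blocked, which lowers false positives at the cost of letting lower-scoring requests through; review the Coraza audit log after deployment to confirm the setting fits your traffic.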
Why Deploy coraza-caddy-waf on Railway?
Railway is a singular platform to deploy your infrastructure stack. Railway will host your infrastructure so you don't have to deal with configuration, while allowing you to vertically and horizontally scale it.
By deploying Coraza Caddy WAF on Railway, you are one step closer to supporting a complete full-stack application with minimal burden. Host your servers, databases, AI agents, and more on Railway.
Template Content
inamespace/railway-coraza-caddy-waf:latest
ghcr.io/inamespace/railway-coraza-caddy-waf:latest