coraza: add second Include for runtime-managed local-overrides.conf

2026-05-14 06:51:24 -07:00
parent 753743de20
commit 1f1bc1837e
4 changed files with 8 additions and 0 deletions
--- a/coraza-spoa/Dockerfile
+++ b/coraza-spoa/Dockerfile
@@ -39,6 +39,8 @@ LABEL org.opencontainers.image.title="coraza-spoa-whp" \
 COPY --from=build /out/coraza-spoa /coraza-spoa
 COPY config.yaml /etc/coraza-spoa/config.yaml
 COPY overrides.conf /etc/coraza/overrides.conf
 COPY local-overrides.conf /etc/coraza/local-overrides.conf
 COPY host-exceptions/ /etc/coraza/host-exceptions/
 # Audit log directory — bind-mount /var/log/coraza:/var/log/coraza from host
 # so logs persist across container restarts and AI Monitor can tail them.
--- a/coraza-spoa/config.yaml
+++ b/coraza-spoa/config.yaml
@@ -34,6 +34,9 @@ applications:
      # to see exactly what blocks vs what's detect-only.
      Include /etc/coraza/overrides.conf
      # Runtime-managed overrides written by WHP UI. Empty by default.
      Include /etc/coraza/local-overrides.conf
      # Global mode: log all alerts, block only what overrides.conf
      # explicitly promotes via ctl:ruleEngine=On.
      SecRuleEngine DetectionOnly
--- a/coraza-spoa/host-exceptions/.gitkeep
+++ b/coraza-spoa/host-exceptions/.gitkeep
--- a/coraza-spoa/local-overrides.conf
+++ b/coraza-spoa/local-overrides.conf
@@ -0,0 +1,3 @@
 # AUTOGENERATED by WHP — do not hand-edit.
 # Source of truth: whp.security_db coraza_rule_overrides table.
 # Empty file = no runtime overrides; baked-in overrides.conf governs.