diff --git a/coraza-spoa/Dockerfile b/coraza-spoa/Dockerfile
index 4261155..105ae64 100644
--- a/coraza-spoa/Dockerfile
+++ b/coraza-spoa/Dockerfile
@@ -49,6 +49,7 @@ LABEL org.opencontainers.image.title="coraza-spoa-whp" \
 COPY --from=build /out/coraza-spoa /coraza-spoa
 COPY config.yaml /etc/coraza-spoa/config.yaml
 COPY overrides.conf /etc/coraza/overrides.conf
+COPY pre-overrides.conf /etc/coraza/pre-overrides.conf
 COPY local-overrides.conf /etc/coraza/local-overrides.conf
 COPY host-exceptions/ /etc/coraza/host-exceptions/
 COPY --from=catalog /out/rules-catalog.json /etc/coraza/rules-catalog.json
diff --git a/coraza-spoa/config.yaml b/coraza-spoa/config.yaml
index 7d72e6d..53a281e 100644
--- a/coraza-spoa/config.yaml
+++ b/coraza-spoa/config.yaml
@@ -27,6 +27,14 @@ applications:
 # the rule pack itself (~16 MB of rules embedded in the binary).
 Include @coraza.conf-recommended
 Include @crs-setup.conf.example
+
+ # Runtime-managed PRE-CRS exclusions written by WHP UI. Empty by default.
+ # Loaded BEFORE the CRS rules so per-host ctl:ruleRemoveById exemptions
+ # fire in phase:1 BEFORE the CRS rule they're trying to exempt would
+ # otherwise match. Server-wide overrides live in local-overrides.conf
+ # (loaded after CRS) instead.
+ Include /etc/coraza/pre-overrides.conf
+
 Include @owasp_crs/*.conf
 
 # WHP-specific overrides — day-one enforce list, plus tuning for
@@ -34,7 +42,7 @@ applications:
 # to see exactly what blocks vs what's detect-only.
 Include /etc/coraza/overrides.conf
 
- # Runtime-managed overrides written by WHP UI. Empty by default.
+ # Runtime-managed POST-CRS overrides written by WHP UI. Empty by default.
 Include /etc/coraza/local-overrides.conf
 
 # Global mode: log all alerts, block only what overrides.conf
diff --git a/coraza-spoa/pre-overrides.conf b/coraza-spoa/pre-overrides.conf
new file mode 100644
index 0000000..fada84f
--- /dev/null
+++ b/coraza-spoa/pre-overrides.conf
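Review bot: `COPY pre-overrides.conf /etc/coraza/pre-overrides.conf` bakes the seed file into the image layer, while config.yaml describes the same path as written at runtime by the WHP UI; unless `/etc/coraza` (or that one file) is on a writable, persistent mount, UI-written exemptions land in the ephemeral container filesystem and silently revert to the empty seed whenever the container is recreated. The existing `local-overrides.conf` copy on the next line has the same property, so presumably a volume already covers both, but nothing in the Dockerfile says so. A comment above the two runtime-managed copies, `# Seed only: pre-overrides.conf and local-overrides.conf are rewritten at runtime by WHP and must be volume-backed in the deployment spec`, would make that contract visible where the files are placed. Since this file can remove CRS rules per host, it is also worth confirming the image leaves it owned by root and read-only to the service user, with write access limited to the UI's writer.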
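Review bot: `Include /etc/coraza/pre-overrides.conf` is unconditional, so a malformed or half-written file from the runtime generator presumably fails directive parsing for every application that includes it, taking the whole SPOA down instead of just one host's exemption. Because the writer replaces the file while the service may be (re)loading, the comment should state the writer's contract rather than only the load order: validate the generated directives, write to a temporary path and rename atomically, then trigger the reload. Suggested wording after the existing explanation: `# Writer contract: validate before writing, write tmp then atomic rename, never edit in place.`. The same exposure already applies to `local-overrides.conf` in the following hunk, so the contract note could cover both files.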
@@ -0,0 +1,3 @@
+# AUTOGENERATED by WHP — do not hand-edit.
+# Source of truth: whp.security_db coraza_rule_host_exceptions table.
+# Loaded BEFORE the CRS rules. Empty file = no per-host exemptions active.
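Review bot: `Empty file = no per-host exemptions active` is contradicted by the file itself, which ships with three comment lines, and an operator reading the deployed copy cannot tell the image seed apart from a generator run that produced zero rows. Rewording to `# No directives below this header = no per-host exemptions active.` fixes the first, and having the generator emit a stamp line (for example `# Generated: <timestamp> rows=<N>`, values supplied by the writer) fixes the second and gives incident responders a cheap way to see when the exemption set last changed. It would also help reviewers of generated output if the header stated the only directive shape the generator is expected to produce — a host-scoped SecRule carrying ctl:ruleRemoveById — so anything broader than a single host stands out on inspection.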