{
  grace_period 10s
  order coraza_waf first
{% if caddy_email | default(None) != None %}
  email "{{ caddy_email }}"
{% endif %}

{% if caddy_ca_root | default(None) != None %}
  tls {
    ca_root "{{ caddy_ca_root }}"
  }

{% endif %}
  log waf {
    format json
    include "http.handlers.waf"
    output file {{ caddy_log_dir }}/waf.log
  }
{% if caddy_local_ca_name | default(None) != None %}

  pki {
    ca local {
      name "{{ caddy_local_ca_name }}"
    }
  }
{% endif %}
}

{% for site in caddy_sites %}
{% if (site.redirect_from_aliases | default(true)) and (site.aliases | default([]) | length) > 0 %}
{{ site.aliases | join(', ') }} {
  redir https://{{ site.site }}{uri}
}

{% else %}
{% for alias in site.aliases | default([]) %}
{{ alias }},
{% endfor %}
{% endif %}
{{ site.site }} {
  encode gzip zstd

{% for path in site.paths %}
  handle {{ path.path | default('*') }} {
    reverse_proxy {
      to {{ path.addrs | join(' ') }}
      header_up X-Real-IP {remote}
      lb_policy ip_hash
      # Active checks
#     health_uri /
#     health_interval 10s
#     health_timeout 5s
#     health_status 200
      # Passive checks
      fail_duration 30s
      max_fails 3
      unhealthy_latency 2000ms
      transport http {
#       tls_server_name {host}
#       tls_insecure_skip_verify
      }
    }
  }
{% endfor %}

{% if site.custom_cert | default (false) %}
  tls {{ site.custom_cert_file }} {{ site.custom_key_file }}

{% endif %}
{% if site.blacklist | default([]) | length > 0 %}
  @blocked {
{% for ip in site.blacklist | default([]) %}
    remote_ip {{ ip }}
{% endfor %}
  }
  respond @blocked "Access Denied" 403

{% endif %}
{% if site.bot_barrier | default (false) %}
  bot_barrier {
     secret {{ caddy_bot_barrier_secret }}
     complexity 18
     valid_for 30m
     seed_cookie_name __chall_{{ site.name }}_seed
     solution_cookie_name __chall_{{ site.name }}_solution
     mac_cookie_name __chall_{{ site.name }}_mac
     template {{ caddy_config_dir }}/bot_barrier_template.html
  }

{% endif %}
  rate_limit {
#   distributed
    zone remote_ip {
      key {remote.ip}
      events {{ site.rate_events | default('1000') }}
      window {{ site.rate_window | default('1m') }}
    }
  }
{% if site.enable_crs | default(caddy_waf_defaults.enable_crs) %}

  coraza_waf {
    load_owasp_crs
    directives `
      Include "{{ caddy_config_dir }}/sites/{{ site.name }}/coraza.conf"
      Include "{{ caddy_config_dir }}/sites/{{ site.name }}/crs-setup.conf"
{% for plugin in site.crs_plugins | default(caddy_waf_defaults.crs_plugins) %}
      Include "{{ caddy_config_dir }}/crs-plugins/{{ plugin }}-config.conf"
      Include "{{ caddy_config_dir }}/crs-plugins/{{ plugin }}-before.conf"
{% endfor %}
      Include "{{ caddy_config_dir }}/sites/{{ site.name }}/exclusions-request-before.conf"
      Include "{{ caddy_config_dir }}/coreruleset-{{ caddy_owasp_crs_version }}/rules/*.conf"
      Include "{{ caddy_config_dir }}/sites/{{ site.name }}/exclusions-response-after.conf"
{% for plugin in site.crs_plugins | default(caddy_waf_defaults.crs_plugins) %}
      Include "{{ caddy_config_dir }}/crs-plugins/{{ plugin }}-after.conf"
{% endfor %}
      SecRuleEngine On
    `
  }
{% endif %}

  header {
    Content-Security-Policy      "{{ caddy_waf_defaults.header_content_security_policy | combine(site.header_content_security_policy | default({})) | dict2str(sep1=' ', sep2='; ', sep3=';') }}"
    Cross-Origin-Embedder-Policy "{{ site.header_cross_origin_embedder_policy | default(caddy_waf_defaults.header_cross_origin_embedder_policy) }}"
    Cross-Origin-Opener-Policy   "{{ site.header_cross_origin_opener_policy | default(caddy_waf_defaults.header_cross_origin_opener_policy) }}"
    Cross-Origin-Resource-Policy "{{ site.header_cross_origin_resource_policy | default(caddy_waf_defaults.header_cross_origin_resource_policy) }}"
    Feature-Policy               "{{ caddy_waf_defaults.header_feature_policy | combine(site.header_feature_policy | default({})) | dict2str(sep1=' ', sep2='; ', sep3=';') }}"
    Permissions-Policy           "{{ caddy_waf_defaults.header_permissions_policy | combine(site.header_permissions_policy | default({})) | dict2str(sep2=', ') }}"
    Referrer-Policy              "{{ site.header_referrer_policy | default(caddy_waf_defaults.header_referrer_policy) }}"
    Strict-Transport-Security    "{{ site.header_strict_transport_security | default(caddy_waf_defaults.header_strict_transport_security) }}"
    X-Content-Type-Options       "{{ site.header_x_content_type_options | default(caddy_waf_defaults.header_x_content_type_options) }}"
    X-Frame-Options              "{{ site.header_x_frame_options | default(caddy_waf_defaults.header_x_frame_options) }}"
    X-Robots-Tag                 "{{ site.header_x_robots_tag | default(caddy_waf_defaults.header_x_robots_tag) }}"
    ?Content-Type                "{{ site.default_content_type | default(caddy_waf_defaults.default_content_type) }}"
    >Set-Cookie          "(.*)"  "$1; {{ site.cookies_attributes | default(caddy_waf_defaults.cookies_attributes) }}"
{% for header in site.delete_headers | default(caddy_waf_defaults.delete_headers) %}
    -{{ header }}
{% endfor %}
{% for header in site.custom_headers | default(caddy_waf_defaults.custom_headers) %}
    {{ header.name }}            "{{ header.value }}"
{% endfor %}
  }

  handle_errors 403 {
    header X-Blocked "true"
    respond "Your request was blocked."
  }

  log {
    format json
    output file {{ caddy_log_dir }}/site_{{ site.name }}.log
  }
}

{% endfor %}
