How to Protect Nginx with Coraza WAF Using Docker

Because Coraza does not have a native Nginx module, the setup uses Caddy as a WAF reverse proxy. The request flow is:

Client -> Caddy + Coraza WAF (:8080) -> Nginx (:80) -> Your Application

Caddy handles TLS termination (if needed) and runs the Coraza WAF engine. Clean requests are forwarded to Nginx. Malicious requests are blocked before they reach your application.

This is a standard reverse proxy pattern. Your Nginx configuration stays exactly the same. You only need to add the Caddy+Coraza layer in front of it.

Create a directory structure for your setup:

mkdir -p coraza-nginx/{caddy,nginx} cd coraza-nginx

You will end up with three files:

• docker-compose.yml - orchestrates both containers
• caddy/Dockerfile - builds Caddy with the Coraza plugin
• caddy/Caddyfile - configures the WAF rules and reverse proxy

The official Caddy Docker image does not include the Coraza plugin. You need to build a custom image using xcaddy, which is Caddy's official build tool for adding plugins:

FROM caddy:2-builder AS builder
RUN xcaddy build \ --with github.com/corazawaf/coraza-caddy/v2
FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Save this as caddy/Dockerfile.

This multi-stage build compiles Caddy with the coraza-caddy plugin in the builder stage, then copies the binary into the slim runtime image. The resulting image is the same size as the standard Caddy image, just with WAF capabilities added.

Create the Caddyfile that configures Coraza WAF and proxies traffic to Nginx:

{ auto_https off order coraza_waf first }
:8080 { coraza_waf { load_owasp_crs directives ` Include @coraza.conf-recommended Include @crs-setup.conf.example Include @owasp_crs/*.conf SecRuleEngine On ` }
reverse_proxy nginx:80 }

Save this as caddy/Caddyfile.

Key configuration explained:

• order coraza_waf first - ensures WAF runs before any other handler
• load_owasp_crs - loads the bundled OWASP Core Rule Set (CRS v4)
• Include @coraza.conf-recommended - loads Coraza's recommended defaults
• Include @crs-setup.conf.example - loads CRS default configuration
• Include @owasp_crs/*.conf - loads all CRS detection rules
• SecRuleEngine On - enables request blocking (not just logging)
• reverse_proxy nginx:80 - forwards clean traffic to Nginx

Create the docker-compose file that runs both services:

services: caddy: build: context: ./caddy ports: - "8080:8080" volumes: - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro depends_on: - nginx
nginx: image: nginx:alpine volumes: - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro - ./nginx/html:/usr/share/nginx/html:ro

Notice that Nginx does not expose any ports to the host. All traffic goes through Caddy+Coraza first. Only port 8080 is exposed, which is the WAF-protected entry point.

Create a simple test page to verify the setup works:

mkdir -p nginx/html
cat > nginx/default.conf <<'EOF' server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; location / { try_files $uri $uri/ =404; } } EOF
cat > nginx/html/index.html <<'EOF' <!DOCTYPE html> <html> <head><title>Protected by Coraza WAF</title></head> <body> <h1>It works!</h1> <p>This page is served by Nginx, protected by Coraza WAF.</p> </body> </html> EOF

Build the custom Caddy image and start both containers:

docker compose build docker compose up -d

The first build takes 1-2 minutes as it compiles Caddy with the Coraza plugin. Subsequent starts are instant because Docker caches the built image.

Verify both containers are running:

docker compose ps

You should see both caddy and nginx containers with status "Up".

Open your browser or use curl to verify normal requests work:

curl http://localhost:8080/

You should see your test page ("It works!"). This confirms that:

• Caddy is receiving traffic on port 8080
• Coraza WAF is inspecting the request and allowing it through
• Nginx is serving the page through Caddy's reverse proxy

Now test that the WAF actually blocks attacks. Try these common attack payloads:

# SQL injection attempt - should return 403 curl -o /dev/null -w "HTTP %{http_code}\n" "http://localhost:8080/?id=1 OR 1=1"
# XSS attempt - should return 403 curl -o /dev/null -w "HTTP %{http_code}\n" "http://localhost:8080/?q=<script>alert(1)</script>"
# Scanner detection - should return 403 curl -o /dev/null -w "HTTP %{http_code}\n" -H "User-Agent: nikto" http://localhost:8080/
# Command injection - should return 403 curl -o /dev/null -w "HTTP %{http_code}\n" "http://localhost:8080/?cmd=;cat /etc/passwd"

All of these should return HTTP 403 (Forbidden). If they return 200, check that SecRuleEngine On is set in your Caddyfile.

Check the Caddy logs to see what Coraza is blocking and why:

docker compose logs caddy | grep "waf"

Each blocked request generates a log entry showing:

• The CRS rule that triggered (e.g., REQUEST-941-APPLICATION-ATTACK-XSS)
• The rule ID and severity
• The matched data (what part of the request triggered the rule)
• The anomaly score and blocking threshold

This is the same OWASP CRS logging format used by ModSecurity, so existing log analysis tools and guides apply.

For a production deployment, make these changes to your Caddyfile:

{ order coraza_waf first }
yourdomain.com { coraza_waf { load_owasp_crs directives ` Include @coraza.conf-recommended Include @crs-setup.conf.example Include @owasp_crs/*.conf SecRuleEngine On SecAuditEngine On SecAuditLog /var/log/coraza/audit.log SecAuditLogFormat json ` }
reverse_proxy nginx:80 }

Changes from the test setup:

• Removed auto_https off so Caddy handles TLS automatically with Let's Encrypt
• Replaced :8080 with your actual domain name
• Added audit logging (SecAuditEngine) for security monitoring
• Added JSON audit log format for easier parsing

Also update docker-compose to expose ports 80 and 443 instead of 8080, and add a volume for audit logs.