Merge pull request #8 from meshcloud/feature/keycloak

Feature/keycloak

Author: florianow

.github/workflows/build-container.yml

@@ -25,7 +25,7 @@ on:
       caddy_version:
         description: 'Caddy version to build'
         required: false
-        default: '2.7'
+        default: '2.9.1'
         type: string
       coraza_version:
         description: 'Coraza version to build'
@@ -89,7 +89,7 @@ jobs:
       with:
         images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
         tags: |
-          type=raw,value=caddy-${{ github.event.inputs.caddy_version || '2.8' }}-coraza-${{ github.event.inputs.coraza_version || 'v2.0.0' }}
+          type=raw,value=caddy-${{ github.event.inputs.caddy_version || '2.9.1' }}-coraza-${{ github.event.inputs.coraza_version || 'v2.0.0' }}
           type=sha,prefix=build-
           type=raw,value=latest,enable={{is_default_branch}}
 
@@ -102,7 +102,7 @@ jobs:
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         build-args: |
-          CADDY_VERSION=${{ github.event.inputs.caddy_version || '2.8' }}
+          CADDY_VERSION=${{ github.event.inputs.caddy_version || '2.9.1' }}
           CORAZA_VERSION=${{ github.event.inputs.coraza_version || 'v2.0.0' }}
         cache-from: type=gha
         cache-to: type=gha,mode=max

.gitignore

@@ -80,3 +80,12 @@ helpers/foundation-deployer/.steps.json
 
 # Go multi-module workspace sum
 go.work.sum
+
+# Certificate files
+*.pem
+*.crt
+*.key
+
+# Docker compose - Azure-specific opkssh config (contains FQDNs)
+docker-compose/opk-providers-azure/providers
+docker-compose/opk-auth_id-azure/auth_id

Caddyfile

@@ -1,5 +1,6 @@
 {
     order coraza_waf first
+    auto_https disable_redirects
 }
 
 # --- WAF for MinIO UI (port 8080) ---
@@ -10,7 +11,7 @@
 
     # Handle WebSocket paths without WAF
     handle /ws/* {
-        reverse_proxy localhost:9001 {
+        reverse_proxy minio:9001 {
             header_up Host {http.request.host}
             header_up X-Real-IP {remote}
             header_up X-Forwarded-For {remote}
@@ -37,7 +38,7 @@
             `
         }
 
-        reverse_proxy localhost:9001 {
+        reverse_proxy minio:9001 {
             header_up Host {http.request.host}
             header_up X-Real-IP {remote}
             header_up X-Forwarded-For {remote}
@@ -60,6 +61,42 @@
     }
 }
 
+# --- Keycloak Proxy HTTP (port 8082) ---
+:8082 {
+    reverse_proxy keycloak:8083 {
+        header_up Host localhost:8082
+        header_up X-Real-IP {remote}
+        header_up X-Forwarded-Proto http
+        header_up X-Forwarded-Host localhost:8082
+        header_up X-Forwarded-Port 8082
+    }
+
+    log {
+        output stdout
+        format json
+        level INFO
+    }
+}
+
+# --- Keycloak Proxy HTTPS (port 8443) ---
+localhost:8443 {
+    tls internal
+
+    reverse_proxy keycloak:8083 {
+        header_up Host localhost:8443
+        header_up X-Real-IP {remote}
+        header_up X-Forwarded-Proto https
+        header_up X-Forwarded-Host localhost:8443
+        header_up X-Forwarded-Port 8443
+    }
+
+    log {
+        output stdout
+        format json
+        level INFO
+    }
+}
+
 # --- WAF for MinIO API (port 8081) ---
 :8081 {
     handle /health {
@@ -78,7 +115,7 @@
             `
         }
 
-        reverse_proxy localhost:9000 {
+        reverse_proxy minio:9000 {
             header_up Connection {http.request.header.connection}
             header_up Upgrade {http.request.header.upgrade}
         }

Caddyfile.azure

@@ -0,0 +1,116 @@
+{
+    order coraza_waf first
+    auto_https disable_redirects
+}
+
+# --- WAF for MinIO UI (port 8080) ---
+:8080 {
+    handle /health {
+        respond "WAF-UI-OK" 200
+    }
+
+    # Handle WebSocket paths without WAF
+    handle /ws/* {
+        reverse_proxy localhost:9001 {
+            header_up Host {http.request.host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+            header_up Connection {http.request.header.connection}
+            header_up Upgrade {http.request.header.upgrade}
+            header_up Sec-WebSocket-Key {http.request.header.sec-websocket-key}
+            header_up Sec-WebSocket-Version {http.request.header.sec-websocket-version}
+            transport http {
+                read_timeout 300s
+                dial_timeout 300s
+            }
+        }
+    }
+
+    route {
+        coraza_waf {
+          load_owasp_crs
+            directives `
+                SecAction "id:1,phase:1,pass,nolog,initcol:tx=tx"
+                SecAction "id:2,phase:1,pass,nolog,setvar:tx.bucket_ops=0"
+                SecRule REQUEST_METHOD "@rx ^(PUT|POST|DELETE)$" "id:1003,phase:1,pass,msg:'Bucket operation',setvar:tx.bucket_ops=+1,expirevar:tx.bucket_ops=60"
+                SecRule TX:bucket_ops "@gt 50" "id:1004,phase:1,deny,status:429,msg:'Bucket operation rate limit exceeded'"
+            `
+        }
+
+        reverse_proxy localhost:9001 {
+            header_up Host {http.request.host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+            header_up Connection {http.request.header.connection}
+            header_up Upgrade {http.request.header.upgrade}
+            header_up Sec-WebSocket-Key {http.request.header.sec-websocket-key}
+            header_up Sec-WebSocket-Version {http.request.header.sec-websocket-version}
+            transport http {
+                read_timeout 300s
+                dial_timeout 300s
+            }
+        }
+    }
+
+    log {
+        output stdout
+        format json
+        level INFO
+    }
+}
+
+# --- Keycloak Proxy HTTP (port 8082) ---
+:8082 {
+    reverse_proxy localhost:8083 {
+        header_up Host {http.request.host}
+        header_up X-Real-IP {remote}
+        header_up X-Forwarded-For {remote}
+        header_up X-Forwarded-Proto https
+        header_up X-Forwarded-Host {http.request.host}
+        header_up X-Forwarded-Port 8444
+        header_up Accept-Encoding identity
+    }
+
+    replace {
+        "http://localhost:8083" "https://testminio.germanywestcentral.cloudapp.azure.com:8444"
+    }
+
+    log {
+        output stdout
+        format json
+        level INFO
+    }
+}
+
+# --- WAF for MinIO API (port 8081) ---
+:8081 {
+    handle /health {
+        respond "WAF-API-OK" 200
+    }
+
+    route {
+        coraza_waf {
+          load_owasp_crs
+            directives `
+                SecAction "id:10,phase:1,pass,nolog,initcol:tx=tx"
+                SecAction "id:11,phase:1,pass,nolog,setvar:tx.bucket_ops=0"
+                SecRule REQUEST_METHOD "@streq DELETE" "id:2001,phase:1,log,msg:'DELETE operation logged'"
+                SecRule REQUEST_METHOD "@rx ^(PUT|POST|DELETE)$" "id:2002,phase:1,pass,msg:'Bucket operation',setvar:tx.bucket_ops=+1,expirevar:tx.bucket_ops=60"
+                SecRule TX:bucket_ops "@gt 50" "id:2003,phase:1,deny,status:429,msg:'Bucket operation rate limit exceeded'"
+            `
+        }
+
+        reverse_proxy localhost:9000 {
+            header_up Connection {http.request.header.connection}
+            header_up Upgrade {http.request.header.upgrade}
+        }
+    }
+
+    log {
+        output stdout
+        format json
+        level INFO
+    }
+}

Dockerfile

@@ -1,7 +1,7 @@
 # Multi-stage build for Coraza-Caddy WAF
 
 # --- Versions ---
-ARG CADDY_VERSION=2.9
+ARG CADDY_VERSION=2.9.1
 ARG CORAZA_VERSION=v2.0.0
 
 # --- Build stage ---

README-coraza.md

@@ -5,7 +5,7 @@ A modern Web Application Firewall built with [Coraza](https://coraza.io) and [Ca
 ## Features
 
 - ✅ **OWASP Core Rule Set v4** - Latest security rules
-- ✅ **Multi-backend routing** - Single WAF protects MinIO UI + API
+- ✅ **Multi-backend routing** - Single WAF protects MinIO UI + API + Keycloak
 - ✅ **Security headers** - Production-ready security configuration
 - ✅ **Health checks** - Built-in monitoring endpoints
 - ✅ **Rate limiting** - API protection against abuse
@@ -28,6 +28,7 @@ docker pull ghcr.io/YOUR_USERNAME/minio_azure_container_app/coraza-caddy:latest
 |----------|---------|-------------|
 | `MINIO_UI_BACKEND` | `localhost:9001` | MinIO Console backend |
 | `MINIO_API_BACKEND` | `localhost:9000` | MinIO S3 API backend |
+| `KEYCLOAK_BACKEND` | `localhost:8083` | Keycloak backend (Azure only) |
 
 ### Basic Usage
 
@@ -46,18 +47,39 @@ docker run -d \
 ```
 Caddy WAF (8080) → MinIO UI (9001)
           (8081) → MinIO API (9000)
+          (8082) → Keycloak (8083) [Azure only]
+          (8443) → Keycloak HTTPS (8083) [Local dev only]
 ```
 
+### Port Mapping
+
+| Port | Service | WAF Enabled | Environment |
+|------|---------|-------------|-------------|
+| 8080 | MinIO UI | ✅ Yes | Both |
+| 8081 | MinIO API | ✅ Yes | Both |
+| 8082 | Keycloak HTTP | ❌ No (proxy only) | Azure |
+| 8443 | Keycloak HTTPS | ❌ No (proxy only) | Local dev |
+
 ### Request Routing
 
+**MinIO UI (port 8080):**
 - **`/`** → MinIO Console (UI)
-- **`/api/*`** → MinIO S3 API
-- **`/s3/*`** → MinIO S3 API (direct bucket access)
+- **`/ws/*`** → WebSocket connections (WAF bypassed)
+- **`/health`** → Health check endpoint
+
+**MinIO API (port 8081):**
+- **All paths** → MinIO S3 API
 - **`/health`** → Health check endpoint
 
+**Keycloak (port 8082/8443):**
+- **All paths** → Keycloak authentication service
+
 ## Security Features
 
-### WAF Protection
+### WAF Protection (MinIO UI & API only)
+
+Keycloak endpoints use simple reverse proxy without WAF to avoid conflicts with authentication flows.
+
 - SQL injection prevention
 - XSS protection
 - Command injection blocking
@@ -86,10 +108,14 @@ env:
     value: "localhost:9001"
   - name: MINIO_API_BACKEND
     value: "localhost:9000"
+  - name: KEYCLOAK_BACKEND
+    value: "localhost:8083"
 ```
 
 ### Health Check
-The container exposes `/health` on port 8080 for health checks.
+The container exposes `/health` endpoints:
+- Port 8080: MinIO UI health check
+- Port 8081: MinIO API health check
 
 ## Development
 
@@ -125,7 +151,11 @@ docker logs minio-waf | jq '.audit'
 
 ### Health Check
 ```bash
+# MinIO UI health check
 curl http://localhost:8080/health
+
+# MinIO API health check
+curl http://localhost:8081/health
 ```
 
 ### WAF Status