This rule, taken directly out of the example docs of coraza:
```
SecRule &REQUEST_COOKIES_NAMES:JSESSIONID "@eq 0" "id:45"
```
Causes all requests to fail, while nothing is logged.
Caddyfile:
```
{
    order coraza_waf first
    log {
        output stdout
        format console
        level debug
        include "http.handlers.waf"
    }
}
:80 {
    coraza_waf {
        load_owasp_crs
        directives <<CONF
        Include @coraza.conf-recommended
        SecRule &REQUEST_COOKIES_NAMES:JSESSIONID "@eq 0" "id:45"
        SecRuleEngine On
        CONF
    }
    respond 200 {
        body "Hello World"
    }
}
```
Curl response:
```
> curl -v http://127.0.0.1
* Trying 127.0.0.1:80...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.81.0
> Accept: */*
>
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server
```
When I remove that one line:
```
> curl -v http://127.0.0.1
* Trying 127.0.0.1:80...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/plain; charset=utf-8
< Server: Caddy
< Date: Sat, 29 Nov 2025 13:04:59 GMT
< Content-Length: 11
<
* Connection #0 to host 127.0.0.1 left intact
Hello World
```
Beyond the usual caddy startup logs, there's nothing else.