Production-Grade Architecture Overview

edge-stack is a lightweight edge gateway architecture that combines:

• Caddy for TLS termination and reverse proxying
• CrowdSec for IP reputation blocking
• Coraza (OWASP CRS) for WAF protections
• A Go auth/quota agent backed by SQLite

Instead of embedding large static code/config dumps here, this README now points to the source files directly.

---

Architecture

Traffic flow:

1. Request reaches caddy
2. CrowdSec bouncer applies threat-intel based decisions
3. Coraza WAF evaluates requests against CRS rules
4. forward_auth calls the Go agent (/v1/tenant-check)
5. Agent returns X-Backend-Target when access is allowed
6. Caddy proxies to the target Unix socket backend

---

Key Files

• Orchestration: docker-compose.yml
• Caddy config: caddy/Caddyfile
• Caddy image build: caddy/Dockerfile
• Agent source: agent/main.go
• Agent module file: agent/go.mod
• Agent image build: agent/Dockerfile

---

Data Model (SQLite)

The agent uses three primary tables:

• http: host config + quota state + rolling counters
• http_now: current aggregation window
• http_history: hour-based long-term history

See schema creation/migration logic in agent/main.go.

---

Test Coverage

• Handler-focused E2E tests: agent/main_e2e_test.go
• Full Caddy+agent E2E tests (tagged): agent/caddy_e2e_test.go

Run from agent/

go test ./... 
go test -tags=e2e ./... 

---

Notes

• Keep production config in source files, not duplicated docs.
• Update links above if files are renamed or moved.