Configs · Apr 15, 2026 · 2 min read

BunkerWeb — Open-Source Web Application Firewall

BunkerWeb is an NGINX-based reverse proxy and next-generation Web Application Firewall with ModSecurity rules, anti-bot challenges, and automatic Let's Encrypt for containerized apps.

TL;DR
BunkerWeb is an NGINX-based WAF with ModSecurity rules, rate limiting, bot detection, and automatic HTTPS in one package.
§01

What it is

BunkerWeb is an open-source Web Application Firewall (WAF) built on NGINX. It functions as a reverse proxy that adds security layers in front of your application, including ModSecurity with the OWASP Core Rule Set, rate limiting, bot detection, country blocking, automatic HTTPS via Let's Encrypt, and custom security plugins. Because it works at the proxy layer, BunkerWeb protects any web application regardless of its tech stack.

It benefits most DevOps engineers and development teams who need to secure web applications against common attacks (SQL injection, XSS, CSRF, DDoS) without purchasing commercial WAF products.

§02

How it saves time or tokens

BunkerWeb bundles security features that typically require configuring multiple tools separately: NGINX for reverse proxy, ModSecurity for WAF rules, Certbot for TLS certificates, fail2ban for rate limiting, and custom scripts for bot detection. BunkerWeb provides all of these through a single configuration file or web UI. Deployment takes minutes with Docker, and the OWASP Core Rule Set provides baseline protection without writing custom rules.

§03

How to use

  1. Deploy BunkerWeb with Docker:

     docker run -p 80:8080 -p 443:8443 \
       -e SERVER_NAME=app.example.com \
       -e REVERSE_PROXY_URL=/ \
       -e REVERSE_PROXY_HOST=http://backend:8080 \
       -e AUTO_LETS_ENCRYPT=yes \
       -e USE_MODSECURITY=yes \
       bunkerity/bunkerweb:latest

  2. BunkerWeb sits in front of your application, handling TLS termination, WAF filtering, and reverse proxying.
  3. Access the web UI at https://app.example.com:7000 to manage settings and view security logs.
§04

Example

# docker-compose.yml with BunkerWeb protecting a web app
services:
  bunkerweb:
    image: bunkerity/bunkerweb:latest
    ports:
      - '80:8080'
      - '443:8443'
    environment:
      - SERVER_NAME=app.example.com
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myapp:3000
      - AUTO_LETS_ENCRYPT=yes
      - USE_MODSECURITY=yes
      - USE_BAD_BEHAVIOR=yes
      - LIMIT_REQ_RATE=10r/s
      - USE_COUNTRY=yes
      - BLACKLIST_COUNTRY=CN RU

  myapp:
    image: my-web-app:latest
    expose:
      - '3000'
§05

Common pitfalls

  • ModSecurity rules can produce false positives, blocking legitimate requests. Start with the OWASP rules in detection-only mode, review logs, then switch to blocking mode after tuning.
  • Rate limiting settings need calibration for your traffic patterns. Too aggressive settings block real users; too lenient settings do not stop attacks.
  • BunkerWeb adds latency as a reverse proxy layer. For latency-sensitive applications, benchmark the overhead and adjust worker/connection settings.
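The first pitfall above is easiest to work through with a little tooling: run the OWASP rules in detection-only mode (BunkerWeb exposes ModSecurity's SecRuleEngine as MODSECURITY_SEC_RULE_ENGINE, so detection-only is MODSECURITY_SEC_RULE_ENGINE=DetectionOnly), then count which rule fires on which endpoint before turning blocking on. The script below is an added example, not BunkerWeb's own code; it assumes the bracketed `[id "..."] [msg "..."] [uri "..."]` fields that ModSecurity v3 writes into the NGINX error log, and the sample lines are constructed.

```python
import re
from collections import Counter

# ModSecurity v3 (the engine BunkerWeb bundles) appends its events to the
# NGINX error log as bracketed key/value pairs, e.g. [id "942100"] [msg "..."].
# Assumption: lines follow that format; this parser is added here and is not
# BunkerWeb code.
_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_line(line):
    """Return the bracketed fields of one ModSecurity event, else None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(_FIELD.findall(line))
    return fields if "id" in fields else None

def summarize(lines):
    """Count hits per (rule id, uri) and remember each rule's message.
    A rule that fires repeatedly on one endpoint is a tuning candidate
    before MODSECURITY_SEC_RULE_ENGINE is switched from DetectionOnly to On."""
    hits, messages = Counter(), {}
    for line in lines:
        ev = parse_modsec_line(line)
        if ev is None:
            continue
        hits[(ev["id"], ev.get("uri", "?"))] += 1
        messages[ev["id"]] = ev.get("msg", "")
    return hits, messages

def likely_false_positives(hits, threshold=3):
    """(rule id, uri, count) tuples reaching the threshold, most frequent first."""
    return sorted(((rid, uri, n) for (rid, uri), n in hits.items() if n >= threshold),
                  key=lambda t: -t[2])

# Constructed sample log lines (not captured from a real deployment).
_PREFIX = '2026/04/15 10:00:01 [error] 7#7: *1 ModSecurity: Warning. Matched "Operator Rx" '
SAMPLE_LOG = [
    _PREFIX + '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
              '[severity "2"] [uri "/search"] [unique_id "c1"], client: 203.0.113.5',
    '2026/04/15 10:00:02 [notice] 7#7: signal process started',  # not a WAF event
] + [
    _PREFIX + '[id "941100"] [msg "XSS Attack Detected via libinjection"] '
              '[severity "2"] [uri "/editor"] [unique_id "c%d"], client: 198.51.100.7' % i
    for i in range(2, 5)  # a rich-text editor tripping the XSS rule three times
]

if __name__ == "__main__":
    hits, messages = summarize(SAMPLE_LOG)
    for rid, uri, n in likely_false_positives(hits):
        print(f"rule {rid} ({messages[rid]}) fired {n}x on {uri}: review before blocking")
```

Point it at BunkerWeb's NGINX error log instead of SAMPLE_LOG; rules that dominate a single URI are the ones to review (and, if benign, exclude for that path) before enabling blocking mode.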

Frequently Asked Questions

Is BunkerWeb free?

Yes. BunkerWeb is open source. The community edition includes all core security features. A PRO version adds advanced features like a management UI, clustering, and premium support.

Does BunkerWeb handle HTTPS automatically?

Yes. Set AUTO_LETS_ENCRYPT=yes and BunkerWeb obtains and renews TLS certificates from Let's Encrypt automatically. No manual certificate management required.

What attacks does BunkerWeb protect against?

BunkerWeb protects against SQL injection, cross-site scripting (XSS), CSRF, directory traversal, bot traffic, DDoS (via rate limiting), and other OWASP Top 10 vulnerabilities through ModSecurity rules.

Can BunkerWeb protect multiple applications?

Yes. Configure multiple SERVER_NAME entries and REVERSE_PROXY rules in the config. Each application gets its own security settings. BunkerWeb routes requests to the correct backend based on hostname.

Does BunkerWeb work with Kubernetes?

Yes. BunkerWeb provides a Kubernetes Ingress Controller that integrates with K8s clusters. Security policies are applied via annotations on Ingress resources.
