BunkerWeb — Open-Source Web Application Firewall
BunkerWeb is an NGINX-based reverse proxy and next-generation Web Application Firewall with ModSecurity rules, anti-bot challenges, and automatic Let's Encrypt for containerized apps.
Agent-ready installation
This asset can be installed after choosing the runtime, reviewing the plan, and running the corresponding command.
npx -y tokrepo@latest install 736fcfbd-38fa-11f1-9bc6-00163e2b0d79 --target codex
Run it after confirming the plan with a dry run.
What it is
BunkerWeb is an open-source Web Application Firewall (WAF) built on NGINX. It functions as a reverse proxy that adds security layers including ModSecurity OWASP Core Rule Set, rate limiting, bot detection, country blocking, automatic HTTPS via Let's Encrypt, and custom security plugins. BunkerWeb protects any web application regardless of its tech stack.
It is most useful for DevOps engineers and development teams who need to secure web applications against common attacks (SQL injection, XSS, CSRF, DDoS) without purchasing a commercial WAF product.
How it saves time or tokens
BunkerWeb bundles security features that typically require configuring multiple tools separately: NGINX for reverse proxy, ModSecurity for WAF rules, Certbot for TLS certificates, fail2ban for rate limiting, and custom scripts for bot detection. BunkerWeb provides all of these through a single configuration file or web UI. Deployment takes minutes with Docker, and the OWASP Core Rule Set provides baseline protection without writing custom rules.
How to use
- Deploy BunkerWeb with Docker:
  docker run -p 80:8080 -p 443:8443 \
    -e SERVER_NAME=app.example.com \
    -e REVERSE_PROXY_URL=/ \
    -e REVERSE_PROXY_HOST=http://backend:8080 \
    -e AUTO_LETS_ENCRYPT=yes \
    -e USE_MODSECURITY=yes \
    bunkerity/bunkerweb:latest
- BunkerWeb sits in front of your application, handling TLS termination, WAF filtering, and reverse proxying.
- Access the web UI at https://app.example.com:7000 to manage settings and view security logs.
Example
# docker-compose.yml with BunkerWeb protecting a web app
services:
  bunkerweb:
    image: bunkerity/bunkerweb:latest
    ports:
      - '80:8080'
      - '443:8443'
    environment:
      - SERVER_NAME=app.example.com
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myapp:3000
      - AUTO_LETS_ENCRYPT=yes
      - USE_MODSECURITY=yes
      - USE_BAD_BEHAVIOR=yes
      - LIMIT_REQ_RATE=10r/s
      - USE_COUNTRY=yes
      - BLACKLIST_COUNTRY=CN RU
  myapp:
    image: my-web-app:latest
    expose:
      - '3000'
Common pitfalls
- ModSecurity rules can produce false positives, blocking legitimate requests. Start with the OWASP rules in detection-only mode, review logs, then switch to blocking mode after tuning.
- Rate limiting settings need calibration for your traffic patterns. Too aggressive settings block real users; too lenient settings do not stop attacks.
- BunkerWeb adds latency as a reverse proxy layer. For latency-sensitive applications, benchmark the overhead and adjust worker/connection settings.
Frequently asked questions
Yes. BunkerWeb is open source. The community edition includes all core security features. A PRO version adds advanced features like a management UI, clustering, and premium support.
Yes. Set AUTO_LETS_ENCRYPT=yes and BunkerWeb obtains and renews TLS certificates from Let's Encrypt automatically. No manual certificate management required.
BunkerWeb protects against SQL injection, cross-site scripting (XSS), CSRF, directory traversal, bot traffic, DDoS (via rate limiting), and other OWASP Top 10 vulnerabilities through ModSecurity rules.
Yes. Configure multiple SERVER_NAME entries and REVERSE_PROXY rules in the config. Each application gets its own security settings. BunkerWeb routes requests to the correct backend based on hostname.
Yes. BunkerWeb provides a Kubernetes Ingress Controller that integrates with K8s clusters. Security policies are applied via annotations on Ingress resources.
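As an added illustration (not taken from the page above or from the BunkerWeb project's own documentation), the following compose fragment combines the multi-application setup from the previous answer with the detection-only tuning step from the pitfalls list. It assumes BunkerWeb's multisite mode (MULTISITE=yes), its per-site override convention of prefixing a setting with the server name, and that MODSECURITY_SEC_RULE_ENGINE accepts DetectionOnly; check those names against the documentation for your version before relying on them.

```yaml
# Added example: two applications behind one BunkerWeb instance.
# Assumed setting names (verify against your BunkerWeb version):
# MULTISITE, the "<server name>_" prefix for per-site overrides,
# and MODSECURITY_SEC_RULE_ENGINE (On / DetectionOnly).
services:
  bunkerweb:
    image: bunkerity/bunkerweb:latest
    ports:
      - '80:8080'
      - '443:8443'
    environment:
      - MULTISITE=yes
      - SERVER_NAME=app1.example.com app2.example.com
      - AUTO_LETS_ENCRYPT=yes
      # Global defaults: WAF in blocking mode, bad-behavior bans, rate limit.
      - USE_MODSECURITY=yes
      - MODSECURITY_SEC_RULE_ENGINE=On
      - USE_BAD_BEHAVIOR=yes
      - LIMIT_REQ_RATE=10r/s
      # app1 is newly onboarded: keep ModSecurity in detection-only mode
      # while reviewing the logs for false positives, then switch it to On.
      - app1.example.com_REVERSE_PROXY_URL=/
      - app1.example.com_REVERSE_PROXY_HOST=http://app1:3000
      - app1.example.com_MODSECURITY_SEC_RULE_ENGINE=DetectionOnly
      # app2 is already tuned: it inherits blocking mode and gets a
      # tighter per-site rate limit than the global default.
      - app2.example.com_REVERSE_PROXY_URL=/
      - app2.example.com_REVERSE_PROXY_HOST=http://app2:8000
      - app2.example.com_LIMIT_REQ_RATE=5r/s
  app1:
    image: my-first-app:latest
    expose:
      - '3000'
  app2:
    image: my-second-app:latest
    expose:
      - '8000'
```

Once the app1 logs show no false positives for representative traffic, remove its DetectionOnly override so it falls back to the global blocking mode.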