# BunkerWeb — Open-Source Web Application Firewall

> BunkerWeb is an NGINX-based reverse proxy and next-generation Web Application Firewall with ModSecurity rules, anti-bot challenges, and automatic Let's Encrypt for containerized apps.

## Install

Save the following in your project root:

## Quick Use

```bash
# Docker Compose — all-in-one
cat > docker-compose.yml <<'EOF'
services:
  bunkerweb:
    image: bunkerity/bunkerweb:1.5
    # BunkerWeb listens on 8080/8443 inside the container
    ports: [ '80:8080', '443:8443' ]
    environment:
      SERVER_NAME: 'app.example.com'
      AUTO_LETS_ENCRYPT: 'yes'
      USE_REVERSE_PROXY: 'yes'
      REVERSE_PROXY_URL: '/'
      # 'myapp' is your application's service on the same Docker network
      REVERSE_PROXY_HOST: 'http://myapp:8080'
    restart: unless-stopped
EOF
docker compose up -d
```

## Introduction

BunkerWeb wraps NGINX with a curated security ruleset so that any HTTP service can gain WAF protection, rate limiting, and TLS without its operators having to become security engineers. It is the free successor to bunkerized-nginx and is maintained by Bunkerity.

## What BunkerWeb Does

- Terminates TLS and auto-renews certificates via Let's Encrypt
- Blocks OWASP Top 10 attacks with ModSecurity CRS rules
- Challenges suspicious traffic with JavaScript, captcha, or proof-of-work
- Applies per-site rate limits, geo-blocking, and DNSBL checks
- Integrates with CrowdSec and AbuseIPDB threat feeds

## Architecture Overview

A scheduler container reads the configuration (environment variables, files, or the UI), renders the NGINX configs, and signals the bunkerweb container to reload. An optional bw-ui container adds a web console. In Kubernetes, the Ingress controller variant runs the same engine as a DaemonSet.
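The scheduler described above turns a flat set of environment variables into per-server NGINX configuration. The Python script below is an added example, not BunkerWeb's own code: it models that resolution for the multi-site pattern (one `SERVER_NAME` list, per-host overrides) and runs a few pre-deploy checks over the kind of settings used in the compose file above. It assumes BunkerWeb's documented convention that `SERVER_NAME` is a space-separated list of hostnames and that a `<hostname>_` prefix overrides a setting for that host; the check rules, the function names `resolve_site_settings`/`check_config`, and the sample environment are this example's own.

```python
"""Resolve BunkerWeb-style per-site settings and sanity-check them before deploy.

Added example (not BunkerWeb code). Assumed conventions:
  * SERVER_NAME is a space-separated list of hostnames.
  * "<hostname>_<SETTING>" overrides <SETTING> for that hostname only.
The validation rules are this example's own choices.
"""
from __future__ import annotations

from ipaddress import ip_address
from urllib.parse import urlparse

YES = "yes"


def _servers(env: dict[str, str]) -> list[str]:
    """Hostnames served by this instance (assumed space-separated convention)."""
    return env.get("SERVER_NAME", "").split()


def resolve_site_settings(env: dict[str, str], server: str) -> dict[str, str]:
    """Settings for one server: globals first, then `<server>_` keys override."""
    prefixes = tuple(f"{s}_" for s in _servers(env))
    # Global settings: everything that is not SERVER_NAME and not host-prefixed.
    settings = {k: v for k, v in env.items()
                if k != "SERVER_NAME" and not k.startswith(prefixes)}
    own = f"{server}_"
    settings.update({k[len(own):]: v for k, v in env.items() if k.startswith(own)})
    return settings


def _is_public_dns_name(name: str) -> bool:
    """Let's Encrypt issues for DNS names, not IP literals or bare local names."""
    try:
        ip_address(name)
        return False
    except ValueError:
        pass
    return "." in name and name != "localhost"


def check_site(server: str, s: dict[str, str]) -> list[str]:
    """Return human-readable findings for one server (empty list = looks fine)."""
    findings: list[str] = []
    if s.get("USE_REVERSE_PROXY") == YES:
        for key in ("REVERSE_PROXY_HOST", "REVERSE_PROXY_URL"):
            if not s.get(key):
                findings.append(f"{server}: USE_REVERSE_PROXY=yes but {key} is missing")
        upstream = s.get("REVERSE_PROXY_HOST", "")
        if upstream:
            u = urlparse(upstream)
            if u.scheme not in ("http", "https") or not u.hostname:
                findings.append(f"{server}: REVERSE_PROXY_HOST {upstream!r} is not an http(s) URL")
            elif u.hostname in ("localhost", "127.0.0.1"):
                # Inside the bunkerweb container, localhost is BunkerWeb itself,
                # not the application container; use the compose service name.
                findings.append(f"{server}: REVERSE_PROXY_HOST points at localhost; "
                                "use the app's service name instead")
    if s.get("AUTO_LETS_ENCRYPT") == YES:
        if not _is_public_dns_name(server):
            findings.append(f"{server}: AUTO_LETS_ENCRYPT=yes needs a public DNS name")
    else:
        findings.append(f"{server}: AUTO_LETS_ENCRYPT is not 'yes'; make sure a "
                        "certificate is supplied another way")
    return findings


def check_config(env: dict[str, str]) -> dict[str, list[str]]:
    """Findings keyed by server name for every site in SERVER_NAME."""
    servers = _servers(env)
    if not servers:
        return {"": ["SERVER_NAME is empty"]}
    return {srv: check_site(srv, resolve_site_settings(env, srv)) for srv in servers}


# Constructed sample: the compose settings above plus a second, misconfigured site.
SAMPLE_ENV = {
    "SERVER_NAME": "app.example.com 203.0.113.10",
    "AUTO_LETS_ENCRYPT": "yes",
    "USE_REVERSE_PROXY": "yes",
    "REVERSE_PROXY_URL": "/",
    "REVERSE_PROXY_HOST": "http://myapp:8080",
    # Per-site override (constructed): the second site proxies to localhost.
    "203.0.113.10_REVERSE_PROXY_HOST": "http://localhost:9000",
}

if __name__ == "__main__":
    for srv, issues in check_config(SAMPLE_ENV).items():
        print(f"{srv or '(none)'}: {'ok' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it against the real `environment:` block (exported with `docker compose config` or read from an `.env` file) before `docker compose up -d`; the two findings on the constructed second site are exactly the mistakes that otherwise surface only as a failed ACME challenge or a 502 from the proxy.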
## Self-Hosting & Configuration

- Docker, Kubernetes Helm chart, or Linux `.deb`/`.rpm` packages
- Environment variables map 1:1 to NGINX directives
- Per-service config via the `SERVER_NAME` multi-site pattern
- Enable the UI container for a visual policy editor
- Plugins published as Docker images, hot-loaded by the scheduler

## Key Features

- Pre-tuned ModSecurity with Core Rule Set 3.3
- Anti-bot challenges that don't require external services
- Automatic HTTPS plus HSTS, OCSP stapling, modern TLS defaults
- Kubernetes IngressClass for gradual rollout alongside existing controllers
- Community edition is AGPL-3; enterprise edition adds support and features

## Comparison with Similar Tools

- **NGINX + ModSecurity** — same engine, manual wiring
- **Cloudflare** — SaaS, no self-hosting option
- **Traefik + CrowdSec** — less default security, more cloud-native
- **ModSecurity on Apache** — mature but dated stack
- **Wallarm/Fastly** — commercial managed WAFs

## FAQ

**Q:** Does it replace my ingress controller?
**A:** It can — the K8s edition acts as the IngressClass and enforces WAF rules.

**Q:** How noisy is ModSecurity by default?
**A:** BunkerWeb ships paranoia level 1, tuned to minimize false positives. Tune per site as needed.

**Q:** Can I bring my own TLS certificates?
**A:** Yes — mount `/data/certs` or disable auto-renew and provide cert+key env vars.

**Q:** Is there vendor lock-in?
**A:** No — the generated NGINX config is portable; you can exit at any time.

## Sources

- https://github.com/bunkerity/bunkerweb
- https://docs.bunkerweb.io/

---

Source: https://tokrepo.com/en/workflows/736fcfbd-38fa-11f1-9bc6-00163e2b0d79
Author: AI Open Source