What is BunkerWeb — Open-Source Web Application Firewall?

BunkerWeb is an NGINX-based reverse proxy and next-generation Web Application Firewall with ModSecurity rules, anti-bot challenges, and automatic Let's Encrypt for containerized apps.

Is BunkerWeb — Open-Source Web Application Firewall free to use?

Yes. BunkerWeb — Open-Source Web Application Firewall is freely available on TokRepo. Check the Source & Thanks section on the asset page for the specific open-source license.

How do I install BunkerWeb — Open-Source Web Application Firewall?

Visit the asset page on TokRepo and click "Copy for agent" to get the installation instructions. Most assets can be installed with a single command.

BunkerWeb — Open-Source Web Application Firewall

Introduction

BunkerWeb wraps NGINX with a curated security ruleset so any HTTP service can gain WAF protection, rate limiting, and TLS without becoming a security engineer. It is the free successor to bunkerized-nginx and is maintained by Bunkerity.

What BunkerWeb Does

Terminates TLS and auto-renews certificates via Let's Encrypt
Blocks OWASP Top 10 attacks with ModSecurity CRS rules
Challenges suspicious traffic with JavaScript, captcha, or proof-of-work
Applies per-site rate limits, geo-blocking, and DNSBL checks
Integrates with CrowdSec and AbuseIPDB threat feeds

Architecture Overview

A scheduler container reads configuration (env vars, files, or UI), renders NGINX configs, and signals the bunkerweb container to reload. An optional bw-ui adds a web console. In Kubernetes, the Ingress controller variant runs the same engine as a daemonset.

Self-Hosting & Configuration

Docker, Kubernetes Helm chart, or Linux .deb/.rpm packages
Environment variables map 1:1 to NGINX directives
Per-service config via SERVER_NAME multi-site pattern
Enable the UI container for a visual policy editor
Plugins published as Docker images, hot-loaded by the scheduler

Key Features

Pre-tuned ModSecurity with Core Rule Set 3.3
Anti-bot challenges that don't require external services
Automatic HTTPS plus HSTS, OCSP stapling, modern TLS defaults
Kubernetes IngressClass for gradual rollout alongside existing controllers
Community edition is AGPL-3, enterprise edition adds support and features

Comparison with Similar Tools

NGINX + ModSecurity — same engine, manual wiring
Cloudflare — SaaS, no self-hosting option
Traefik + Crowdsec — less default security, more cloud-native
ModSecurity on Apache — mature but dated stack
Wallarm/Fastly — commercial managed WAFs

FAQ

Q: Does it replace my ingress controller? A: It can — the K8s edition acts as the IngressClass and enforces WAF rules.

Q: How noisy is ModSecurity by default? A: BunkerWeb ships paranoia level 1, tuned to minimize false positives. Tune per site as needed.

Q: Can I bring my own TLS certificates? A: Yes — mount /data/certs or disable auto-renew and provide cert+key env vars.

Q: Is there vendor lock-in? A: No — the generated NGINX config is portable; you can exit at any time.

BunkerWeb — Open-Source Web Application Firewall

Introduction

What BunkerWeb Does

Architecture Overview

Self-Hosting & Configuration

Key Features

Comparison with Similar Tools

FAQ

Sources

讨论

相关资产

Citus — Distributed PostgreSQL for Sharding and HTAP

Trino — Fast Distributed SQL Query Engine for Data Lakes

BadgerDB — Fast Embeddable Key-Value Store in Pure Go