BunkerWeb

BunkerWeb is a next-generation, open-source web application firewall (WAF) that runs as an NGINX-based reverse proxy in front of your web services. It aims to provide secure-by-default protection for websites, applications, and APIs while staying easy to integrate into common deployment environments.

Key Features

• Reverse proxy web server built on NGINX for fronting multiple web services
• Built-in web security hardening (TLS configuration, HTTP security headers)
• Automated HTTPS certificate management with ACME/Let’s Encrypt
• Integrated ModSecurity WAF with OWASP Core Rule Set support
• Rate limiting and request/connection limiting to reduce abuse
• Automatic banning based on suspicious behavior and HTTP status patterns
• Bot protection with challenge mechanisms (for example JavaScript, cookie, CAPTCHA)
• IP reputation blocking via external lists and DNSBL
• Extensible plugin system for adding or customizing security capabilities
• Optional web UI for managing instances and configuration

Use Cases

• Protecting self-hosted websites and web apps behind a hardened reverse proxy
• Shielding APIs from common web attacks, abusive clients, and automated bots
• Standardizing HTTPS/TLS and baseline security policies across environments

Limitations and Considerations

• Some advanced capabilities are reserved for the commercial PRO offering
• As with any WAF, effective protection requires careful tuning to minimize false positives

BunkerWeb is a strong fit when you want an auditable, configurable WAF that can be deployed across Linux, containers, and Kubernetes. Its secure-by-default approach, NGINX foundation, and plugin model make it suitable for both homelabs and production environments.