bunkerweb
🛡️ Open-source and cloud-native Web Application Firewall (WAF)
BunkerWeb is an open-source web application firewall built on NGINX that sits in front of your web service, blocking attacks like SQL injection and XSS, enforcing HTTPS, and protecting against bad IPs, with security on by default so you don't have to configure it manually.
BunkerWeb is an open-source web application firewall, which is a security layer that sits in front of your web services and blocks malicious traffic before it reaches your application. It is built on top of NGINX, a widely used web server, and adds a large set of security protections that are turned on by default.
The core idea is that most web servers are not secure out of the box, and developers have to configure security manually or forget about it entirely. BunkerWeb tries to flip that by making the safe configuration the default, so a site running behind it gets protection without the developer needing to write custom firewall rules.
Out of the box, BunkerWeb provides several protections without extra configuration:
- automatic HTTPS setup using Let's Encrypt certificates
- strict HTTP security headers to reduce browser-level attacks
- ModSecurity (a well-known open-source WAF engine) with the OWASP Core Rule Set, which catches common attack patterns like SQL injection and cross-site scripting
- blocking of known bad IP addresses using external blocklists
- CAPTCHA or JavaScript challenges for suspicious visitors before letting them through
It can be deployed on a regular Linux server, inside Docker containers, across Docker Swarm clusters, or on Kubernetes. It acts as a reverse proxy, meaning it receives incoming web traffic, checks it, and passes clean requests through to the actual application running behind it. Configuration can be done through a web interface rather than the command line, which the README describes as a key feature for users who are not comfortable with terminal commands.
The plugin system lets users add extra security modules beyond what ships in the core. A paid PRO version and a hosted cloud option called BunkerWeb Cloud are also available for teams that want managed hosting or additional features. The open-source version is licensed under AGPLv3.
Where it fits
- Add automatic HTTPS and attack blocking to an existing web app by putting BunkerWeb in front of it as a reverse proxy
- Protect a Kubernetes-hosted service from SQL injection, XSS, and known bad IP addresses using the OWASP rule set
- Configure CAPTCHA challenges for suspicious visitors through a web UI without writing any custom firewall rules
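As an added configuration example (not code from the BunkerWeb project or its README), the following docker-compose fragment combines the scenarios above in one deployment: BunkerWeb as a reverse proxy with automatic HTTPS, ModSecurity with the OWASP Core Rule Set, IP blocklists, and a CAPTCHA challenge for suspicious visitors. The setting names are BunkerWeb's environment-variable settings; the application container name `myapp`, its image, the hostname `www.example.com`, the image tag, and the omission of the companion scheduler and Docker socket-proxy services that current releases also require are assumptions to check against the project's documentation.

```yaml
# Added example, not from the BunkerWeb project: BunkerWeb in front of a
# hypothetical application container "myapp". Image tag, hostnames and the
# missing companion services (scheduler, socket proxy) are assumptions.
services:
  bunkerweb:
    image: bunkerity/bunkerweb:1.5      # assumption: pin a real release tag
    ports:
      - "80:8080"    # HTTP, used for the Let's Encrypt challenge and redirects
      - "443:8443"   # HTTPS, terminated by BunkerWeb
    environment:
      # Hostname this instance serves; the certificate is issued for it
      - SERVER_NAME=www.example.com
      # Reverse proxy: forward everything under / to the app container
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myapp:8080
      # Automatic HTTPS via Let's Encrypt
      - AUTO_LETS_ENCRYPT=yes
      # ModSecurity with the OWASP Core Rule Set (SQLi, XSS and similar patterns)
      - USE_MODSECURITY=yes
      - USE_MODSECURITY_CRS=yes
      # External reputation blocklists for known-bad client IPs
      - USE_BLACKLIST=yes
      # Challenge suspicious clients before they reach the app
      # (other accepted values include "javascript" and "no")
      - USE_ANTIBOT=captcha
    networks:
      - bw-services
  myapp:
    # Placeholder for the protected application; any HTTP service works.
    image: my-org/myapp:latest          # assumption: your own application image
    expose:
      - "8080"       # reachable only from containers on bw-services
    networks:
      - bw-services
networks:
  bw-services:
```

The protected application uses `expose` rather than `ports`, so it is reachable only from BunkerWeb on the shared network; publishing the app's port on the host would let clients bypass the WAF entirely. Once real traffic flows, review the ModSecurity logs for false positives, since the Core Rule Set can block legitimate requests on some applications and may need tuning.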