A powerful free and open source WAF – UUSEC WAF
14 comments
·March 16, 2025ssddanbrown
The license used [1] would mean this very much wouldn't be widely considered open source, since the license sets limits on use and does not seem to provide open modification nor distribution.
[1] https://github.com/Safe3/uuWAF/blob/393262d525d0e35c14819bfa...
tomku
I don't think it's even source-available? The repo has docs, a bunch of Lua scripts (for what software?), a small PHP module and a compiled "geo-ip firewall" binary. Most of the features mentioned on the Github page appear to only be in the paid version of the software, and this limited "free" version is delivered as a mystery-meat Docker image pulled from Huawei Cloud.
At best this is an advertisement that lies about being open source.
ubrpwnzr
The docker images it builds from are on Huawei cloud? I’d approach this with caution.
chucky_z
I would take this as two things at once, from personal opinion:
- There is probably a PRC backdoor somewhere in this
- This is probably very high quality software
I've dealt with Huawei security a little bit and in general Huawei as a company is really serious about security and handles low-level/deep security software pretty well.
Also based on what the top commenter posted about the license... I don't know how usable this actually is for anyone, lol.
Sparkyte
I have growing concerns with the increased costs of WAFs. I am certainly not getting excited about how expensive things are getting from places like Akamai and Cloudfront. I'm just idly waiting to see where things land. An OpenSource solution is nice although the costs for infrastructure do crank up. Wonder how this compares to Fastly?
I see others mention it isn't a truly free even if Open Source, is this thread an ad?
sourtrident
It's wild to see machine learning baked right into a free WAF - feels like having an AI watchdog that never sleeps. Curious to see how this shifts the security landscape long-term, especially for startups that can't afford heavyweight protection systems.
HumanOstrich
All your comments read like they're generated by an LLM from a template.
arunc
Just curious, how do you test and benchmark the accuracy for such a product across different vendors, like CloudFlare?
pluto_modadic
how does this compare to, say, https://github.com/corazawaf/coraza (Apache licensed, either embeddable as a library, as an nginx or caddy plugin, or standalone?)
curtisszmania
[dead]
uusec
[flagged]
HumanOstrich
You already used this spam text in your spam issues you opened in other people's repos. Can't you get your LLM to generate some variety at least?
jacobmarble
This reads like LLM generated text.
Those guys are also opening "ad" issues on unrelated repositories[0]. Adding that to what others mentioned, it really doesn't inspire confidence in the software
https://github.com/goauthentik/authentik/issues/13521