Skip to content(if available)orjump to list(if available)

Show HN: BunkerWeb – the open-source and cloud-native WAF

Show HN: BunkerWeb – the open-source and cloud-native WAF

25 comments

·July 4, 2025
Visit

SbEpUBz2

I can't unban myself from the demo :)

jnettome

I just love this project! BunkerWeb was a huge help when I was self-hosting my products with Docker Swarm. It offers tons of configuration options—especially useful for those needing a WAF and dealing with heavy bot traffic.

Since moving to Kubernetes, I haven’t used or evaluated it there yet, but kudos to the team for continuing to update and improve the project. Keep up the great work!

bnkty

Thanks for the kind words!

Kubernetes integration is really awesome, you can use BunkerWeb ingress controller or mix it with an existing ingress controller.

seymon

What's the benefit of just using plain owasp modsecurity?

It also exists as a docker container as an nginx reverse proxy with modsecurity extension.

https://coreruleset.org/docs/6-development/6-6-useful_tools/...

bnkty

ModSecurity doesn't offer antibot, bad behavior, certificate management, ... You can find the full list of features here : https://docs.bunkerweb.io/latest/features/

chrismorgan

Your site talks of BunkerWeb PRO, which is, by the sound of it, not open source. But I have no idea what is actually different about it: https://panel.bunkerweb.io/knowledgebase/105/What-is-BunkerW... flatly doesn’t answer the question: “additional features and services responding to professional needs” is impressively vague.

bnkty

Features with a crown icon are PRO, you will find full list of free and PRO features here : https://docs.bunkerweb.io/latest/features/

chrismorgan

Might I suggest at the very least linking to that from https://panel.bunkerweb.io/knowledgebase/105/What-is-BunkerW... and https://panel.bunkerweb.io/store/bunkerweb-pro.

jqpabc123

How is this better than Caddy?

bnkty

Caddy does not offer full application protection besides HTTPS and basic stuff.

qmarchi

While neat, I feel like in the current age of "let's throw shitloads of packets and see how they like that", this solves _a problem_, but I feel that most of the security products solve it by anycasting IP ranges.

Neat to see another use case for NGNIX though!

lta

I'm still strongly suspecting this whole WAF thing is mostly complete bullshit intended for projects doing security works mostly from spreadsheets.

Could someone with a proper background in security confirm or invalidate my suspicion ?

mac-chaffee

I'd generally confirm that suspicion: https://www.macchaffee.com/blog/2023/wafs/

WAFs have a few valid uses in my opinion: "virtual patching" and the ability to create custom rules such as blocking/challenging/rate limiting obviously bad traffic. But the giant rulesets are actively harmful IMO. "Defense in depth" is not a valid justification for doing something actively harmful to both your users and the time budget of your security team.

ivanr

+1 Absolutely. (Source: Original author of ModSecurity.)

mmarian

Just wanted to say that it's a great blog post, thanks for writing it!

josephcsible

You are correct. Actual security needs to be inherently part of the application; you can't get it just by slapping something in front of it. And the way most WAFs work is basically just a fancier version of what https://thedailywtf.com/articles/Injection_Rejection does, which is horrifically bad on sites where people try to discuss HTML or SQL.

macNchz

In addition to defense-in-depth—simply adding a bunch of imperfect layers and acknowledging that no individual layer like this is all that effective on its own—there’s a component of creating signal: it can be pretty trivial for a motivated attacker to bypass a WAF, however it may not be trivial to do so without creating a paper trail of event logs, which can be used to trigger automated blocks or escalate alarms for a human to intervene.

ethan_smith

WAFs aren't bullshit but have limitations - they're effective against known attack patterns (SQLi, XSS) but can be bypassed with sophisticated techniques. They're best as one layer in a defense-in-depth strategy, not a complete security solution.

daeken

I mean ... You're not completely wrong, but you're not completely right either. For context: I've been working full-time in security for 15 years and on the fringes (reversing) for many more.

WAFs in and of themselves provide virtually zero security. They can block naive attacks -- catching the most obvious payloads -- and act as an early-warning signal that an attack may be underway (though the SNR on this is awful). But frankly, this is far less important in practice than the fact that it just makes things more difficult and annoying for attackers. Enough so that it can make a semi-attractive target into a no-go.

This is like defense-in-depth, but instead of layering protections in place so that the holes in the swiss cheese don't like up, you're making the cheese smell awful enough to ignore the juicy apple behind it.

If you're a valuable enough target, they're gonna go for the apple regardless of how bad the cheese is. ... And this analogy may have gotten away from me.

dontTREATonme

Is there a significant difference between this and nginx proxy manager?

justusthane

They're both reverse proxies built on nginx, but the whole point of BunkerWeb is that it's a WAF, which NPM is not, so that's a significant difference.

In short, NPM doesn't do any of the stuff listed under Security Features here: https://docs.bunkerweb.io/latest/#security-features

jeauxlb

NPM will automate Let's Encrypt certificate generation but you're right about the other listed features.

sreekanth850

How this compare against safeline?

noobcoder

Is the syntax same as nginx?

bnkty

Custom nginx configs are supported (more info here : https://docs.bunkerweb.io/latest/advanced/#custom-configurat...) but BunkerWeb also includes its own list of settings.