Self-Hosted Web Application Firewalls

SafeLine is a containerized web application firewall and reverse proxy designed to secure web services by inspecting incoming HTTP traffic. It acts as a security gateway that sits in front of backend infrastructure to filter malicious requests and enforce access policies before they reach the application server. The platform distinguishes itself through advanced bot mitigation and content protection capabilities. It employs challenge-response mechanisms to verify human users and dynamically obfuscates HTML and JavaScript content to prevent unauthorized scraping and code tampering. These featu

BunkerWeb is a containerized suite of infrastructure tools that functions as a cloud-native web application firewall and Nginx reverse proxy. It provides a security layer for web applications, combining traffic routing with automated SSL certificate management and a web-based security dashboard for monitoring and configuration. The project distinguishes itself through its deep integration with container orchestrators, serving as a Kubernetes ingress controller that automates security settings and service discovery via container labels. It features a plugin-based extension model and a manageme

Bunkerized Nginx is a containerized security automation system that provides a secure reverse proxy and web application firewall. It focuses on protecting web applications by monitoring container labels within cloud-native orchestration systems to automatically update security settings and firewall rules. The system distinguishes itself through automated security operations, including the automatic management of SSL certificates and an automated client banning mechanism that blocks IP addresses based on HTTP status codes. It features bot challenge mechanisms using CAPTCHAs, JavaScript, or coo

CrowdSec is a collaborative, distributed security engine designed for threat detection and infrastructure protection. It functions as an intrusion detection system that parses logs and network traffic to identify malicious patterns, utilizing a bucket-based threshold detection model to aggregate events and trigger alerts. The platform is built on a modular architecture that includes a centralized local API server for managing security signals and a relational database for persistent storage of remediation decisions. What distinguishes the project is its decoupled enforcement model, which offl

This project is a Docker-based web gateway and Nginx reverse proxy manager. It functions as a containerized network edge designed to route incoming HTTP and HTTPS traffic to backend services using subdomains and subfolders. The system automates the procurement and renewal of Let's Encrypt SSL certificates via the ACME protocol and various DNS plugins. It includes a mechanism to export and share these certificates through persistent volumes so other containers can utilize the same encryption keys. Security is handled through a combination of server intrusion prevention, using Fail2Ban to moni

Fail2ban is an intrusion prevention system that monitors system log files to detect malicious activity and automatically enforce security policies. By parsing log data in real time, the tool identifies patterns of unauthorized access or repeated authentication failures and responds by dynamically updating network access control lists to restrict offending sources. The software functions as a firewall automation tool that maintains stateful tracking of suspicious behavior across various network services. It utilizes a regex-driven pattern matching engine to identify specific attack signatures,

nginxconfig.io is a web-based NGINX configuration generator designed to build and optimize server configuration files through a visual interface. It functions as a management tool to help avoid manual syntax errors when defining server blocks. The project provides specialized utilities for implementing Gzip and Brotli compression, configuring caching strategies, and managing the deployment and renewal of SSL certificates. It also includes a reverse proxy configurator for defining routing rules and backend application server mappings to distribute network traffic. Additional capabilities cove

Xray_onekey is an automated Linux network proxy deployer and installation script. It is designed to install and configure Xray proxy servers on Debian or Ubuntu systems to create secure, encrypted network tunnels. The tool specifically implements VLESS XTLS proxy servers, utilizing a stateless transmission protocol and a specialized encryption layer to secure and obfuscate internet traffic. It incorporates an Nginx reverse proxy setup to mask proxy traffic, making incoming requests appear as standard web server activity. The deployment process is handled via bash scripts that automate the in

Traefik is a cloud-native load balancer and dynamic reverse proxy designed for microservices traffic routing. It automatically discovers services and generates network routes by listening to infrastructure changes in orchestrators and service registries. The project distinguishes itself through auto-configuring service routing, which eliminates manual configuration by updating routing rules in real time as infrastructure scales. It also provides automated SSL certificate management, utilizing ACME-based automation to request and renew certificates from remote authorities. Additional capabili

Nginx Proxy Manager is a containerized gateway controller that provides a graphical interface for managing web server routing, security certificates, and access control lists. It functions as a centralized dashboard for directing incoming web traffic to internal services, allowing users to map domain names to specific network ports without manual configuration file edits. The project distinguishes itself by automating the lifecycle of SSL certificates through integrated certificate authority clients and ACME challenges. It utilizes a dynamic routing engine based on high-performance web server

This project is a Kubernetes Ingress Controller that functions as a layer 7 traffic router and NGINX reverse proxy. It serves as a secure network gateway, directing external HTTP and HTTPS traffic to backend services within a cluster based on declarative routing rules. The controller acts as a TLS termination gateway to secure traffic and integrates with Prometheus to expose request metrics and latency data for cluster monitoring. It supports canary deployment workflows by implementing weight-based traffic splitting between different versions of a service. The system manages external access

1Panel is a centralized server management and container orchestration platform designed to simplify the administration of Linux-based infrastructure. It provides a unified web interface for managing containerized workloads, automating system maintenance, and configuring server resources. By acting as a comprehensive control plane, the platform streamlines the deployment of applications, databases, and web services while offering granular control over host system internals and security settings. What distinguishes this platform is its integrated support for private artificial intelligence infr

Coraza is a web application firewall engine designed to filter malicious HTTP traffic using standardized security directives. It functions as a library for embedding request filtering and security transaction processing directly into web servers or reverse proxies. The engine implements the ModSecurity WAF engine and the OWASP Core Rule Set to identify and block common web attack patterns. It utilizes a library-first integration model, allowing security capabilities to be embedded into a host process as a dependency rather than running as a standalone proxy. The project covers rule-based pat

Nginx is a high-performance HTTP server and reverse proxy designed to handle high-concurrency traffic through an efficient, event-driven architecture. It functions as a versatile traffic management gateway and content delivery accelerator, providing the infrastructure necessary to route client requests, balance loads across backend servers, and serve static assets with minimal resource consumption. The project distinguishes itself through a master-worker process model that separates configuration management from request processing, ensuring stable operations under heavy load. Its modular requ