Bunkerweb

BunkerWeb is a containerized suite of infrastructure tools that functions as a cloud-native web application firewall and Nginx reverse proxy. It provides a security layer for web applications, combining traffic routing with automated SSL certificate management and a web-based security dashboard for monitoring and configuration.

The project distinguishes itself through its deep integration with container orchestrators, serving as a Kubernetes ingress controller that automates security settings and service discovery via container labels. It features a plugin-based extension model and a management interface for real-time IP banning and attack monitoring.

The system covers a broad range of security and traffic capabilities, including signature-based threat detection, challenge-based bot mitigation, and identity-based access control. It manages network flow through load balancing, request rate limiting, and multi-tenant site isolation, while hardening browser-side security via HTTP response header configuration.

Features

Reverse Proxies - Functions as a high-performance Nginx reverse proxy for routing traffic to backend services.

Web Application Firewalls - Provides a cloud-native web application firewall that protects services from malicious traffic using signature-based filtering.

Dynamic Event Synchronization - Synchronizes security settings in real-time by monitoring container orchestrator events.

Ingress Controllers - Acts as a Kubernetes ingress controller managing external access and SSL termination.

Reverse Proxies - Routes incoming web traffic to backend services with integrated load balancing and SSL termination.

Service Discovery Orchestrators - Automatically discovers and configures services using container labels and annotations.

Ingress Controllers - Automates security and routing for services within container orchestrators via ingress resources.

Proxy Traffic Management - Provides a reverse proxy that manages external requests and secures network connections via header control and buffering.

Traffic Routing - Directs incoming web traffic to backend services using a high-performance reverse proxy.

Configuration Syncing - Keeps security settings synchronized across distributed services by listening to cluster events.

HTTP Request Filtering - Inspects HTTP request and response headers to enforce security policies and rate limits.

Automated Certificate Management - Automates the issuance and renewal of HTTPS certificates via DNS integration.

Signature-Based Filtering - Filters malicious traffic by matching request patterns against known attack signatures.

SSL Certificate Automation - Provides automated workflows for obtaining and installing SSL/TLS certificates.

SSL Certificate Managers - Automates the issuance and renewal of HTTPS certificates via integrated DNS verification and trusted authorities.

Traffic Filtering - Filters malicious web traffic using signature-based engines and behavioral analysis.

Load Balancing - Distributes incoming requests across multiple backend servers to ensure high availability and performance.

Connection Rate Limiting - Enforces thresholds on concurrent client connections to protect system resource capacity.

Automated IP Banning - Automatically bans IP addresses based on suspicious behavioral patterns and known blacklists.

Bot Detection - Identifies and blocks automated traffic using behavioral analysis and challenge tests.

Challenge-Response Tests - Implements JavaScript and CAPTCHA challenges to mitigate automated bot traffic.

Server Configuration Overrides - Allows injection of custom server configurations to handle complex use cases or false positives.

Traffic Interrogation Challenges - Mitigates bot traffic by requiring human verification through JavaScript tests and CAPTCHAs.

Multi-Site Network Management - Isolates security configurations and routing rules for multiple distinct applications.

Identity-Based Access Control - Implements network-level access control using blacklists, whitelists, geoblocking, and mutual TLS.

Rate Limiting & Abuse Prevention - Prevents API abuse by capping the number of requests permitted per client over specific time windows.

Security Headers - Injects security-focused HTTP response headers to harden browser-side security and implement CORS policies.

Security Policy Management - Manages global and service-specific security rules through standard plugins and custom configuration files.

Plugin-Based Logic Extensions - Allows adding custom security logic and background tasks via a modular plugin system.

Lifecycle Plugin Systems - Extends request processing and background tasks through a scriptable lifecycle plugin system.

WebSocket and Protocol Proxying - Ships native support for routing WebSocket traffic and standard proxy protocols to backend services.

Web Management Dashboards - Provides a web-based dashboard for monitoring attacks and managing firewall configurations.

Monitoring Dashboards - Includes a visual dashboard for monitoring blocked attacks and analyzing network performance metrics.

Security Event Monitoring - Logs security events and visualizes blocked requests on a map for attack analysis.

Web Dashboards - Provides a web-based administrative interface for real-time IP banning and firewall configuration.

API Gateways - Secure-by-default web app hosting and reverse proxy.

Networking And Proxies - Next-generation web application firewall for containers.

API Firewalls - Next-generation WAF with integrated security rules and bot protection.

Network Security and Proxies - Next-generation web application firewall.

Threat Detection Tools - Provides open-source web application firewall protection.

Web Application Firewalls - Web server integrated with WAF and automated security.

bunkeritybunkerweb

Features

Star history