
BunkerWeb

Self-Hosted

Secure your web services by default with a next‑generation WAF

Active (100) | 9.3k stars | 0 views | Updated 18 days ago

Overview

BunkerWeb is a next‑generation, open‑source Web Application Firewall (WAF) that doubles as a full‑featured reverse proxy built on top of **NGINX**. It is designed to sit in front of any web service—static sites, APIs, micro‑services or legacy applications—and provide a “secure by default” posture without requiring developers to write custom security rules. The core engine is written in **Go**, which compiles into a single static binary, making distribution lightweight and enabling native support for containerized deployments (Docker, Swarm, Kubernetes) as well as bare‑metal Linux installations.

Architecture

  • NGINX Core – The WAF logic is injected into NGINX through custom modules and configuration snippets generated by BunkerWeb. This allows developers to leverage the full performance and feature set of NGINX while adding WAF layers such as OWASP rule sets, rate limiting, and bot mitigation.
  • Go Runtime – The application orchestrates configuration generation, certificate management (Let’s Encrypt integration), and plugin execution. It exposes a RESTful API for dynamic reconfiguration, status querying, and health checks.
  • Database Layer – Optional persistence via a lightweight embedded database (SQLite) or external PostgreSQL for storing user‑defined policies, logs, and analytics. The database schema is versioned and migrations are applied automatically during startup.
  • Plugin Engine – Plugins are packaged as Go plugins or external executables that can hook into request/response cycles. The engine loads them at runtime, exposing a well‑defined interface for rule injection, custom headers, or external threat intelligence feeds.

Core Capabilities

  • WAF Rule Sets – Built‑in OWASP Top 10 protection, SQLi/XXE detection, XSS filtering, and custom regex rules. Rules can be toggled per domain or globally.
  • Rate Limiting & Bot Detection – Fine‑grained control over requests per IP, per endpoint, or per user agent. Integration with external bot‑lists (e.g., Project Honey Pot) is available via plugins.
  • DDoS Mitigation – Traffic shaping, connection throttling, and integration with Cloudflare’s Argo Tunnel for edge protection.
  • HTTPS & ACME – Automatic Let’s Encrypt certificate issuance, renewal, and wildcard support. HTTP/2 and TLS 1.3 are enabled by default.
  • Dynamic Configuration API – Endpoints to add/remove domains, update rules, and trigger reloads without downtime. The API also exposes metrics in Prometheus format.
  • Web UI – A Vue.js‑based dashboard (served by the same binary) that visualizes traffic, logs, and policy states. The UI communicates with the Go backend via secure WebSocket connections.

Deployment & Infrastructure

  • Container Friendly – A single Dockerfile builds a minimal image (≈ 60 MB). BunkerWeb can run as a sidecar in Kubernetes or as a standalone container behind an ingress controller.
  • Scalability – Horizontal scaling is straightforward: replicas share a common configuration store (e.g., ConfigMap or shared DB) and use NGINX’s upstream load‑balancing. The Go process is stateless except for the configuration file, so it can be restarted or replaced without losing state.
  • Self‑Hosting Requirements – Requires Linux (kernel ≥ 3.10) or any OCI‑compatible runtime. For high availability, expose a single entry point (e.g., HAProxy or MetalLB) that forwards to BunkerWeb instances.
  • Observability – Exposes Prometheus metrics, structured JSON logs, and integrates with ELK/EFK stacks via a built‑in log shipper.

Integration & Extensibility

  • Plugin System – Developers can write plugins in Go or any language that exposes a simple HTTP endpoint. Plugins receive the request context and can modify headers, block requests, or trigger external services (e.g., Slack alerts).
  • Webhooks – Outgoing webhooks are available for event notifications (e.g., new threat detected, certificate renewal). The webhook payload is customizable via templates.
  • API Hooks – The REST API supports OAuth2 and JWT authentication, allowing integration with CI/CD pipelines to push new policies automatically.
  • Custom Modules – Advanced users can compile custom NGINX modules and inject them through the configuration generator.

Developer Experience

  • Configuration DSL – Policies are expressed in a declarative YAML format, which the Go engine compiles into NGINX directives. This makes version control and diffing trivial.
  • Documentation & Community – Comprehensive docs (examples, tutorials, API reference) are hosted on docs.bunkerweb.io. A Discord channel and GitHub Discussions provide rapid support. The project follows semantic versioning and CI/CD pipelines with automated tests on every PR.
  • Licensing – AGPLv3 ensures that any derivative work remains open source, encouraging community contributions while protecting the core from proprietary forks.

Use Cases

  1. Micro‑service Gateways – Deploy BunkerWeb as a sidecar or standalone reverse proxy to secure an entire Kubernetes cluster with minimal configuration.
  2. Legacy Application Protection – Wrap existing Apache or IIS applications behind BunkerWeb to add WAF capabilities without refactoring code.
  3. API Management – Combine rate limiting, bot detection, and OAuth enforcement in a single layer for public APIs.
  4. Edge Security – Use BunkerWeb with Cloudflare or Fastly to provide an additional security fence before traffic reaches the edge.

Advantages

  • Performance – Leveraging NGINX’s event‑driven architecture and a compiled Go binary yields low latency and high

Information

  • Category: cloud-platforms
  • License: AGPL-3.0
  • Stars: 9.3k

Technical Specs

  • Pricing: Open Source
  • Database: None
  • Docker: Official
  • Supported OS: Linux, Docker
  • Author: bunkerity
  • Last Updated: 18 days ago