G
Show HN
Show HN: BunkerWeb – The Open-Source Web Application Firewall (WAF)
Please stop these types of headlines.

A commercial closed sourced web application firewall, where some parts / features open source and free.

Promium sourced web application firewall.

> Whether it's enhanced security, an enriched user experience, or technical supervision, the BunkerWeb PRO version will allow you to fully benefit from BunkerWeb and respond to your professional needs.

Is it open core? I see that the license is AGPL. Can I just edit the code to enable the "pro" features, or are they in another repo?

"enhanced security" sounds a bit like the open source version is gutted to encourage people paying for it. If so, it's a bit of a shame. Wouldn't it be better if everyone used this waf and the web would be more secure as possible for everyone?

  • bnkty
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
You are right, this is an open-core model. The PRO features are proprietary and, to be precise, they are actually modules that integrate into the core of the solution. In addition to these features, the PRO version gives you access to technical support. We completely agree with you that BunkerWeb can be used by everyone to make the web more secure. We sincerely believe that the features offered in the community version contribute significantly to this goal. Thank you for your feedback.
"live threatmap of live cyber attacks blocked by BunkerWeb instances all around the world"

So this sketchy looking thing is also equipped with telemetry that phones home all the time?

No thanks.

  • bnkty
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
The BunkerNet feature is completely optional. You can disable it at any time, however, you will not be able to take advantage of crowdsourcing on threats if you do so. More information here : https://docs.bunkerweb.io/latest/security-tuning/#bunkernet
Enterprises pay a shitload of cash for that functionality of commercial WAF systems. Some allow that at a low let cost of you send your own data, and more expensive if you don't.
A WAF looks sketchy? OSINT is sketchy?
An open source WAF at that.
I'll have to check it out! The popular option for homelab or other indie scale is to just use the cloudflare's free-tier setup, which includes WAF, but I see a privacy hole where cloudflare needs to see your unencrypted HTTP traffic so that they can apply their WAF rules.

I've also been checking out CrowdSec. I appreciate it's modular architecture but it definitely deviates away from the folks that just wants to expose an HTTP service and get on with their lives. I've enjoyed the Caddy server for this reason, but yeah, not as secure-as-default when it comes to attacks a WAF would mitigate.

Check out SafeLine.
thanks for the tip! At a glance, the SafeLine looks very opaque.. not clear why it starts up so many docker containers and how they are built. I can appreciate that bunkerweb illustrated its architecture a bit more with their docs and descriptive image names.... E.g. `bunkerweb-scheduler` vs `safeline-luigi`
Why should I be using BunkerWeb, e.g. if running my own SaaS?
  • bnkty
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
You can use BunkerWeb to protect your own SaaS against malicious actors.
I feel reminded of brawndo.

https://fictionalcompanies.fandom.com/wiki/Brawndo

Its got what SaaS craves!
But it has electrolytes.
Is this just LUA modules? Whats the performance hit like vs a fresh install of nginx? Whats the performance like on something like ten thousand server blocks?
  • bnkty
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
Performance will indeed decrease compared to a web server without security features. However, this largely depends on the BunkerWeb features you choose to enable.
  • KomoD
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
Can it block based on TLS fingerprints? Like JA3, etc.
  • bnkty
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
Not at the moment but we plan to work on it. Thanks for your feedback.
  • KomoD
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
Okay, could be a nice feature.
Looks very good, thx for sharing!

Can it be integrated with an existing large nginx config with multiple domains, server and client certificates, websockets, other custom settings and different apps deployed with ansible or does it need to run the nginx process by itself?

  • bnkty
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
You will need to migrate to BunkerWeb. But since BunkerWeb is based on NGINX it might be easier than you think. As an example, it supports custom NGINX configs : https://docs.bunkerweb.io/latest/quickstart-guide/#custom-co...

Maybe you can join our Discord to discuss further about your use case.

I recently joined a new company, and one of my first tasks is to secure a simple web API using a WAF. I’d like to explore some free and open-source options to help our office avoid licensing headaches. Do you have any recommendations?
Does it handle content security policies ?
  • bnkty
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
Yes you can configure your own CSP, more info here : https://docs.bunkerweb.io/latest/security-tuning/#security-h...

Please note that we plan to improve it in the future with automation.

For Fucks Sake offering "dark mode" is the 3rd or 4th highlight in the promo video.

You could dark mode application in X Windows way back in the day with just a bit of configuration.

This may be two style sheets you can swap between or whatever. It is not impressive.

What about "Blue letters available" ohhhh .

I keep seeing apps being update and the major change being "dark mode now available".

I agree it might not be worth promoting as a main feature at all. But from experience, there are users that will be very vocal about it and request a dark mode.
PSA: needs 'proper' NGINX
  • bnkty
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
Indeed, we use NGINX as the base web server. NGINX + LUA to be precise.