[HN Gopher] Show HN: BunkerWeb - the open-source and cloud-nativ...
___________________________________________________________________
Show HN: BunkerWeb - the open-source and cloud-native WAF
Author : bnkty
Score : 81 points
Date : 2025-07-04 11:55 UTC (11 hours ago)
(HTM) web link (docs.bunkerweb.io)
(TXT) w3m dump (docs.bunkerweb.io)
| qmarchi wrote:
| While neat, I feel like in the current age of "let's throw
| shitloads of packets and see how they like that", this solves _a
| problem_, but I feel that most of the security products solve it
| by anycasting IP ranges.
|
| Neat to see another use case for NGINX though!
| jqpabc123 wrote:
| How is this better than Caddy?
| bnkty wrote:
| Caddy does not offer full application protection besides HTTPS
| and basic stuff.
| dontTREATonme wrote:
| Is there a significant difference between this and nginx proxy
| manager?
| justusthane wrote:
| They're both reverse proxies built on nginx, but the whole
| point of BunkerWeb is that it's a WAF, which NPM is not, so
| that's a significant difference.
|
| In short, NPM doesn't do any of the stuff listed under Security
| Features here: https://docs.bunkerweb.io/latest/#security-features
| jeauxlb wrote:
| NPM will automate Let's Encrypt certificate generation but
| you're right about the other listed features.
| lta wrote:
| I'm still strongly suspecting this whole WAF thing is mostly
| complete bullshit intended for projects doing security work
| mostly from spreadsheets.
|
| Could someone with a proper background in security confirm or
| invalidate my suspicion?
| daeken wrote:
| I mean ... You're not completely wrong, but you're not
| completely right either. For context: I've been working full-
| time in security for 15 years and on the fringes (reversing)
| for many more.
|
| WAFs in and of themselves provide virtually zero security. They
| can block naive attacks -- catching the most obvious payloads
| -- and act as an early-warning signal that an attack may be
| underway (though the SNR on this is awful). But frankly, this
| is far less important in practice than the fact that it just
| makes things more difficult and annoying for attackers. Enough
| so that it can make a semi-attractive target into a no-go.
|
| This is like defense-in-depth, but instead of layering
| protections in place so that the holes in the swiss cheese
| don't line up, you're making the cheese smell awful enough to
| ignore the juicy apple behind it.
|
| If you're a valuable enough target, they're gonna go for the
| apple regardless of how bad the cheese is. ... And this analogy
| may have gotten away from me.
| macNchz wrote:
| In addition to defense-in-depth--simply adding a bunch of
| imperfect layers and acknowledging that no individual layer
| like this is all that effective on its own--there's a component
| of creating signal: it can be pretty trivial for a motivated
| attacker to bypass a WAF, however it may _not_ be trivial to do
| so without creating a paper trail of event logs, which can be
| used to trigger automated blocks or escalate alarms for a human
| to intervene.
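The "paper trail" point above, as an added example that is not from the original thread or from BunkerWeb: a small Python detector that reads constructed WAF block events (the log format is an assumption for this example) and flags clients that trip several rules inside a short window, the kind of signal that can feed an automated block or a human alert instead of reacting to every single block.

```python
"""Turn WAF block events into an automated-block decision.

The sample lines and their field layout are constructed for this
example; they are not any product's real log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: one client trips rules repeatedly, another once.
SAMPLE_LOG = """\
2025-07-04T11:55:01Z waf block client=203.0.113.7 rule=sqli uri=/login
2025-07-04T11:55:02Z waf block client=203.0.113.7 rule=xss uri=/search
2025-07-04T11:55:03Z waf block client=198.51.100.9 rule=sqli uri=/search
2025-07-04T11:55:20Z waf block client=203.0.113.7 rule=sqli uri=/login
2025-07-04T11:55:45Z waf block client=203.0.113.7 rule=rce uri=/api
2025-07-04T11:58:00Z waf block client=203.0.113.7 rule=sqli uri=/login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) waf block client=(?P<ip>\S+) rule=(?P<rule>\S+) uri=(?P<uri>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, ip, rule, uri) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["rule"], m["uri"]


def find_repeat_offenders(text, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: time_flagged} for clients with `threshold` or more blocks
    inside any `window`-long span (sliding window kept per client).
    A lone block is ignored as noise; a repeated pattern is the paper
    trail worth escalating to an automated block or an on-call human."""
    recent = defaultdict(deque)  # ip -> timestamps of blocks still in window
    flagged = {}
    for ts, ip, _rule, _uri in parse_events(text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
```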
| mac-chaffee wrote:
| I'd generally confirm that suspicion:
| https://www.macchaffee.com/blog/2023/wafs/
|
| WAFs have a few valid uses in my opinion: "virtual patching"
| and the ability to create custom rules such as
| blocking/challenging/rate limiting obviously bad traffic. But
| the giant rulesets are actively harmful IMO. "Defense in depth"
| is not a valid justification for doing something actively
| harmful to both your users and the time budget of your security
| team.
| ivanr wrote:
| +1 Absolutely. (Source: Original author of ModSecurity.)
| mmarian wrote:
| Just wanted to say that it's a great blog post, thanks for
| writing it!
| ethan_smith wrote:
| WAFs aren't bullshit but have limitations - they're effective
| against known attack patterns (SQLi, XSS) but can be bypassed
| with sophisticated techniques. They're best as one layer in a
| defense-in-depth strategy, not a complete security solution.
| josephcsible wrote:
| You are correct. Actual security needs to be inherently part of
| the application; you can't get it just by slapping something in
| front of it. And the way most WAFs work is basically just a
| fancier version of what
| https://thedailywtf.com/articles/Injection_Rejection does,
| which is horrifically bad on sites where people try to discuss
| HTML or SQL.
| doublerebel wrote:
| A properly configured WAF is arguably necessary to maintain
| SLAs on an API available on the web. Bad actors will hammer any
| open API endlessly unless the API shows signs of defense. This
| can affect connection latency for good users and cost for the
| business. Why would you ever bother processing (and cause
| server and database load and charges) for a million bogus login
| or search requests if the WAF can handle it automatically and
| basically for free?
|
| Most bad actors are looking for easy targets and will move on
| when seeing minimal defenses. If we want to continue enjoying
| an open and accessible internet where any client that speaks
| the protocol can connect, then WAFs are an integral part of
| maintaining that public service.
| noobcoder wrote:
| Is the syntax the same as nginx?
| bnkty wrote:
| Custom nginx configs are supported (more info here:
| https://docs.bunkerweb.io/latest/advanced/#custom-
| configurat...) but BunkerWeb also includes its own list of
| settings.
| chrismorgan wrote:
| Your site talks of BunkerWeb PRO, which is, by the sound of it,
| _not_ open source. But I have no idea what is actually different
| about it: https://panel.bunkerweb.io/knowledgebase/105/What-is-
| BunkerW... flatly doesn't answer the question: "additional
| features and services responding to professional needs" is
| impressively vague.
| bnkty wrote:
| Features with a crown icon are PRO; you will find the full list of
| free and PRO features here:
| https://docs.bunkerweb.io/latest/features/
| chrismorgan wrote:
| Might I suggest at the very least linking to that from
| https://panel.bunkerweb.io/knowledgebase/105/What-is-
| BunkerW... and https://panel.bunkerweb.io/store/bunkerweb-pro.
| sreekanth850 wrote:
| How does this compare against safeline?
| jnettome wrote:
| I just love this project! BunkerWeb was a huge help when I was
| self-hosting my products with Docker Swarm. It offers tons of
| configuration options--especially useful for those needing a WAF
| and dealing with heavy bot traffic.
|
| Since moving to Kubernetes, I haven't used or evaluated it there
| yet, but kudos to the team for continuing to update and improve
| the project. Keep up the great work!
| bnkty wrote:
| Thanks for the kind words!
|
| Kubernetes integration is really awesome: you can use the BunkerWeb
| ingress controller or mix it with an existing ingress
| controller.
| seymon wrote:
| What's the benefit of just using plain owasp modsecurity?
|
| It also exists as a docker container as an nginx reverse proxy
| with modsecurity extension.
|
| https://coreruleset.org/docs/6-development/6-6-useful_tools/...
| bnkty wrote:
| ModSecurity doesn't offer antibot, bad behavior, certificate
| management, ... You can find the full list of features here:
| https://docs.bunkerweb.io/latest/features/
| SbEpUBz2 wrote:
| I can't unban myself from the demo :)
| AgentMatrixAI wrote:
| What % of cloudflare's protection can this provide? I've been
| looking at bunkerweb + anubis as an alternative to cloudflare tunnel
| (I'm actually not sure if this provides WAF)
| SkyPuncher wrote:
| This isn't really comparable to any of the SaaS based products.
|
| While this offers many of the same technical capabilities as
| Cloudflare, a lot of Cloudflare's value is in having high-
| level, aggregate insight into threats.
___________________________________________________________________
(page generated 2025-07-04 23:01 UTC)