Looking for Recommendations - FOSS WAF

https://lemmy.world/post/24620174

Hey everyone! I'm looking into spinning up a WAF as the number of services I'm hosting is slowly growing. I want to have a better understanding of the traffic and also have a relative peace of mind that if there is a flaw in one of the services I'm hosting, the WAF could help mitigate it. I've seen two big names come up while searching:

- SafeLine
- BunkerWeb

They are popular and look quite good all around, but I don't want to just mindlessly take the project with the most GitHub stars. What WAF are you using / have you used? Which ones do you recommend?

I have been using BunkerWeb for the past 4 years and have been mostly happy with it. Its default settings are sometimes a bit aggressive, but you can change those globally or service by service.
Thanks that’s good to know :)
The fact that they lock Let's Encrypt DNS-01 behind the pro version is so incredibly annoying.
Yeah, I use Caddy for that, as I only use DNS-01 for local-only services.
Crowdsec
I just read a bit about it and it sounds quite interesting with the community aspect of it all. I'll give it a deeper look later, thanks!

I run a custom build of Nginx with a few extra modules compiled in:

Some guidance can be found here: docs.nginx.com/…/nginx-plus-modsecurity-waf-owasp…

That guidance is for NGINX Plus, but you can compile the dynamic module yourself with the community version.

GitHub - owasp-modsecurity/ModSecurity-nginx: ModSecurity v3 Nginx Connector

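As an added example (not code from the poster above or from the ModSecurity project), here is a minimal nginx configuration that loads a self-built ModSecurity v3 connector as a dynamic module and attaches the OWASP Core Rule Set to one proxied service. The module filename, the `/etc/nginx/modsec` and `/usr/local/owasp-crs` paths, the hostname and the upstream port are assumptions; adjust them to your build.

```nginx
# --- /etc/nginx/nginx.conf (fragment) ---
# Assumed path: the .so produced by `make modules`, copied into nginx's modules dir.
load_module modules/ngx_http_modsecurity_module.so;

http {
    server {
        listen 443 ssl;
        server_name app.example.com;   # assumed hostname

        # Enable the engine for this server block only; other vhosts stay untouched,
        # which is how you tune rules per service instead of globally.
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed upstream
        }
    }
}

# --- /etc/nginx/modsec/main.conf (ModSecurity rule syntax, not nginx syntax) ---
# modsecurity.conf is the upstream "modsecurity.conf-recommended" file renamed.
# It ships with `SecRuleEngine DetectionOnly`: requests are logged to the audit
# log but never blocked. Run like that first, review the false positives, then
# switch to `SecRuleEngine On` to actually enforce.
Include /etc/nginx/modsec/modsecurity.conf
SecRuleEngine On

# OWASP CRS: setup file first, then the rule files (assumed install path).
Include /usr/local/owasp-crs/crs-setup.conf
Include /usr/local/owasp-crs/rules/*.conf
```

To produce the module, build and install libmodsecurity (the ModSecurity v3 library) first, then unpack the nginx source matching your installed nginx version and run `./configure --with-compat --add-dynamic-module=../ModSecurity-nginx && make modules`; the result is `objs/ngx_http_modsecurity_module.so`. Run `nginx -t` after editing the configuration, since a bad rules path or a CRS syntax error fails at load time rather than at request time.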
I’ve been looking for a good self-hosted WAF for a while. I tried Open AppSec — way too buggy. Then I gave BunkerWeb a shot, but the setup was just too complicated (maybe I’m just not that good 😅). SafeLine has a lot of paid features, but honestly, the Lite version already covers most of what I need. $100/year is pretty reasonable, rich features, the setup and configs are super simple.

I ended up going with Crowdsec.

The setup was a bit of a challenge, as I like to do it the RTFM way and there are a bunch of concepts to grasp before you really understand what you are doing, but since then it's been working pretty great! And it's free (as in you are providing them with data on the occurrence of threats etc., so you don't pay).