BunkerWeb Open Source WAF

by Bunkerity (Open Source Project)

Free Tier Available | Open Source

WAFPlanet Rating: 4.0/5

Next-generation open source WAF built on NGINX with ModSecurity integration, offering comprehensive web security with an intuitive web UI and extensive plugin system.

Company: Bunkerity (Open Source Project)
Pricing: Free (Open Source) / Pro Support
Founded: 2021

Overview

BunkerWeb is a next-generation, open source Web Application Firewall that makes web services "secure by default." Built on NGINX, it combines the performance and flexibility of a proven web server with comprehensive WAF capabilities powered by ModSecurity and the OWASP Core Rule Set.

Unlike cloud-based WAFs, BunkerWeb is self-hosted, giving organizations complete control over their security infrastructure and data. It integrates seamlessly into existing environments including Docker, Kubernetes, and traditional Linux deployments, functioning as a security-focused reverse proxy.

The project stands out for its user-friendly approach to open source WAF. An intuitive web UI allows configuration without command-line expertise, while a robust plugin system enables extending functionality for specific use cases. The AGPLv3 license ensures it remains free and open.

Ratings Breakdown

Ease of Use 3.8/5
Value for Money 4.9/5
Customer Support 3.2/5
Features 4.0/5

Key Features

ModSecurity Integration

Built-in ModSecurity WAF with OWASP Core Rule Set for comprehensive protection against web application attacks.

Bot Protection

Block malicious bots with challenge-based verification using cookies, JavaScript tests, captchas, or third-party services.

Rate Limiting & DDoS Protection

Limit connections and requests per client, and automatically ban clients whose activity triggers an abnormal number of HTTP error status codes.

IP Reputation

Block known bad IPs using external blacklists and DNSBL integration.

Web UI Management

User-friendly graphical interface for configuration and monitoring without command-line expertise.

Plugin System

Extend functionality with official and community plugins including ClamAV antivirus, Coraza WAF, and notification integrations.

Pros & Cons

Pros

  • Completely free and open source

    AGPLv3 license with no licensing costs; full access to source code for customization.

  • Self-hosted data control

    Keep all traffic and logs on your own infrastructure with no third-party data sharing.

  • User-friendly web UI

    Modern graphical interface makes configuration accessible without deep CLI expertise.

  • Flexible deployment

    Native support for Docker, Kubernetes, Swarm, and traditional Linux installations.

  • Active development

    Regular updates with security fixes and new features; responsive community.

Cons

  • Self-hosted complexity

    Requires infrastructure setup and maintenance; no managed service option.

  • Limited enterprise support

    Professional support available but less comprehensive than commercial WAF vendors.

  • Smaller community than ModSecurity

    Newer project means fewer community resources and third-party integrations.

  • Performance tuning required

    Optimal performance requires understanding of NGINX and ModSecurity configuration.

Pricing

Pricing model: Free (Open Source) / Pro Support

Community Edition

Free

Full-featured open source WAF

  • Complete WAF engine
  • ModSecurity + OWASP CRS
  • Web UI management
  • Docker/Kubernetes support
  • Plugin system
  • Community support

Pro Support

Contact for pricing

Professional support and services

  • Everything in Community
  • Professional support
  • Priority bug fixes
  • Custom development
  • Training services

Our Verdict

BunkerWeb represents a new generation of open source WAF that prioritizes usability without sacrificing capability. By combining NGINX performance with ModSecurity protection and wrapping it in a user-friendly interface, it makes self-hosted WAF accessible to a broader audience.

The project is ideal for organizations that want complete control over their security infrastructure and data. While it requires more operational effort than cloud WAFs, the zero licensing cost and data sovereignty benefits make it compelling for privacy-conscious deployments.

Our verdict: Excellent open source WAF for teams comfortable with self-hosting who want modern tooling and a friendly UI. Best value option for budget-conscious security.

CVE Coverage

BunkerWeb Open Source WAF can detect and block attacks matching 111K+ known CVEs, according to the rule sets it supports.

  • Critical: 14K+
  • High: 26K+
  • Medium: 45K+
  • Low: 1.7K+

Coverage by Attack Type

Attack-type labels for this breakdown were not preserved; the only labelled row is Open Redirect (Medium severity): 1.5K+ CVEs. The remaining rows list 19K+, 12K+, 9.1K+, 6.5K+, 5.9K+, 4.1K+, 3.6K+, 2.7K+, 1.2K+ and 1.1K+ CVEs without their attack-type labels.

Latest Blockable CVEs

CVE Severity
CVE-2026-49294 UNKNOWN
CVE-2026-20262 MEDIUM
CVE-2026-9863 UNKNOWN
CVE-2026-9862 UNKNOWN
CVE-2025-15659 UNKNOWN
CVE-2025-15658 UNKNOWN
CVE-2026-52704 UNKNOWN
CVE-2019-25746 HIGH
CVE-2018-25436 CRITICAL
CVE-2016-20084 HIGH

Frequently Asked Questions

How does BunkerWeb compare to ModSecurity?

BunkerWeb uses ModSecurity under the hood as its core WAF engine, with full OWASP Core Rule Set support. What it adds on top is substantial: a web-based management UI, pre-configured security defaults that work out of the box, native Docker and Kubernetes integration (both as an Ingress Controller and a Gateway API controller), a plugin system for extending functionality, and automated rule updates.

Think of it as ModSecurity packaged for modern infrastructure. You get the same CRS protection without needing to manually configure NGINX, compile ModSecurity, or write SecRule directives. The trade-off is that BunkerWeb is an additional abstraction layer. If you need full control over every ModSecurity directive, running ModSecurity directly gives you that. See the full BunkerWeb vs ModSecurity comparison.

How does BunkerWeb compare to Cloudflare or AWS WAF?

Cloudflare and AWS WAF are cloud-based services where traffic is filtered at the provider's edge network before reaching your server. BunkerWeb is self-hosted, meaning it runs on your own infrastructure and you retain full control over your data and configuration.

Cloud WAFs have advantages in DDoS absorption (massive global networks) and ease of setup (DNS change and you are done). BunkerWeb wins on data sovereignty, cost at scale (no per-request pricing), and customization depth. Many production setups use both: a cloud WAF at the edge for DDoS and caching, with BunkerWeb protecting the origin server for defense in depth. See the BunkerWeb vs Cloudflare and AWS WAF vs BunkerWeb comparisons.

Is BunkerWeb production-ready?

Yes. BunkerWeb is used in production by MSPs, hosting providers, hospitals, public organizations, and city governments, particularly in Europe where data sovereignty requirements make self-hosted WAFs attractive. The project follows semantic versioning with regular security updates.

For mission-critical deployments, BunkerWeb offers a Pro version with enterprise SLA support (including 1-hour response time options), licensed per FQDN with unlimited servers. The Pro license is customer-hosted, so you keep full control of your infrastructure.

Does BunkerWeb work with Kubernetes?

Yes. BunkerWeb runs natively in Kubernetes as both an Ingress Controller and a Gateway API controller (the Gateway API integration is still in beta). You deploy it as a pod in your cluster and it handles WAF inspection at the ingress layer, so there is no need to bolt a separate proxy onto your architecture or configure ModSecurity manually inside NGINX containers.

In practice this means you define your WAF policies alongside your Kubernetes manifests, which fits well into GitOps workflows. The web UI is available inside the cluster for managing rules and monitoring. For teams already running Kubernetes with NGINX ingress, switching to BunkerWeb adds WAF protection without changing your deployment patterns significantly. If you are also evaluating other Kubernetes-native WAFs, see the BunkerWeb vs open-appsec comparison.

How does BunkerWeb compare to open-appsec?

BunkerWeb and open-appsec are both open source WAFs with NGINX and Kubernetes support, but they use fundamentally different detection approaches. BunkerWeb relies on ModSecurity with the OWASP CRS (signature and rule-based detection). open-appsec uses a machine learning engine that learns application behavior and detects attacks based on context, without signatures.

BunkerWeb gives you full transparency into what rules are firing and why (important for compliance and debugging). open-appsec's ML approach requires less tuning but is more opaque. One consideration: open-appsec's ML engine sends telemetry data to Check Point's cloud, which may be a concern for sovereignty-focused deployments where BunkerWeb's fully self-contained architecture is preferred. See the full BunkerWeb vs open-appsec comparison.

What is BunkerWeb?

BunkerWeb is a free, open source web application firewall (WAF) that runs on your own servers. It is built on top of NGINX and uses ModSecurity with the OWASP Core Rule Set for attack detection. What makes it different from running raw ModSecurity is the packaging: BunkerWeb comes with a web-based management UI, pre-configured security defaults, Docker and Kubernetes support, a plugin system, and automated updates.

Think of it as a self-hosted alternative to cloud WAFs like Cloudflare or AWS WAF. You get similar protection (SQL injection, XSS, bot blocking, rate limiting) without sending your traffic through a third party. The project is maintained by Bunkerity, a company based in France, and released under the AGPLv3 license.

How much does BunkerWeb cost?

The Community Edition is completely free and open source under the AGPLv3 license. It includes the full WAF engine, web UI, Docker/Kubernetes support, plugin system, and all core features. There are no traffic limits or feature restrictions on the free version.

BunkerWeb Pro is a paid tier for organizations that need enterprise support. It is licensed per FQDN (domain) with unlimited servers, and includes SLA-backed support with response time options down to 1 hour. Pro pricing is not publicly listed. Contact Bunkerity for a quote. The Pro version is still self-hosted, so you keep full control of your infrastructure and data.

What are the system requirements for BunkerWeb?

BunkerWeb runs on Linux and is designed to be lightweight. Minimum requirements depend on your deployment method:

  • Docker: any system that runs Docker. The official image is based on Alpine Linux and uses minimal resources
  • Kubernetes: runs as a standard pod. Resource requests depend on traffic volume, but a typical setup starts at 256MB RAM and 0.5 CPU
  • Bare metal / VM: Linux with NGINX installed. BunkerWeb installs as an NGINX configuration layer

For production workloads, allocate based on your traffic. BunkerWeb is essentially NGINX with ModSecurity, so the resource profile is similar to any ModSecurity deployment: more complex rule sets and higher traffic need more CPU and memory.

What are the best BunkerWeb alternatives?

The best alternative depends on what you are looking for:

  • ModSecurity: the WAF engine BunkerWeb uses under the hood. Run it directly if you want maximum control and do not need a web UI
  • Coraza: modern ModSecurity alternative written in Go, same CRS rules, better for Caddy/Traefik/Kubernetes setups
  • SafeLine: another self-hosted WAF with a web UI, uses semantic analysis instead of signatures. See the BunkerWeb vs SafeLine comparison
  • CrowdSec: crowd-sourced threat intelligence with a WAF component. Different approach, often used alongside BunkerWeb rather than replacing it. See the BunkerWeb vs CrowdSec comparison
  • Cloud WAFs (Cloudflare, AWS WAF): managed services, no self-hosting, but ongoing costs and less control over your data

Does BunkerWeb integrate with CrowdSec?

Yes. BunkerWeb has a CrowdSec plugin that connects to the CrowdSec Security Engine. This lets BunkerWeb use CrowdSec's crowd-sourced IP reputation data to block known malicious IPs, on top of the ModSecurity/CRS rule-based detection that BunkerWeb already provides.

The two tools complement each other: BunkerWeb handles request-level WAF inspection (SQL injection, XSS, etc.) while CrowdSec adds network-level threat intelligence (blocklists of IPs flagged by the CrowdSec community). You can run both in Docker or Kubernetes. See the BunkerWeb vs CrowdSec comparison for a deeper look at how they differ.

What license is BunkerWeb released under?

BunkerWeb Community Edition uses the AGPLv3 (GNU Affero General Public License v3) license. This means you can use, modify, and distribute BunkerWeb freely, but if you modify the source code and provide it as a service to others, you must share your modifications under the same license.

For most use cases (running BunkerWeb as a WAF for your own applications), the AGPLv3 has no practical restrictions. The AGPL clause primarily affects companies that want to embed or resell BunkerWeb as part of a commercial product or service. In that case, BunkerWeb Pro offers a commercial license.
