BunkerWeb Open Source WAF

BunkerWeb uses ModSecurity under the hood as its core WAF engine, with full OWASP Core Rule Set support. What it adds on top is substantial: a web-based management UI, pre-configured security defaults that work out of the box, native Docker and Kubernetes integration (both as an ingress controller and a gateway API controller), a plugin system for extending functionality, and automated rule updates.

Think of it as ModSecurity packaged for modern infrastructure. You get the same CRS protection without needing to manually configure NGINX, compile ModSecurity, or write SecRule directives. The trade-off is that BunkerWeb is an additional abstraction layer. If you need full control over every ModSecurity directive, running ModSecurity directly gives you that. See the full BunkerWeb vs ModSecurity comparison.

Cloudflare and AWS WAF are cloud-based services where traffic is filtered at the provider's edge network before reaching your server. BunkerWeb is self-hosted, meaning it runs on your own infrastructure and you retain full control over your data and configuration.

Cloud WAFs have advantages in DDoS absorption (massive global networks) and ease of setup (DNS change and you are done). BunkerWeb wins on data sovereignty, cost at scale (no per-request pricing), and customization depth. Many production setups use both: a cloud WAF at the edge for DDoS and caching, with BunkerWeb protecting the origin server for defense in depth. See the BunkerWeb vs Cloudflare and AWS WAF vs BunkerWeb comparisons.

Yes. BunkerWeb is used in production by MSPs, hosting providers, hospitals, public organizations, and city governments, particularly in Europe where data sovereignty requirements make self-hosted WAFs attractive. The project follows semantic versioning with regular security updates.

For mission-critical deployments, BunkerWeb offers a Pro version with enterprise SLA support (including 1-hour response time options), licensed per FQDN with unlimited servers. The Pro license is customer-hosted, so you keep full control of your infrastructure.

Yes. BunkerWeb runs natively in Kubernetes as both an Ingress Controller and a Gateway API controller (the Gateway API integration is still in beta). You deploy it as a pod in your cluster and it handles WAF inspection at the ingress layer, so there is no need to bolt a separate proxy onto your architecture or configure ModSecurity manually inside NGINX containers.

In practice this means you define your WAF policies alongside your Kubernetes manifests, which fits well into GitOps workflows. The web UI is available inside the cluster for managing rules and monitoring. For teams already running Kubernetes with NGINX ingress, switching to BunkerWeb adds WAF protection without changing your deployment patterns significantly. If you are also evaluating other Kubernetes-native WAFs, see the BunkerWeb vs open-appsec comparison.

BunkerWeb and open-appsec are both open source WAFs with NGINX and Kubernetes support, but they use fundamentally different detection approaches. BunkerWeb relies on ModSecurity with the OWASP CRS (signature and rule-based detection). open-appsec uses a machine learning engine that learns application behavior and detects attacks based on context, without signatures.

BunkerWeb gives you full transparency into what rules are firing and why (important for compliance and debugging). open-appsec's ML approach requires less tuning but is more opaque. One consideration: open-appsec's ML engine sends telemetry data to Check Point's cloud, which may be a concern for sovereignty-focused deployments where BunkerWeb's fully self-contained architecture is preferred. See the full BunkerWeb vs open-appsec comparison.