DEV.co
Open-Source DevOps · bunkerity

bunkerweb

BunkerWeb is an open-source Web Application Firewall (WAF) built on NGINX that operates as a reverse proxy to protect web services. It integrates into Linux, Docker, Kubernetes, and other environments with built-in security features like ModSecurity, Let's Encrypt automation, bot blocking, and IP blacklisting, plus an optional web UI for management.

Source: GitHub — github.com/bunkerity/bunkerweb
10.7k
GitHub stars
632
Forks
Python
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorybunkerity/bunkerweb
Ownerbunkerity
Primary languagePython
LicenseAGPL-3.0 — OSI-approved
Stars10.7k
Forks632
Open issues176
Latest releasev1.6.12 (2026-07-02)
Last updated2026-07-07
Sourcehttps://github.com/bunkerity/bunkerweb

What bunkerweb is

Python-based WAF leveraging NGINX as the core web server, integrating ModSecurity with OWASP Core Rule Set, HTTP security headers, TLS hardening, rate limiting, challenge-based bot mitigation, and DNSBL blocking. Deployable as reverse proxy across multiple orchestration platforms with a plugin system for extensibility.

Quickstart

Get the bunkerweb source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/bunkerity/bunkerweb.gitcd bunkerweb# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Multi-environment WAF deployment

Organizations running workloads across Linux, Docker, Kubernetes, and Docker Swarm that need a single WAF solution with consistent security posture and centralized configuration management.

Secure-by-default web service hardening

Teams wanting immediate protection against common web attacks (OWASP Top 10) without extensive security tuning, with sensible defaults for HTTPS, headers, and rate limiting out of the box.

Bot and DDoS mitigation at ingress

Applications experiencing bot traffic or reconnaissance attacks that benefit from integrated challenge mechanisms (JavaScript, CAPTCHA, hCaptcha, reCAPTCHA) and IP blacklist integration.

Implementation considerations

  • Plan for AGPL-3.0 compliance: any modifications or hosting must provide source code access to users; review whether this aligns with your software distribution model.
  • Validate ModSecurity rule compatibility with your backend services to avoid false positives; test bot-challenge integrations (reCAPTCHA, hCaptcha) and rate limits in non-production first.
  • Architect NGINX configuration and TLS certificate management (Let's Encrypt automation) into your provisioning; determine if centralized web UI or CLI-based config suits your team workflow.
  • Provision resources for WAF instance redundancy and failover; NGINX reverse proxy becomes a critical path component and must be highly available.
  • Evaluate plugin ecosystem maturity and community support; assess whether built-in security features cover your threat model or if custom plugins are needed.

When to avoid it — and what to weigh

  • Closed-source commercial WAF requirement — If your organization's policy mandates proprietary, vendor-supported WAF solutions with guaranteed SLAs and dedicated commercial support; BunkerWeb is AGPL-licensed and community-driven.
  • Non-reverse-proxy use cases — If you need a WAF that operates in out-of-band or inline modes without acting as a full web server/reverse proxy; BunkerWeb's architecture is tightly coupled to NGINX as a reverse proxy.
  • Stateless, zero-touch deployments — If your infrastructure cannot tolerate operational overhead of managing WAF configuration, plugin system updates, or security tuning; BunkerWeb requires active configuration and maintenance.
  • Extremely low-latency edge filtering — If sub-millisecond latency at global edge is critical, BunkerWeb's NGINX-based architecture may introduce measurable overhead compared to CDN-native WAF appliances.

License & commercial use

Licensed under GNU Affero General Public License v3.0 (AGPL-3.0), a strong copyleft license requiring that any modifications or instances providing network access must provide source code to users. This differs from permissive licenses (MIT, Apache 2.0) and even weaker copyleft (GPL-3.0).

Commercial deployment is permitted under AGPL-3.0, but only if you provide source code to all network users and comply with copyleft obligations. If you modify BunkerWeb or integrate it into a SaaS/managed service, you must offer source to end-users or face license violation. Project maintainers offer a paid 'PRO' version and 'BunkerWeb Cloud' SaaS; these likely carry separate commercial licenses. Consult legal counsel before commercial deployment. Requires review of your use case against AGPL obligations.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

BunkerWeb acts as a security proxy but does not eliminate backend application vulnerabilities. ModSecurity rules (OWASP CRS) are well-maintained but require tuning and monitoring for false positives/negatives. HTTPS/TLS hardening and automatic Let's Encrypt integration improve baseline posture. Bot challenges (CAPTCHA, JS) raise UX trade-offs. No claim made here about exploit immunity; like all WAFs, evasion and zero-day risks exist. Reverse proxy placement makes it a critical component—compromise could expose all downstream services. Regularly audit plugin ecosystem and upstream NGINX/ModSecurity CVEs.

Alternatives to consider

ModSecurity standalone (nginx module)

Lighter-weight, no copyleft license, but requires manual NGINX compilation and lacks the all-in-one UX, plugin system, and multi-platform deployment automation of BunkerWeb.

Cloudflare WAF / AWS WAF

Managed SaaS, vendor-backed SLAs, CDN integration, but closed-source, cloud-lock-in, licensing costs, and no on-premises or self-hosted option; suitable for different risk/cost profiles.

OWASP ModSecurity with Apache/IIS

Alternative core web servers for WAF deployment, but narrower reverseproxy ecosystem, different operational maturity, and less active community innovation than BunkerWeb.

Software development agency

Build on bunkerweb with DEV.co software developers

Review the full documentation, test the demo environment, and assess AGPL-3.0 compliance and deployment complexity for your team. Consider whether reverse-proxy-only architecture and community support align with your SLA and operational model.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

bunkerweb FAQ

Can we run BunkerWeb in production without legal risk under AGPL-3.0?
Yes, production use is permitted. You must ensure that you comply with AGPL copyleft: if you modify code or offer BunkerWeb as a service, you must provide source to end-users. If you run an unmodified instance and do not distribute it, risk is lower, but consult legal counsel for your specific deployment model.
Does BunkerWeb protect my backend application code?
No. BunkerWeb is a reverse proxy WAF that inspects inbound HTTP traffic and applies rules (ModSecurity, rate limiting, bot challenges). It does not secure application logic, APIs, or data at rest. It reduces attack surface and common web exploits (SQLi, XSS, etc.) but is not a substitute for secure coding.
What happens if BunkerWeb fails or is compromised?
Since BunkerWeb sits as the ingress reverse proxy, failure means traffic cannot reach backends. Plan for HA (multiple instances, load balancing, failover). Compromise exposes all downstream services and potentially SSL/TLS certificates. Treat it as a critical infrastructure component requiring strong access controls and monitoring.
Does BunkerWeb integrate with our Kubernetes cluster out of the box?
Yes. BunkerWeb provides Kubernetes integration documented in the docs and includes helm charts or container templates. Integration level and automatic discovery features depend on your Kubernetes networking and ingress controller setup; review deployment examples for your version.

Custom software development services

DEV.co helps companies turn open-source tools like bunkerweb into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.

Evaluate BunkerWeb for Your WAF Needs

Review the full documentation, test the demo environment, and assess AGPL-3.0 compliance and deployment complexity for your team. Consider whether reverse-proxy-only architecture and community support align with your SLA and operational model.