bunkerweb
BunkerWeb is an open-source Web Application Firewall (WAF) built on NGINX that operates as a reverse proxy to protect web services. It integrates into Linux, Docker, Kubernetes, and other environments with built-in security features like ModSecurity, Let's Encrypt automation, bot blocking, and IP blacklisting, plus an optional web UI for management.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | bunkerity/bunkerweb |
| Owner | bunkerity |
| Primary language | Python |
| License | AGPL-3.0 — OSI-approved |
| Stars | 10.7k |
| Forks | 632 |
| Open issues | 176 |
| Latest release | v1.6.12 (2026-07-02) |
| Last updated | 2026-07-07 |
| Source | https://github.com/bunkerity/bunkerweb |
What bunkerweb is
Python-based WAF leveraging NGINX as the core web server, integrating ModSecurity with OWASP Core Rule Set, HTTP security headers, TLS hardening, rate limiting, challenge-based bot mitigation, and DNSBL blocking. Deployable as reverse proxy across multiple orchestration platforms with a plugin system for extensibility.
Get the bunkerweb source
Clone the repository and explore it locally.
git clone https://github.com/bunkerity/bunkerweb.gitcd bunkerweb# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Plan for AGPL-3.0 compliance: any modifications or hosting must provide source code access to users; review whether this aligns with your software distribution model.
- Validate ModSecurity rule compatibility with your backend services to avoid false positives; test bot-challenge integrations (reCAPTCHA, hCaptcha) and rate limits in non-production first.
- Architect NGINX configuration and TLS certificate management (Let's Encrypt automation) into your provisioning; determine if centralized web UI or CLI-based config suits your team workflow.
- Provision resources for WAF instance redundancy and failover; NGINX reverse proxy becomes a critical path component and must be highly available.
- Evaluate plugin ecosystem maturity and community support; assess whether built-in security features cover your threat model or if custom plugins are needed.
When to avoid it — and what to weigh
- Closed-source commercial WAF requirement — If your organization's policy mandates proprietary, vendor-supported WAF solutions with guaranteed SLAs and dedicated commercial support; BunkerWeb is AGPL-licensed and community-driven.
- Non-reverse-proxy use cases — If you need a WAF that operates in out-of-band or inline modes without acting as a full web server/reverse proxy; BunkerWeb's architecture is tightly coupled to NGINX as a reverse proxy.
- Stateless, zero-touch deployments — If your infrastructure cannot tolerate operational overhead of managing WAF configuration, plugin system updates, or security tuning; BunkerWeb requires active configuration and maintenance.
- Extremely low-latency edge filtering — If sub-millisecond latency at global edge is critical, BunkerWeb's NGINX-based architecture may introduce measurable overhead compared to CDN-native WAF appliances.
License & commercial use
Licensed under GNU Affero General Public License v3.0 (AGPL-3.0), a strong copyleft license requiring that any modifications or instances providing network access must provide source code to users. This differs from permissive licenses (MIT, Apache 2.0) and even weaker copyleft (GPL-3.0).
Commercial deployment is permitted under AGPL-3.0, but only if you provide source code to all network users and comply with copyleft obligations. If you modify BunkerWeb or integrate it into a SaaS/managed service, you must offer source to end-users or face license violation. Project maintainers offer a paid 'PRO' version and 'BunkerWeb Cloud' SaaS; these likely carry separate commercial licenses. Consult legal counsel before commercial deployment. Requires review of your use case against AGPL obligations.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
BunkerWeb acts as a security proxy but does not eliminate backend application vulnerabilities. ModSecurity rules (OWASP CRS) are well-maintained but require tuning and monitoring for false positives/negatives. HTTPS/TLS hardening and automatic Let's Encrypt integration improve baseline posture. Bot challenges (CAPTCHA, JS) raise UX trade-offs. No claim made here about exploit immunity; like all WAFs, evasion and zero-day risks exist. Reverse proxy placement makes it a critical component—compromise could expose all downstream services. Regularly audit plugin ecosystem and upstream NGINX/ModSecurity CVEs.
Alternatives to consider
ModSecurity standalone (nginx module)
Lighter-weight, no copyleft license, but requires manual NGINX compilation and lacks the all-in-one UX, plugin system, and multi-platform deployment automation of BunkerWeb.
Cloudflare WAF / AWS WAF
Managed SaaS, vendor-backed SLAs, CDN integration, but closed-source, cloud-lock-in, licensing costs, and no on-premises or self-hosted option; suitable for different risk/cost profiles.
OWASP ModSecurity with Apache/IIS
Alternative core web servers for WAF deployment, but narrower reverseproxy ecosystem, different operational maturity, and less active community innovation than BunkerWeb.
Build on bunkerweb with DEV.co software developers
Review the full documentation, test the demo environment, and assess AGPL-3.0 compliance and deployment complexity for your team. Consider whether reverse-proxy-only architecture and community support align with your SLA and operational model.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
bunkerweb FAQ
Can we run BunkerWeb in production without legal risk under AGPL-3.0?
Does BunkerWeb protect my backend application code?
What happens if BunkerWeb fails or is compromised?
Does BunkerWeb integrate with our Kubernetes cluster out of the box?
Custom software development services
DEV.co helps companies turn open-source tools like bunkerweb into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.
Evaluate BunkerWeb for Your WAF Needs
Review the full documentation, test the demo environment, and assess AGPL-3.0 compliance and deployment complexity for your team. Consider whether reverse-proxy-only architecture and community support align with your SLA and operational model.