Bunkerweb
App in the BluixApps catalog
What it is
BunkerWeb is a Web Application Firewall (WAF) and reverse proxy — combines nginx with ModSecurity, custom security rules, anti-bot, rate limiting, and a beautiful admin UI. Open-source, drop-in replacement for nginx + manual ModSecurity wiring.
For self-hosters running public-facing apps and worried about attacks, BunkerWeb is the all-in-one defense layer.
What it's for
- Web Application Firewall — block OWASP Top 10 attacks
- Reverse proxy + WAF — protected access to backend apps
- DDoS mitigation — rate limiting + bad-bot blocking
- TLS termination — Let's Encrypt + secure cipher suites
- Anti-bot — CAPTCHA + behavior analysis
Who it's for
- Self-hosters running public-facing apps with attack concerns
- Small businesses protecting customer-facing sites
- DevOps teams wanting WAF without commercial vendors
- Privacy-conscious orgs rejecting Cloudflare's data handling
- Compliance-bound apps requiring documented WAF
Why teams pick BunkerWeb over alternatives
- AGPLv3 — fully open
- All-in-one — nginx + ModSecurity + WAF rules + UI
- OWASP CRS — Core Rule Set integrated
- Anti-bot — behavior-based + CAPTCHA
- Active development — backed by Bunkity
- Easy config — YAML / UI vs manual nginx rules
Integrations
- Reverse proxy — protect any backend HTTP service
- TLS — Let's Encrypt + custom certs
- WAF rules — OWASP CRS + custom
- Rate limiting — per-IP, per-URI
- Authentication — basic auth, OAuth via forward-auth
- Notification — email + Slack on attacks
- Cluster mode — multi-node deployments
Notable users & community
- 7k+ GitHub stars
- Active GitHub Discussions
- Backed by Bunkity with commercial Pro support
- Featured in self-hosted security tool roundups
- Frequent releases
Tips & operations
- Tune WAF rules — false positives common; tune for your app
- Monitor blocked requests — investigate trends; adjust rules
- TLS config — secure defaults but customize for compatibility
- Persistent storage — config + cache
- Test in monitor mode first — observe attacks before blocking
- Backup config — your rules are valuable; backup
What we ship in BluixApps
- Docker compose: BunkerWeb (latest stable)
- Pinned
bunkerity/bunkerweb:1.5(release-tagged) - HTTPS via Let's Encrypt
- OWASP CRS pre-configured
- Admin UI with random password
- Persistent volumes for config + cache
- Backup hook covers config + rules
Get this app — pick a BluixApps plan
Same catalog. Scaling tenant isolation, white-label and support tier.
| Tier | Tenants | Catalog | Support | White-label | Monthly | |
|---|---|---|---|---|---|---|
| Stacks | 1 | 19 curated stacks | Standard | — | $19/mo | DetailDeploy |
| Starter | 10 | Full catalog | Standard | +$15–25/mo | $49/mo | DetailDeploy |
| Pro | 25 | Full catalog | Priority bugfix | +$15–25/mo | $149/mo | DetailDeploy |
| Growth | 100 | Full catalog | Priority bugfix | +$15–25/mo | $349/mo | DetailDeploy |
| Scale | 500 | Full catalog | 7-day window | +$15–25/mo | $799/mo | DetailDeploy |
| Enterprise | Unlimited | Full catalog | Priority 7-day | Bundled | $1,499/mo | DetailDeploy |