Bunkerweb

App in the BluixApps catalog

What it is

BunkerWeb is a Web Application Firewall (WAF) and reverse proxy — combines nginx with ModSecurity, custom security rules, anti-bot, rate limiting, and a beautiful admin UI. Open-source, drop-in replacement for nginx + manual ModSecurity wiring.

For self-hosters running public-facing apps and worried about attacks, BunkerWeb is the all-in-one defense layer.

What it's for

  • Web Application Firewall — block OWASP Top 10 attacks
  • Reverse proxy + WAF — protected access to backend apps
  • DDoS mitigation — rate limiting + bad-bot blocking
  • TLS termination — Let's Encrypt + secure cipher suites
  • Anti-bot — CAPTCHA + behavior analysis

Who it's for

  • Self-hosters running public-facing apps with attack concerns
  • Small businesses protecting customer-facing sites
  • DevOps teams wanting WAF without commercial vendors
  • Privacy-conscious orgs rejecting Cloudflare's data handling
  • Compliance-bound apps requiring documented WAF

Why teams pick BunkerWeb over alternatives

  • AGPLv3 — fully open
  • All-in-one — nginx + ModSecurity + WAF rules + UI
  • OWASP CRS — Core Rule Set integrated
  • Anti-bot — behavior-based + CAPTCHA
  • Active development — backed by Bunkity
  • Easy config — YAML / UI vs manual nginx rules

Integrations

  • Reverse proxy — protect any backend HTTP service
  • TLS — Let's Encrypt + custom certs
  • WAF rules — OWASP CRS + custom
  • Rate limiting — per-IP, per-URI
  • Authentication — basic auth, OAuth via forward-auth
  • Notification — email + Slack on attacks
  • Cluster mode — multi-node deployments

Notable users & community

  • 7k+ GitHub stars
  • Active GitHub Discussions
  • Backed by Bunkity with commercial Pro support
  • Featured in self-hosted security tool roundups
  • Frequent releases

Tips & operations

  • Tune WAF rules — false positives common; tune for your app
  • Monitor blocked requests — investigate trends; adjust rules
  • TLS config — secure defaults but customize for compatibility
  • Persistent storage — config + cache
  • Test in monitor mode first — observe attacks before blocking
  • Backup config — your rules are valuable; backup

What we ship in BluixApps

  • Docker compose: BunkerWeb (latest stable)
  • Pinned bunkerity/bunkerweb:1.5 (release-tagged)
  • HTTPS via Let's Encrypt
  • OWASP CRS pre-configured
  • Admin UI with random password
  • Persistent volumes for config + cache
  • Backup hook covers config + rules
Read this app's deep dive on bluix.app ↗

Get this app — pick a BluixApps plan

Same catalog. Scaling tenant isolation, white-label and support tier.

TierTenantsCatalogSupportWhite-labelMonthly
Stacks119 curated stacksStandard$19/moDetailDeploy
Starter10Full catalogStandard+$15–25/mo$49/moDetailDeploy
Pro25Full catalogPriority bugfix+$15–25/mo$149/moDetailDeploy
Growth100Full catalogPriority bugfix+$15–25/mo$349/moDetailDeploy
Scale500Full catalog7-day window+$15–25/mo$799/moDetailDeploy
EnterpriseUnlimitedFull catalogPriority 7-dayBundled$1,499/moDetailDeploy

Powered by WHMCompleteSolution