BunkerWeb (bunkerized-nginx): The Free, Open-Source WAF That Gives SMBs Enterprise-Grade nginx Security
TL;DR
- BunkerWeb (formerly bunkerized-nginx) is a free, open-source, 9,600+ GitHub-star project that wraps nginx in a security-by-default hardened shell — ModSecurity WAF, automatic HTTPS, HTTP security headers, IP blacklisting, rate limiting, and bot challenges, all pre-configured out of the box.
- Why it matters for SMBs: The average data breach cost for businesses under 500 employees is now $2.98 million [1]. Most SMBs run stock nginx with default settings and zero WAF protection — BunkerWeb closes that gap for $0 in licensing.
- It's not just nginx config tricks — it's a full reverse-proxy platform with a web UI, Docker/Kubernetes/Linux integrations, and a plugin ecosystem, now maintained under the bunkerity/bunkerweb project.
- The catch: the AGPLv3 license means that if you modify it and deploy it as a service, you must open-source your changes. For internal use and self-hosting, it's completely free.
- Bottom line: If you're running nginx and not running BunkerWeb (or something like it), you're leaving the front door unlocked.
Why "Secure nginx by Default" Is Harder Than It Sounds
nginx is the world's most popular web server, powering an estimated 34% of all websites [2]. It's fast, efficient, and endlessly configurable. It's also installed with virtually no security hardening by default.
Out of the box, a vanilla nginx install will:
- Advertise its version number in HTTP response headers (making automated exploit targeting trivial)
- Accept all HTTP methods, including dangerous ones like TRACE and DELETE
- Serve responses without critical security headers like Content-Security-Policy, X-Frame-Options, or Strict-Transport-Security
- Have no rate limiting, no bot detection, no WAF layer, and no IP reputation blocking
- Configure TLS permissively, potentially allowing deprecated protocols like TLS 1.0
Manually hardening nginx to a reasonable security baseline requires configuring ModSecurity, writing OWASP Core Rule Set rules, tuning HTTP security headers, implementing rate limiting, setting up fail2ban integration, automating Let's Encrypt certificates, and more. According to the OWASP Testing Guide, a properly hardened web server configuration can mitigate the majority of the OWASP Top 10 attack categories [3] — but getting there manually takes dozens of hours and ongoing maintenance expertise.
That's the problem BunkerWeb was built to solve.
What Is BunkerWeb (formerly bunkerized-nginx)?
BunkerWeb is a next-generation open-source Web Application Firewall built on nginx. Originally released as bunkerized-nginx by the French security company Bunkerity, the project has grown into a comprehensive security-by-default web platform with over 9,600 GitHub stars and an active community.
The core philosophy: every security best practice should be enabled by default, not an afterthought.
Instead of handing you a bare nginx and a 40-page hardening guide, BunkerWeb ships with all the hard work done:
- ModSecurity WAF pre-integrated with the OWASP Core Rule Set
- HTTP security headers applied automatically
- TLS configured to current standards (TLS 1.2/1.3 only)
- Server version information suppressed
- Bot challenges and rate limiting ready to enable with a single environment variable
- IP reputation blacklisting from external feeds
- Automatic Let's Encrypt certificate issuance and renewal
- A web UI for operators who don't want to touch config files
It deploys as a reverse proxy in front of your existing web applications — whether they're Docker containers, bare metal apps, or Kubernetes services. Your apps don't need to change at all. BunkerWeb sits in front and handles security.
ELI10: How Does BunkerWeb Work?
Imagine your web app is a shop on a busy street. Without security, anyone can walk straight in — including shoplifters, vandals, and people who just want to break things.
nginx is like your shop door. It controls who gets in. But out of the box, it's an unlocked glass door with a sign that says "Push to enter — and by the way, we use Schlage brand locks, model 3000."
BunkerWeb is like hiring a professional security team to stand in front of your door. They:
- Check everyone's ID against a list of known troublemakers (IP blacklisting)
- Spot when someone's trying to pick the lock and block them (ModSecurity WAF)
- Make sure nobody can stare through your windows at your private stuff (security headers)
- Lock the door properly with a modern padlock (TLS 1.3 only)
- Ask suspicious-looking visitors to prove they're human before entering (bot challenges like CAPTCHA)
- Track if someone keeps trying to open the door too many times and kick them out (rate limiting)
And they do all this automatically, without you having to train them. You just tell them which shops to protect, and they get to work.
That's BunkerWeb. Security team, included. $0/month.
Core Security Features: What You Actually Get
1. Integrated ModSecurity WAF with OWASP Core Rule Set
ModSecurity is the gold standard open-source WAF engine, and the OWASP Core Rule Set (CRS) is the ruleset that powers it. Together, they detect and block SQL injection, cross-site scripting (XSS), remote code execution attempts, path traversal, and dozens of other attack vectors defined in the OWASP Top 10 [3].
BunkerWeb ships with ModSecurity and CRS pre-integrated. You don't compile anything. You flip USE_MODSECURITY=yes and you have a WAF.
A 2019 study published in IEEE Access found that ModSecurity with the OWASP CRS detected and blocked 97.4% of SQL injection attacks and 96.1% of XSS attacks in empirical testing — numbers that dramatically reduce your risk surface compared to unprotected endpoints [4].
2. HTTP Security Headers (All of Them, Pre-Configured)
BunkerWeb automatically applies a comprehensive suite of security headers that browsers rely on to protect users:
| Header | Purpose | BunkerWeb Default |
|---|---|---|
| Content-Security-Policy | Prevent XSS, clickjacking, code injection | Pre-configured restrictive policy |
| Strict-Transport-Security | Force HTTPS, prevent SSL stripping | max-age=31536000 |
| X-Frame-Options | Prevent clickjacking via iframes | SAMEORIGIN |
| X-Content-Type-Options | Prevent MIME-type sniffing attacks | nosniff |
| Referrer-Policy | Control data sent in Referer header | strict-origin-when-cross-origin |
| Permissions-Policy | Restrict browser API access | All sensitive APIs denied |
| X-XSS-Protection | Legacy XSS filter for older browsers | 1; mode=block |
It also removes verbose headers that aid attackers: Server, X-Powered-By, X-AspNet-Version. Attackers use these headers to fingerprint your stack and target known exploits for specific versions [5].
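A post-deployment check is worth more than a table: the added Python below (not BunkerWeb's own code) parses a raw HTTP response and reports which of the headers listed above are missing or weaker than the listed defaults, and which stack-revealing headers are still present. The two sample responses are constructed, not captured from a real server.

```python
"""Audit an HTTP response's security headers against the baseline BunkerWeb applies.

Added example, not BunkerWeb's own code. Expected values mirror the table above;
the sample responses are constructed.
"""
import re

# Headers the table says BunkerWeb sets, each with a predicate for an acceptable value.
EXPECTED = {
    "content-security-policy": lambda v: bool(v.strip()),
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,
    "x-frame-options": lambda v: v.strip().upper() in ("SAMEORIGIN", "DENY"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() in (
        "strict-origin-when-cross-origin", "no-referrer", "same-origin", "strict-origin"),
    "permissions-policy": lambda v: bool(v.strip()),
}

# Headers that fingerprint the stack and should be absent after hardening.
LEAKY = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def _max_age(value: str) -> int:
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a lowercase-keyed dict."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> dict:
    """Return {'missing': [...], 'weak': [...], 'leaky': [...]} for one response."""
    h = parse_headers(raw)
    return {
        "missing": [n for n in EXPECTED if n not in h],
        "weak": [n for n, ok in EXPECTED.items() if n in h and not ok(h[n])],
        "leaky": [n for n in LEAKY if n in h],
    }


# Constructed sample: what a stock nginx + PHP response typically looks like.
STOCK_NGINX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample: the same response behind a hardened reverse proxy.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: geolocation=(), camera=(), microphone=()\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("stock nginx", STOCK_NGINX), ("hardened", HARDENED)):
        print(name, audit(raw))
```

Feed it the output of `curl -si https://yourdomain.com/` to audit a live deployment; a non-empty `missing` or `leaky` list after enabling BunkerWeb usually means the proxy is being bypassed or a per-site override has disabled the headers plugin.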
3. Automatic HTTPS with Let's Encrypt
Set AUTO_LETS_ENCRYPT=yes and BunkerWeb handles certificate issuance and auto-renewal. No certbot cron jobs, no manual renewals, no certificate expiry alerts at 2am. TLS is configured to enforce TLS 1.2 minimum (TLS 1.3 preferred), disabling deprecated protocols and weak cipher suites in line with NIST SP 800-52 guidelines [6].
4. Bot Challenges and Anti-Automation Protection
BunkerWeb's USE_ANTIBOT feature challenges suspicious automated clients before they reach your application. Challenge methods include:
- Cookie challenge: Verify the client stores cookies (eliminates simple bots)
- JavaScript challenge: Verify the client executes JavaScript (eliminates headless scrapers)
- CAPTCHA / hCaptcha / reCAPTCHA: Human verification for high-risk endpoints
This is particularly valuable for protecting login pages, registration forms, and APIs from credential stuffing and brute-force attacks — attack types that accounted for 86% of web application breaches in 2024 according to the Verizon Data Breach Investigations Report [7].
5. IP Blacklisting with External Threat Intelligence Feeds
BunkerWeb integrates multiple IP reputation sources and DNSBL (DNS Blackhole Lists) to automatically block known malicious IPs before they even hit your application. Sources include Tor exit nodes, known botnet command-and-control infrastructure, and community threat intelligence feeds.
You can layer custom IP whitelists and blacklists on top — so your VPN ranges are always let through, and your known bad actors are always blocked.
6. Rate Limiting and Connection Controls
BunkerWeb enforces configurable rate limits on connections and HTTP requests, protecting against:
- DDoS amplification — too many connections from a single IP get cut off
- API scraping — request-per-second limits prevent bulk data harvesting
- Brute force — login endpoints can be rate-limited independently
- Bad behavior banning — clients generating abnormal 4xx/5xx rates get automatically banned
7. Security Mode: Detect vs Block
A thoughtful feature for ops teams is the SECURITY_MODE toggle. Set to detect, BunkerWeb logs threats without blocking — perfect for tuning rules without disrupting production traffic. Switch to block when you're confident in your ruleset. This two-phase approach is considered a security operations best practice [3].
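Detect mode only pays off if someone actually reads the log. The added Python below (not part of BunkerWeb) ranks the ModSecurity rule IDs found in the nginx error log by how many distinct clients trigger them on which endpoints, which is the quickest way to separate false positives on legitimate traffic from one source probing a login page. It assumes the libmodsecurity v3 log format (`[id "..."]`, `[msg "..."]`, `[uri "..."]` fields) and uses constructed log lines.

```python
"""Rank ModSecurity rule hits from BunkerWeb's nginx error log in detect mode.

Added example, not part of BunkerWeb. Assumes the libmodsecurity v3 log format;
the log lines below are constructed, not captured from a real deployment.
"""
import re
from collections import defaultdict

FIELD = re.compile(r'\[(id|msg|uri) "([^"]*)"\]')
CLIENT = re.compile(r'\[client ([^\]]+)\]')
ANOMALY_RULES = {"949110", "980130"}  # CRS scoring/reporting rules, not real matches


def parse_line(line: str):
    """Return (rule_id, msg, uri, client) for a ModSecurity log line, else None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    client = CLIENT.search(line)
    if "id" not in fields or not client:
        return None
    return fields["id"], fields.get("msg", ""), fields.get("uri", ""), client.group(1)


def rank_rules(log_text: str):
    """Order rules by distinct clients, then hit count.

    A rule fired by many different clients on one endpoint is a strong
    false-positive candidate; one hammered from a single source usually is not.
    """
    hits, clients, uris, msgs = defaultdict(int), defaultdict(set), defaultdict(set), {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        rule_id, msg, uri, client = parsed
        if rule_id in ANOMALY_RULES:
            continue
        hits[rule_id] += 1
        clients[rule_id].add(client)
        uris[rule_id].add(uri)
        msgs[rule_id] = msg
    rows = [{"id": r, "msg": msgs[r], "hits": hits[r],
             "clients": len(clients[r]), "uris": sorted(uris[r])} for r in hits]
    return sorted(rows, key=lambda x: (-x["clients"], -x["hits"], x["id"]))


# Constructed log lines in the shape BunkerWeb's nginx error log uses for ModSecurity.
_TMPL = ('2025/01/01 10:00:0{n} [error] 12#12: *{n} [client {c}] ModSecurity: Warning. '
         '[file "REQUEST-9xx.conf"] [id "{id}"] [msg "{msg}"] [severity "2"] '
         '[uri "{uri}"], client: {c}, server: yourdomain.com')
_ROWS = [
    dict(c="198.51.100.10", id="941100", msg="XSS Attack Detected via libinjection", uri="/editor/save"),
    dict(c="198.51.100.11", id="941100", msg="XSS Attack Detected via libinjection", uri="/editor/save"),
    dict(c="198.51.100.12", id="941100", msg="XSS Attack Detected via libinjection", uri="/editor/save"),
    dict(c="203.0.113.7", id="942100", msg="SQL Injection Attack Detected via libinjection", uri="/login"),
    dict(c="203.0.113.7", id="942100", msg="SQL Injection Attack Detected via libinjection", uri="/login"),
    dict(c="203.0.113.7", id="949110", msg="Inbound Anomaly Score Exceeded", uri="/login"),
]
SAMPLE_LOG = "\n".join(_TMPL.format(n=i + 1, **row) for i, row in enumerate(_ROWS))

if __name__ == "__main__":
    for row in rank_rules(SAMPLE_LOG):
        print(f'{row["id"]} hits={row["hits"]} clients={row["clients"]} uris={row["uris"]} ({row["msg"]})')
```

In the sample, rule 941100 firing for three different clients on the rich-text editor's save endpoint is the kind of hit to exclude for that URI before switching to block, while 942100 from a single client on /login is exactly what the WAF exists for.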
Architecture: How BunkerWeb Fits Into Your Stack
BunkerWeb operates as a reverse proxy at the network edge. The architecture is clean:
Internet → [BunkerWeb / WAF] → [Your App / API / Backend]
BunkerWeb handles TLS termination, applies all security policies, and forwards clean traffic to your backend over a trusted internal network. Your backend doesn't need to know anything about security — that's BunkerWeb's job.
Supported deployment environments:
- Docker — single container, plug in with docker-compose
- Docker Autoconf — labels on your app containers automatically configure BunkerWeb protection (zero manual config per new service)
- Kubernetes — Ingress controller mode
- Docker Swarm — cluster-aware deployment
- Linux native — direct install on Debian/Ubuntu/RHEL
The multisite mode lets a single BunkerWeb instance protect multiple domains with per-domain security policies. You can run different CAPTCHA requirements, different CSP headers, and different WAF rules for each domain in your fleet.
BunkerWeb vs. Manual nginx Hardening: Real Comparison
If you're considering whether to configure nginx security manually or use BunkerWeb, here's an honest comparison:
| Capability | Manual nginx | BunkerWeb |
|---|---|---|
| HTTP security headers | Configure by hand (~30 min) | Automatic, sane defaults |
| ModSecurity + OWASP CRS | Compile, integrate, tune (days) | USE_MODSECURITY=yes |
| Let's Encrypt auto-renewal | certbot cron, manual tuning | Built-in |
| TLS hardening | Research cipher suites, test | Defaults follow NIST SP 800-52 |
| IP reputation blocking | Self-source feeds, cron updates | Built-in multi-source feeds |
| Bot challenge / CAPTCHA | Build or integrate third-party | USE_ANTIBOT=captcha |
| Rate limiting | Write nginx lua / limit_req | Environment variable |
| Web UI for config | None | Included |
| Kubernetes Ingress | Build your own | Supported |
| Time to baseline security | 20-40 hours + expertise | < 1 hour |
| Ongoing maintenance | Manual | Automated |
| Cost | $0 + your time | $0 |
The manual approach isn't wrong — skilled teams who understand nginx deeply may prefer it for maximum control. But for SMBs without a dedicated security engineer, BunkerWeb collapses weeks of work into an afternoon.
Quick Start: BunkerWeb with Docker Compose
Here's a minimal working example protecting a backend app. This gets you HTTPS, ModSecurity, security headers, and rate limiting in one file:
```yaml
version: "3"
services:
  bunkerweb:
    image: bunkerity/bunkerweb:latest
    ports:
      - "80:8080"
      - "443:8443"
    environment:
      - SERVER_NAME=yourdomain.com
      - AUTO_LETS_ENCRYPT=yes
      - USE_MODSECURITY=yes
      - USE_BAD_BEHAVIOR=yes
      - USE_BLACKLIST=yes
      - USE_LIMIT_REQ=yes
      - USE_ANTIBOT=javascript
      - USE_REVERSE_PROXY=yes   # enables the REVERSE_PROXY_* settings below
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myapp:3000
    volumes:
      - bw_data:/var/cache/bunkerweb
    networks:
      - bw_net
  myapp:
    image: your-app-image:latest
    networks:
      - bw_net   # reachable only from BunkerWeb; no published ports on the app itself
volumes:
  bw_data:
networks:
  bw_net:
    driver: bridge
```
That's it. Your application is now protected by a WAF, HTTP hardening headers, rate limiting, IP blacklisting, bot challenge, and automatic HTTPS — with a single docker-compose up.
For production, review the official documentation at docs.bunkerweb.io for tuning guidance, especially around ModSecurity false positives for your specific application stack.
Licensing: What SMBs Need to Know
BunkerWeb is released under the AGPLv3 license. This is a strong copyleft license with one important implication: if you modify BunkerWeb and provide it as a network service to others, you must release your modifications under AGPLv3.
For most SMBs, this doesn't apply. If you're:
- Self-hosting BunkerWeb to protect your own websites and apps
- Using it internally within your company
- Using the standard, unmodified Docker image
...then AGPLv3 places no restrictions on you whatsoever. You can use it freely, commercially, without cost.
If your business model involves offering modified BunkerWeb as a managed service to clients, you'll need to either release your modifications or purchase a commercial license from Bunkerity via their Panel.
Who Should Use BunkerWeb?
Best fit for:
- SMBs running Docker stacks (WordPress, custom apps, APIs)
- Dev teams deploying multiple services behind a single reverse proxy
- Startups that need "good enough" security fast without a dedicated security engineer
- Businesses in regulated industries (health, finance, legal) who need documented WAF coverage
- Self-hosters who want a step up from stock nginx without writing 500 lines of config
Not ideal if:
- You need deep custom WAF rules that conflict with OWASP CRS defaults (consider manual ModSecurity tuning)
- You're under compliance frameworks requiring commercial WAF vendor certification
- Your ops team already has mature nginx hardening automation (Ansible, Terraform) — BunkerWeb may duplicate effort
What Does This Actually Cost Your Business?
Nothing in licensing. The real cost is your time for initial setup (a few hours) and your server resources (BunkerWeb is lightweight — it adds minimal overhead to nginx's already-efficient footprint).
Compare that to the alternative. According to IBM's 2024 Cost of a Data Breach Report, the global average breach cost reached $4.88 million in 2024, up 10% from 2023 [1]. For businesses with fewer than 500 employees, the average drops to $2.98 million — still catastrophic for an SMB [8].
A properly configured WAF like BunkerWeb isn't a guarantee against all attacks. But it eliminates the lowest-effort attacks that automation tools run constantly against every internet-facing server. Those attacks — script-kiddie SQLi, credential stuffing, path traversal — are what take down SMBs, because enterprise targets have defenses and SMBs typically don't.
One afternoon's worth of work to deploy BunkerWeb is the single highest-ROI security investment most SMBs can make this year.
Limitations and Honest Caveats
BunkerWeb is powerful, but not magic. Know these before you deploy:
ModSecurity false positives are real. Custom web apps, complex form submissions, and unusual content types can trigger WAF rules. Start in SECURITY_MODE=detect and review logs before switching to block.
The web UI is optional but helpful. The CLI/environment-variable approach is powerful, but complex multi-domain setups benefit from the UI. The free tier includes it.
Plugin ecosystem requires attention. Community plugins vary in quality and maintenance. Vet any third-party plugins before production use.
HTTPS termination means traffic is decrypted at BunkerWeb. Understand your trust boundary — traffic between BunkerWeb and your backend is plaintext unless you configure backend HTTPS separately.
AGPLv3 compliance. If you build a managed service on top of BunkerWeb, engage a lawyer to confirm your obligations.
FAQ
Yes. bunkerized-nginx was the original name for the project when it was first released as a security-hardened nginx Docker image. The project matured significantly and was rebranded to BunkerWeb under the bunkerity/bunkerweb GitHub repository. The core concept — nginx as a secure-by-default reverse proxy with WAF capabilities — is unchanged. All new development happens under the BunkerWeb name, and the original bunkerized-nginx repository redirects there.
Yes, for self-hosted use. BunkerWeb is licensed under AGPLv3, which is completely free for self-hosting your own applications. There are no per-server fees, no request-based pricing, and no feature gating on the core WAF functionality. Bunkerity offers paid PRO features (advanced plugins, priority support, managed cloud hosting) for businesses that need them, but the free tier is genuinely capable.
Cloud WAFs like Cloudflare WAF offer global anycast DDoS absorption, CDN integration, and managed rule updates — advantages BunkerWeb can't match for volumetric DDoS attacks. However, Cloudflare WAF pricing starts at $20/month per domain (Business plan) and can run into hundreds monthly for high-traffic sites. BunkerWeb gives you comparable per-request protection at $0, running on your existing infrastructure. For SMBs where volumetric DDoS isn't the primary threat model (most aren't targeted at that scale), BunkerWeb is the stronger value proposition. The two can also coexist: BunkerWeb behind Cloudflare's proxy adds defence-in-depth.
Not if you tune it. ModSecurity in detection mode (SECURITY_MODE=detect) is completely transparent — it logs threats without blocking anything. Start there, review your logs for false positives, disable or tune any rules that flag legitimate traffic, then switch to block mode. The most common false positives occur with: file upload endpoints, rich text editors (like TinyMCE/CKEditor), REST APIs with complex payloads, and legacy apps that use non-standard headers. All are configurable.
Yes. BunkerWeb has official Kubernetes support via Ingress controller integration, as well as Docker Swarm mode for distributed container deployments. The Kubernetes integration uses annotations on Ingress resources to apply per-service BunkerWeb configuration, fitting naturally into existing K8s workflows. Documentation at docs.bunkerweb.io covers the full setup.
BunkerWeb automatically applies: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Feature-Policy, and X-XSS-Protection. It also removes information-leaking headers: Server, X-Powered-By, X-AspNet-Version, and X-AspNetMvc-Version. All values are configurable via environment variables if the defaults don't match your application's requirements.
According to IBM's 2024 Cost of a Data Breach Report, the global average breach cost is $4.88 million [1]. For small businesses with fewer than 500 employees, that figure is $2.98 million on average [8] — often company-ending. The Ponemon Institute's research consistently shows that organizations with mature WAF deployments detect and contain breaches significantly faster, reducing average incident costs [4]. Basic WAF coverage, like BunkerWeb provides, is one of the most cost-effective security controls available to small businesses.
Ready to Lock Down Your nginx?
BunkerWeb is the pragmatic choice for SMBs who want real web security without an enterprise budget. It's not theoretical protection — it's ModSecurity, OWASP CRS, hardened TLS, and security headers running in production on thousands of sites right now.
But deploying it properly — tuning ModSecurity false positives for your specific stack, configuring per-domain security policies, integrating with your monitoring, and verifying your configuration against your compliance requirements — that's where most SMBs get stuck.
That's exactly what we do at lil.business.
If you want help deploying BunkerWeb (or a full security architecture review of your web infrastructure), we offer straightforward consulting engagements sized for SMB budgets — no enterprise sales process, no bloated retainers.
We'll assess your current setup, identify the highest-risk gaps, and give you an actionable plan — whether you implement it yourself or with us.
References
[1] IBM Security, "Cost of a Data Breach Report 2024," IBM Newsroom, Jul. 2024. [Online]. Available: https://newsroom.ibm.com/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs
[2] Netcraft, "March 2025 Web Server Survey," Netcraft, Mar. 2025. [Online]. Available: https://www.netcraft.com/blog/march-2025-web-server-survey/
[3] OWASP Foundation, "OWASP Top Ten — 2021," OWASP, 2021. [Online]. Available: https://owasp.org/Top10/
[4] M. Monowar, S. Bhatt, and P. Bhatt, "A Study on the Effectiveness of Web Application Firewalls Against OWASP Top 10 Attacks," IEEE Access, vol. 9, pp. 154902–154918, 2021. [Online]. Available: https://ieeexplore.ieee.org/document/9591452
[5] OWASP Foundation, "OWASP Testing Guide v4.2 — Information Gathering: Fingerprint Web Server," OWASP, 2021. [Online]. Available: https://owasp.org/www-project-web-security-testing-guide/
[6] National Institute of Standards and Technology, "NIST SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations," NIST, Aug. 2019. [Online]. Available: https://doi.org/10.6028/NIST.SP.800-52r2
[7] Verizon, "2024 Data Breach Investigations Report," Verizon Business, 2024. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[8] BusinessDasher, "25+ Small Business Cyber Attack Statistics (2024 Update)," BusinessDasher, Oct. 2024. [Online]. Available: https://www.businessdasher.com/small-business-cyber-attack-statistics/
[9] Bunkerity, "BunkerWeb Documentation — Security Tuning," BunkerWeb Docs, 2024. [Online]. Available: https://docs.bunkerweb.io/security-tuning/
[10] Bunkerity, "BunkerWeb GitHub Repository," GitHub, 2024. [Online]. Available: https://github.com/bunkerity/bunkerweb
[11] NIST, "National Vulnerability Database — CVE Statistics," NVD, 2024. [Online]. Available: https://nvd.nist.gov/general/nvd-dashboard
[12] Heimdal Security, "Small Business Cybersecurity Statistics in 2026," Heimdal Security Blog, Oct. 2025. [Online]. Available: https://heimdalsecurity.com/blog/small-business-cybersecurity-statistics/