By: theMiddle

WAF: free web application firewall hosted on DigitalOcean, would you like it?

December 5, 2015 4.9k views
Security Node.js Nginx

Hi!

Last year I started to develop a WAF (web application firewall) based on Nginx (OpenResty) + ModSecurity and Node.js. Now the WAF is stable and it works like a charm :)

I would like to create a new branch of this project (waf.blue) and create a FREE WAF-in-cloud service for small websites / blogs / etc. (not enterprise) called waf.red and hosted on DigitalOcean. The free WAF will include all ModSecurity rules + Custom Rules + Shared Reputation DB + 2 months of reports and logs + real time dashboard.

Would anyone be interested in using this kind of service? I've created a repository on GitHub to collect opinions and show screenshots and videos of the WAF.

https://github.com/theMiddleBlue/waf.red

Hope this can be useful,
thanks!

-theMiddle

4 comments
  • It looks nice, have you considered making it open source? I was going to look at waf.blue but your website doesn't really have any useful links, the Join Us link is broken so I couldn't do anything with it.

    It looks nice to use but it would only fit into my servers if it could be a self-hosted application, which it doesn't sound like it is from your description. I know it could be useful for some people though.

  • Hi @jonaharagon, thanks for your comment. You're right, waf.blue is a "brochure" website only, and it doesn't have much info. I'm working hard on the "waf.red" website; it will include a registration process where you'll be able to configure your WAF and use it.

    The idea is that you have to change your website's DNS record to a CNAME, something like:

    www.example.com.     CNAME node1.waf.red.
    

    So node1.waf.red will receive all HTTP requests and forward them (as a reverse proxy) to www.example.com, and block attacks without forwarding them.

    I think it is hard to make a WAF open source, because to do that I would need to publish the whole system image! I think it could be more useful as a service.

    I'll update this question when the waf.red website is done. Thank you!

    -theMiddle

  • It looks really smooth, and I think from experience a lot of new DO users would appreciate something like this. If it's easy to set up for them and there is good documentation, it could become popular in my opinion. You should make your project here once it's done, would be great.

  • Hi @CrypticDesigns, thanks for your comment! I'm a little bit worried about end users having to change DNS. I don't know if this will be easy for all users to do; I don't know if all users know what a CNAME is :) But probably whoever needs a WAF is not a "simple" end user :)

4 Answers

Hi guys!

I'm working on the registration process on the waf.red website; I think I'll complete it soon :)

I've just configured a "demo user" so you can try the WAF Web GUI. I would love to know your opinions about it :) It is not in a "production state" for now, it is a "pre-alpha". You need to log in to:

https://node1.waf.red/

Console: https://node1.waf.red/
Username: demo@waf.red
Password: demo
Demo Website: http://scream48.com

The WAF protects a demo website (scream48.com) that you can use to generate events on the demo account. For example, you'll see a request from your IP address if you run:
curl -v "http://scream48.com"

Thank you!
Other news coming soon :)

-theMiddle

Hi!

I've completed the sign-up process :) Now it is possible to start using the WAF and create configurations.

https://waf.red/signup

Comments or suggestions are really appreciated :)

-theMiddle

Did you try Wallarm? It's built on top of NGINX, with automatic learning from the traffic and a built-in vulnerability scanner.

Did this come along? I can't view the node1.waf.red website. Would love to have a WAF service.
