WAF: free web application firewall hosted on digitalocean, would you like it?

Posted December 5, 2015 10.4k views
Nginx Node.js Security


Last year I started developing a WAF (web application firewall) based on Nginx (OpenResty) + ModSecurity and Node.js. Now the WAF is stable and it works like a charm :)

I would like to create a new branch of this project ( and create a FREE service waf-in-cloud for small websites / blogs / etc … (not enterprise) called and hosted on DigitalOcean. The free WAF will include all ModSecurity rules + Custom Rules + Shared Reputation DB + 2 months of reports and logs + real time dashboard.

Would anyone be interested in using this kind of service? I’ve created a repository on GitHub to collect opinions and show screenshots and video of the WAF.

Hope this can be useful,


  • It looks nice, have you considered making it open source? I was going to look at but your website doesn’t really have any useful links, the Join Us link is broken so I couldn’t do anything with it.

    It looks nice to use but it would only fit into my servers if it could be a self-hosted application, which it doesn’t sound like it is from your description. I know it could be useful for some people though.

  • Hi @jonaharagon thanks for your comment. You’re right, is a “brochure” website only, and it doesn’t have much info. I’m working hard on the “” website; it will include a registration process where you’ll be able to configure your WAF and use it.

    The idea is that you have to change your website's DNS to a CNAME, something like:     CNAME

    so will receive all HTTP requests and forward them (as a reverse proxy) to and block attacks without forwarding them.

    I think it is hard to make a WAF open source, because to do that I need to publish the whole system image! I think it could be more useful as a service.

    I’ll update this question when website is done. Thank you!


  • It looks really smooth, and I think from experience a lot of new DO users would appreciate something like this. If it's easy to set up for them and there is good documentation, it could become popular in my opinion. You should make your project here once it's done, would be great.

  • Hi @CrypticDesigns thanks for your comment! I’m a little bit worried about end users having to change DNS. I don’t know if this would be easy for all users to do; I don’t know if all users know what a CNAME is :) But whoever needs a WAF is probably not a “simple” end user :)


5 answers

Hi guys!

I’m working on the registration process on website; I think I’ll complete it soon :)

I’ve just configured a “demo user” to let you try the WAF Web GUI. I would love to know your opinions about it :) It is not in a “production state” for now; it is a “pre-alpha”. You need to log in to:

Password: demo
Demo Website:

The WAF protects a demo website ( that you can use to generate events on the demo account. For example, you’ll see a request from your IP address if you do:
curl -v ""

Thank you!
Other news coming soon :)



I’ve completed the sign-up process :) Now it is possible to start using the WAF and create configurations.

Comments or Suggestions are really appreciated :)


Did you try Wallarm? It’s built on top of NGINX with automatic learning from the traffic and a built-in vulnerability scanner.

Did this come along? I can’t view the website. Would love to have a WAF service.

Sorry to rejuvenate this thread, but is way too intrusive with its CNAME requirement, and is gone. Wallarm looks nice, but the Nginx install gives an error. I followed the instructions on their website, and while executing yum install wallarm-node-nginx nginx-module-wallarm, I get this error:

Error: Package: ruby-proton-2.12.0-1.x86_64 (wallarm-node)
           Requires: libproton212 = 2.12.0-1
Error: ruby-proton conflicts with nginx-module-wallarm-2.10.7-1.el7.x86_64
Error: Package: ruby-proton-2.12.0-1.x86_64 (wallarm-node)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

This is on CentOS 7.x. Any ideas?
