Introduction to the Top Ten Open Source WAFs in 2021

Open source WAFs are an important part of network security. Cloudflare has argued that ten years from now the security infrastructure of the digital economy will be as commonplace as a water filtration system, and that the core of that filtration system is the WAF. Deploying a web application firewall in front of a server is therefore very important. There are many open source WAFs in this space, but too few excellent ones. After extensive searching, and taking market popularity into account, the author has compiled the following top ten open source WAFs of 2021 for reference.
1. OpenResty
OpenResty was started by Zhang Yichun (agentzh). It is a software platform that bundles nginx with a set of third-party modules; its core is nginx plus the Lua scripting language. nginx itself is written in C, and extending it in C is laborious, whereas Lua is much simpler, so request-inspection logic is written in Lua and executed inside nginx. Strictly speaking OpenResty is not a WAF but the platform on which one is built (several of the entries below are OpenResty-based): many large Chinese companies such as 360, JD.com (Jingdong) and Gitee have built their web application firewalls on it.
Project address: https://github.com/openresty/
2. AIHTTPS
AIHTTPS is an upgraded version of hihttps, also written in China. Its distinguishing features are compatibility with ModSecurity rules and a move toward artificial intelligence: it uses machine learning to generate adversarial rules autonomously and defend against vulnerability scanning, CC (HTTP flood) attacks, DDoS, SQL injection, XSS and so on. Its commercial edition is also open source, and it is currently the most commercialized of the open source WAFs.
Project address: https://github.com/qq4108863/ Official website: http://www.hihttps.com

3. ModSecurity
ModSecurity is the originator of open source WAFs. It is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx, developed by Trustwave's SpiderLabs. The OWASP community develops and maintains a free set of application protection rules for it, the OWASP ModSecurity Core Rule Set (CRS). The rule set is very good, but in some environments its false positive rate is astonishing: the CRS is both the source of ModSecurity's strength and the source of its trouble (as the Chinese idiom puts it, it succeeds because of Xiao He and fails because of Xiao He). In practice, start with SecRuleEngine DetectionOnly, review what the CRS flags on real traffic, and tune its paranoia level and anomaly-score threshold before switching to blocking mode.
Project address: https://github.com/SpiderLabs/ModSecurity
4. Naxsi
Naxsi is a WAF implemented as an Nginx module with its own rule format. The project is written in C, and adapting it requires familiarity with the Nginx source code, which keeps it far removed from the application (business) logic that most developers actually work on.
Project address: https://github.com/nbs-system/naxsi
5. OpenWAF
OpenWAF is based on Nginx. Its advantage is that it has two engines: a rule engine and a behavior analysis engine. The rule engine inspects each request in isolation, while the behavior analysis engine tracks information across requests (the kind of tracking that catches a client whose individual requests each look harmless). The disadvantage is complexity: it is not suitable for developers who are unfamiliar with Nginx and Lua.
Project address: https://github.com/titansec/OpenWAF
6. X-WAF
X-WAF's core is built on OpenResty + Lua, and its management backend is written in Go with xorm and macaron. It supports deployment as a binary and is suited to small businesses.
Project address: https://github.com/xsec-lab/x-waf
7. Unixhot
Unixhot implements a custom WAF with Nginx + Lua. In one sentence: it parses the HTTP request (protocol analysis module), runs rule detection (rule module), takes the corresponding defensive action (action module), and records the whole process (log module). Very simple.
Project address: https://github.com/unixhot/waf
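As an added example (not code from OpenResty, OpenWAF or Unixhot), the Lua module below puts the four-module pipeline just described, plus the cross-request behavior engine that OpenWAF separates from its rule engine, into working code. The module name rule_waf, the rules, the thresholds and the sample requests are all constructed for this example.

```lua
-- rule_waf.lua (hypothetical name): a minimal nginx+Lua WAF in the parse -> rules ->
-- behaviour -> action/log shape described above. Pure Lua: `lua rule_waf.lua` runs it offline.
local M = {}

local function url_decode(s)
  s = s:gsub("%+", " ")
  return (s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
end

-- Stage 1, protocol analysis: flatten the request into (location, value) pairs.
-- Table values (repeated keys, as ngx.req.get_uri_args() returns them) are expanded.
function M.parse(req)
  local fields = {}
  local function add(loc, v, decode)
    if type(v) == "table" then for _, x in ipairs(v) do add(loc, x, decode) end return end
    v = tostring(v)
    fields[#fields + 1] = { loc = loc, value = decode and url_decode(v) or v }
  end
  add("uri", req.uri or "", true)
  for k, v in pairs(req.args or {}) do add("args:" .. k, v, true) end
  for k, v in pairs(req.headers or {}) do add("header:" .. k, v, false) end
  if req.body then add("body", req.body, true) end
  return fields
end

-- Stage 2, rule engine. Constructed sample rules: Lua patterns matched against
-- the lower-cased value. A "deny" hit ends inspection; "log" hits are collected.
M.rules = {
  { id = 1001, name = "sqli-union-select", pattern = "union%s+select", action = "deny" },
  { id = 3001, name = "path-traversal",    pattern = "%.%./",           action = "deny" },
  { id = 4001, name = "scanner-ua",        pattern = "sqlmap",          action = "log"  },
}

function M.inspect(fields, rules)
  local hits = {}
  for _, f in ipairs(fields) do
    local v = f.value:lower()
    for _, r in ipairs(rules or M.rules) do
      if v:find(r.pattern) then
        hits[#hits + 1] = { rule = r, loc = f.loc, sample = f.value:sub(1, 64) }
        if r.action == "deny" then return "deny", hits end
      end
    end
  end
  return #hits > 0 and "log" or "pass", hits
end

-- Stage 3, behaviour analysis (cross-request): a client that trips `threshold` deny
-- rules within `window` seconds is blocked for `block_seconds`, clean requests included.
-- A plain table holds the state here; under OpenResty use an ngx.shared.DICT instead.
function M.new_behavior(o)
  o = o or {}
  return { window = o.window or 60, threshold = o.threshold or 5,
           block_seconds = o.block_seconds or 300, clients = {} }
end
function M.record_hit(beh, ip, now)
  local c = beh.clients[ip]
  if not c or now - c.window_start >= beh.window then
    c = { window_start = now, hits = 0 }; beh.clients[ip] = c
  end
  c.hits = c.hits + 1
  if c.hits >= beh.threshold then c.blocked_until = now + beh.block_seconds end
end

-- Stage 4, action + log. Returns (status, logline): 403 to reject, nil to let the
-- request through; logline is nil when there is nothing worth recording.
function M.handle(req, beh, now, rules)
  local ip = req.remote_addr or "unknown"
  local c = beh.clients[ip]
  if c and c.blocked_until and now < c.blocked_until then
    return 403, ("client=%s decision=block reason=behavior"):format(ip)
  end
  local verdict, hits = M.inspect(M.parse(req), rules)
  if verdict == "pass" then return nil, nil end
  local h = hits[#hits]
  local line = ("client=%s decision=%s rule=%d name=%s loc=%s sample=%q"):format(
    ip, verdict, h.rule.id, h.rule.name, h.loc, h.sample)
  if verdict == "deny" then M.record_hit(beh, ip, now); return 403, line end
  return nil, line
end

if not ngx then  -- standalone demo over constructed sample requests, not real traffic
  local beh = M.new_behavior({ threshold = 2 })
  local samples = {
    { remote_addr = "10.0.0.5", uri = "/item", args = { id = "7" } },
    { remote_addr = "10.0.0.5", uri = "/item", args = { id = "7%27%20UNION%20SELECT%20user,pw%20FROM%20t" } },
    { remote_addr = "10.0.0.5", uri = "/..%2F..%2Fetc/passwd" },
    { remote_addr = "10.0.0.5", uri = "/item", args = { id = "8" } },  -- clean, but client is blocked now
    { remote_addr = "10.0.0.9", uri = "/", headers = { ["user-agent"] = "sqlmap/1.5" } },
  }
  for i, s in ipairs(samples) do
    local status, line = M.handle(s, beh, 1000 + i)
    print(i, status or "allow", line or "-")
  end
end

return M
```

Run with plain Lua or LuaJIT to see the demo: the first request passes, the second and third are denied by rule (the URL decoding in stage 1 is what exposes the traversal hidden behind %2F), the fourth is clean but rejected because the client has already tripped two rules, and the scanner User-Agent is only logged. Under OpenResty the same module is wired in from an access_by_lua_block: build the request table from ngx.var.remote_addr, ngx.var.uri, ngx.req.get_uri_args() and ngx.req.get_headers(), write the returned line with ngx.log(ngx.WARN, ...), and call ngx.exit(status) when a status comes back. Two caveats a practitioner would want: the behaviour state must live in a shared dictionary (lua_shared_dict plus incr/expire), not in a per-worker Lua table, or each nginx worker counts separately; and a single URL-decode pass with hand-written patterns is exactly the kind of rule engine that evasions (double encoding, case and whitespace tricks) and false positives are aimed at, which is why mature rule sets such as the CRS carry normalization transforms and scoring rather than a first-match deny.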
8. Java WAF
There are few WAFs written in Java. This one is an API gateway developed in Java; the WAF is built on the open source proxy LittleProxy, which in turn is built on Netty. Functionally it supports security interception, various analysis and detection checks, sandboxed scripts, flow control / CC protection and so on. Not having to know C is good news for Java developers.
Project address: https://github.com/chengdedeng/waf
9. VeryNginx
VeryNginx is likewise built on lua-nginx-module (OpenResty). It implements an advanced firewall, access statistics and other functions, and runs integrated inside Nginx, extending what Nginx itself can do.
Project address: https://github.com/alexazhou/VeryNginx/
10. FreeWAF
FreeWAF works at the application layer and performs deep, two-way inspection of HTTP traffic, protecting sites in real time against attempts to exploit application-layer vulnerabilities to steal or destroy website data. It can effectively defend against SQL injection, XSS, CSRF, buffer overflows, application-layer DoS/DDoS and so on. However, the project has not been updated for a long time.

Summary:
Open source does not mean free, and in real-world combat open source WAFs are still a Monkey King's somersault cloud short of commercial products. In this respect AIHTTPS is undoubtedly the most thoroughly commercialized open source product. Perhaps, as Cloudflare anticipates, once the WAF becomes basic infrastructure of the digital economy, open source WAFs will shine with the light of Chinese domestic development. Here we pay tribute to everyone who works to protect network security!

Source: blog.51cto.com/14678079/2585110