---
title: BunkerWeb
created: 2026-06-08
updated: 2026-06-08
type: app
tags: [catalogue, firewall, app-marathon3-batch-c]
confidence: high
contested: false
sources: [https://selfh.st/apps/?tag=firewall&app=bunkerweb]
---

# 🔒 BunkerWeb

> The next-generation NGINX Web Application Firewall (WAF), with a modern interface and machine learning.

## 📋 General Information

| Field | Value |
| :--- | :--- |
| **Website** | [bunkerweb.io](https://www.bunkerweb.io) |
| **GitHub** | [bunkerity/bunkerweb](https://github.com/bunkerity/bunkerweb) |
| **License** | AGPL-3.0 |
| **Language** | Python / NGINX |
| **GitHub stars** | 6k ⭐ |
| **Category** | [[cat-firewall|Firewall]] |

## 📝 Description

**BunkerWeb** is an open source WAF (Web Application Firewall) built as a wrapper around an embedded NGINX, providing modern layer 7 application protection. It offers ModSecurity with the OWASP CRS, antibot with a JS challenge, rate limiting, L7 anti-DDoS, anti-scan and anti-bruteforce, plus a full web administration UI, a Python API, and autoconfiguration via ENV variables and Docker labels.

**Difference vs. classic ModSecurity**: native NGINX integration (no Apache sidecar), modern admin UI, Python plugins, native Docker integration, declarative configuration.

**Who it is for**: web hosts, exposed sites, security teams, and devops wanting a turnkey WAF behind Traefik/Nginx.

## 🚀 Installation

### Docker Compose (recommended)

```yaml
version: '3.8'

services:
  # WAF front end: publishes 80/443 and forwards to the embedded NGINX
  bunkerweb:
    image: bunkerity/bunkerweb:1.6.0
    container_name: bunkerweb
    restart: unless-stopped
    ports:
      - "80:8080"
      - "443:8443"
      - "443:8443/udp"
    environment:
      SERVER_NAME: "example.com"
      ADMIN_EMAIL: "admin@example.com"
      USE_CROWDSEC: "yes"
      USE_MODSECURITY: "yes"
      USE_BAD_BEHAVIOR: "yes"
      USE_LIMIT_REQ: "yes"
      USE_BLACKLIST: "yes"
      BLACKLIST_COUNTRY: "RU CN"
      WORKERS: "4"
    volumes:
      - bw-data:/data
    depends_on:
      - bw-scheduler
    labels:
      - "traefik.enable=false"

  # Scheduler: holds the configuration database
  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.6.0
    container_name: bw-scheduler
    restart: unless-stopped
    volumes:
      - bw-data:/data
    environment:
      DATABASE_URI: "sqlite:///data/db.sqlite3"
      MULTISITE: "yes"
      USE_CROWDSEC: "yes"
      CROWDSEC_API: "http://crowdsec:8080"

  # Admin UI, exposed through Traefik on its own hostname
  bw-ui:
    image: bunkerity/bunkerweb-ui:1.6.0
    container_name: bw-ui
    restart: unless-stopped
    environment:
      ADMIN_USERNAME: admin
      # Taken from the environment (.env or shell), not hard-coded here
      ADMIN_PASSWORD: ${BW_ADMIN_PASSWORD}
      # Same SQLite URI as bw-scheduler; no /data volume is mounted on this service
      DATABASE_URI: "sqlite:///data/db.sqlite3"
    depends_on:
      - bw-scheduler
    labels:
      - "traefik.http.routers.bwui.rule=Host(`bw-admin.example.com`)"
      - "traefik.http.routers.bwui.tls.certresolver=letsencrypt"

volumes:
  bw-data:
```

## 🔄 Alternatives

### Open Source

- **ModSecurity** — historic WAF (Apache/NGINX/IIS), OWASP CRS
- **CrowdSec** — collaborative fail2ban, can complement BunkerWeb
- **Coraza** — WAF written in Go, ModSecurity-compatible
- **Naxsi** — native NGINX WAF, score-based
- **HAProxy Enterprise** — LB + WAF, commercial open

### Proprietary

- **Cloudflare WAF** — world-leading SaaS WAF
- **AWS WAF** — Amazon's managed WAF
- **Imperva WAF** — enterprise legacy
- **F5 BIG-IP AWAF** — enterprise appliance

## 🔐 Security

- **ModSecurity OWASP CRS 4.x**: protection against the OWASP Top 10
- **CrowdSec integration**: IP blocking based on collective reputation
- **Hardened HTTPS**: TLS 1.2/1.3, HSTS, OCSP stapling
- **Auto-ban**: antibot, antibruteforce, anti-DDoS L7
- **Audit logs**: full traceability of blocked requests

## 📚 Resources

- [Documentation](https://docs.bunkerweb.io/)
- [OWASP CRS](https://coreruleset.org/)
- [Plugin list](https://github.com/bunkerity/bunkerweb-plugins)

## Related Pages

- [[cat-firewall]] — Firewall category
- [[app-opnsense]] — L3/L4 network firewall
- [[app-vector]] — BunkerWeb log aggregation