Open-source NGINX-based WAF with built-in DDoS, anti-bot, and rate-limiting from French Bunkerity
BunkerWeb is an open-source web application firewall (WAF) and reverse proxy built on NGINX by Bunkerity SAS, a French security company based in Agen, France (RCS Agen B 902 545 128). Released under AGPL-3.0, it combines NGINX's performance with an automated security layer covering DDoS rate limiting, anti-bot challenges, bad-IP feed blocking, automatic HTTPS via Let's Encrypt, and a plugin system. It is available as a free self-hosted community edition, a BunkerWeb PRO subscription with advanced features and support, and a fully managed BunkerWeb Cloud SaaS with Essential and Custom plans.
Headquarters: Agen, France
Founded: 2021
Pricing
EU Data Hosting: Yes
Employees: 1-10
Open Source: Yes
Free
Free
Contact Sales
Billing: free, fixed, custom
The WAF market has been vendor-controlled for two decades. Imperva, F5, Fortinet, and eventually Cloudflare built commercial WAF products that organisations purchase, configure as black boxes, and trust to filter malicious traffic. The security policy is opaque, the filtering logic is proprietary, and the service routes application traffic through infrastructure the customer does not control. For security-conscious organisations — particularly those in regulated sectors under GDPR, the EU AI Act, or national security frameworks — a WAF that operates as a black box run by a US company is a risk posture, not a risk mitigation.
BunkerWeb is a direct challenge to that model. Developed by Bunkerity SAS, a small French security company headquartered in Agen (RCS Agen B 902 545 128), it is an open-source WAF built on NGINX under the AGPL-3.0 licence. The full codebase is on GitHub. The filtering logic is auditable. The deployment runs on your infrastructure. Traffic never crosses a US-operated scrubbing centre. Since its 2021 launch, the project has accumulated 7,000+ GitHub stars and a growing community deploying it across Docker, Kubernetes, and bare-metal Linux environments.
Bunkerity offers three commercial layers on top of the open-source foundation: BunkerWeb PRO (a subscription adding advanced plugin features and a support centre), BunkerWeb Cloud (a fully managed WAF SaaS), and professional services for custom integration work. The French headquarters, AGPL licence, and EU-hosted Cloud tier mean organisations can choose the exact trade-off between self-operated control and managed convenience, all within EU jurisdiction.
BunkerWeb is built directly on NGINX rather than operating as a standalone WAF appliance in front of NGINX. This matters because it means there is no performance penalty from running a separate WAF proxy layer in the traffic path — the WAF and reverse proxy are the same process, with security automation layered into NGINX's request processing pipeline. Organisations already running NGINX-based infrastructure can migrate to BunkerWeb without replacing their reverse proxy architecture.
The NGINX base also means BunkerWeb inherits NGINX's well-proven TLS handling, HTTP/2 and HTTP/3 support, upstream connection pooling, and load balancing. The security features extend NGINX; they do not replace it.
BunkerWeb's DDoS mitigation model operates at the application layer rather than at network infrastructure level. Rate limiting caps requests per IP or per session, throttling volumetric HTTP floods. The anti-bot system uses proof-of-work challenges — a client-side JavaScript computation that is trivial for a legitimate browser but computationally expensive for bots running thousands of concurrent requests. This approach does not require CAPTCHA (which creates user friction) or IP blocklisting (which creates false positives) — it distinguishes bots from humans by making automated request floods economically unviable.
For application-layer DDoS that targets server resource exhaustion rather than bandwidth saturation, this combination is effective. It will not absorb a 100 Gbps volumetric UDP flood — BunkerWeb operates above the network layer. But it will defend a web application against HTTP flood attacks, credential stuffing, scraping, and layer-7 DDoS campaigns that network-level mitigation cannot address.
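The cost asymmetry behind a proof-of-work challenge, as an added example that is not BunkerWeb's own code: it sketches a generic hashcash-style scheme in which the client searches for a counter and the server checks the result with a single hash. The function names, `SERVER_KEY`, the 16-bit difficulty and the 120-second lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # hypothetical per-deployment secret
DIFFICULTY_BITS = 16         # constructed value: about 65,000 hashes on average

def _mac(ts, rnd, client_ip):
    msg = f"{ts}.{rnd}.{client_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(client_ip, now=None):
    """Server: stateless challenge 'timestamp.random.mac' bound to the client IP."""
    ts = int(time.time() if now is None else now)
    rnd = os.urandom(8).hex()
    return f"{ts}.{rnd}.{_mac(ts, rnd, client_ip)}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(challenge, counter):
    return leading_zero_bits(hashlib.sha256(f"{challenge}.{counter}".encode()).digest())

def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: the brute-force search a browser script would run."""
    counter = 0
    while _work(challenge, counter) < bits:
        counter += 1
    return counter

def verify(challenge, counter, client_ip, bits=DIFFICULTY_BITS, max_age=120, now=None):
    """Server: one HMAC and one hash, however long the client searched."""
    try:
        ts, rnd, mac = challenge.split(".")
        age = int(time.time() if now is None else now) - int(ts)
    except ValueError:
        return False  # malformed challenge
    if not hmac.compare_digest(mac.encode(), _mac(ts, rnd, client_ip).encode()):
        return False  # forged, or issued to a different IP
    if not 0 <= age <= max_age:
        return False  # stale: blocks reuse of an old solution
    return _work(challenge, counter) >= bits
```

Each extra difficulty bit doubles the client's expected work while the server's verification cost stays constant, which is what makes sustained request floods expensive for the sender.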
BunkerWeb integrates threat intelligence feeds to block known-malicious IP addresses at ingress. These feeds include sources tracking Tor exit nodes, VPN services commonly used by attackers, known botnet command-and-control ranges, and other categorised threat actor infrastructure. Blocking at ingress based on threat feeds stops a significant proportion of automated attack traffic before it enters the application stack, reducing noise for the application-layer WAF rules downstream.
BunkerWeb integrates Let's Encrypt ACME for automatic TLS certificate provisioning and renewal. Enabling HTTPS for a new service is a configuration option, not an operational task. Alongside TLS automation, BunkerWeb automatically sets HTTP security headers — Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, HSTS — to hardened defaults. For development teams who consistently miss security header configuration in application deployment, BunkerWeb enforces these controls at the infrastructure layer.
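A check for the four headers named above, as an added example that is not part of BunkerWeb: it audits a raw HTTP response head and reports which controls are missing or weak. The sample responses are constructed, and the thresholds (a 180-day HSTS minimum, accepting CSP `frame-ancestors` in place of X-Frame-Options) are assumptions, since the page does not state BunkerWeb's default values.

```python
import re

# Constructed sample response heads, not captured from a real deployment.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: object-src 'none'; frame-ancestors 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n"
)
BARE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOWALL\r\n\r\n"
)

def parse_headers(raw):
    """Parse a raw response head into {lowercased name: value}; last duplicate wins."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw, min_hsts_age=15552000):
    """Return a list of findings; an empty list means all four controls are present."""
    h = parse_headers(raw)
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("HSTS: missing or no max-age")
    elif int(m.group(1)) < min_hsts_age:
        findings.append(f"HSTS: max-age {m.group(1)} below {min_hsts_age}")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP: missing")
    framed_by_csp = "frame-ancestors" in csp.lower()
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and not framed_by_csp:
        findings.append("X-Frame-Options: missing or invalid, and no CSP frame-ancestors")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not 'nosniff'")
    return findings
```

Running `audit` against response heads captured from each published service after deployment confirms that the proxy layer, not the application, is supplying the headers.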
BunkerWeb ships as Docker images with Docker Compose examples, supports Docker Swarm for clustered deployments, and provides a Kubernetes operator with an official Helm chart. For teams running containerised infrastructure, this means BunkerWeb integrates into standard infrastructure-as-code workflows. The Kubernetes deployment mode supports multiple BunkerWeb instances managed as a cluster, with shared configuration and centralised administration — suitable for production-scale deployments across multiple services.
BunkerWeb includes a plugin system allowing custom security modules beyond the built-in feature set. Community plugins and custom organisation-specific plugins can be loaded to extend the WAF's behaviour. BunkerWeb PRO adds a set of official advanced plugins not included in the community edition, including additional detection capabilities and integration features.
BunkerWeb's pricing structure has three tiers. The community edition is free under AGPL-3.0 — download from GitHub, self-host, and run a production-grade WAF with no licence fee. This is not a trial version or a crippled free tier; it is the full WAF.
BunkerWeb PRO is a subscription adding advanced official plugins and access to a dedicated support centre. The licence is per-server with a limit of 100 services (FQDNs) and is available on monthly or annual billing. Exact pricing is not listed on the public pricing page — it requires account creation on the BunkerWeb panel portal. This opacity is a minor friction point for teams doing budget comparison, though it is not unusual for specialist security software.
BunkerWeb Cloud is a fully managed WAF SaaS operated by Bunkerity from EU infrastructure, with Essential and Custom plan tiers. Cloud is designed for organisations that want WAF-as-a-service without managing self-hosted NGINX deployments. Annual billing is available with a two-month discount.
For open-source teams and smaller deployments, the free community edition will cover most requirements. Teams needing vendor support, SLAs, or advanced plugin features will evaluate PRO or Cloud based on whether they prefer self-hosted or managed operation.
BunkerWeb's EU compliance case is straightforward and structural.
Bunkerity SAS is a French company (RCS Agen B 902 545 128) subject to French data protection law and EU GDPR. The company has €75,000 share capital and is headquartered in Agen, Lot-et-Garonne. AGPL-3.0 licensing means the source code is publicly auditable — no black-box components, no undisclosed data collection, no hidden telemetry. The community edition collects no telemetry by design.
For BunkerWeb Cloud customers, Bunkerity operates the managed service from EU-hosted infrastructure, keeping WAF processing within EU jurisdiction. There is no US parent company, no US data centre in the managed service path, and no CLOUD Act exposure.
For self-hosted community or PRO deployments, the organisation controls all WAF infrastructure. Traffic is processed on the deploying organisation's own servers; Bunkerity receives no traffic data, no log data, and no personal data from the WAF operation. This is the strongest possible GDPR data sovereignty position — stricter even than managed EU-hosted services, because there is no data processor relationship at all.
Development and DevOps teams running containerised applications who want a self-hosted WAF integrated into Docker or Kubernetes infrastructure without purchasing a commercial WAF subscription.
Security-conscious organisations requiring full WAF source code auditability — regulated sector, public sector, or enterprise security teams where "we can audit the WAF code" is a compliance requirement.
EU organisations replacing Cloudflare WAF who want to eliminate US-operated traffic intermediaries while maintaining application-layer DDoS protection, bot mitigation, and security header enforcement.
Small-to-medium engineering teams where the economics of a commercial WAF subscription (Cloudflare Pro at $25/month, Cloudflare Business at $200/month) are unfavourable compared to a free self-hosted solution.
If the priority is open-source auditability, self-hosted control, and EU jurisdiction at zero licence cost, choose BunkerWeb. If the priority is zero-operations global CDN + WAF with a 300-city anycast network and zero infrastructure management, choose Cloudflare instead. If the primary threat is network-layer volumetric DDoS (100+ Gbps UDP floods) rather than application-layer attacks, BunkerWeb's network-level coverage is limited compared to purpose-built DDoS mitigation providers.
BunkerWeb makes a credible case as the open-source alternative to commercial WAF platforms for European web infrastructure. The NGINX foundation, AGPL-3.0 licence, Docker/Kubernetes support, and French jurisdiction cover the essentials that other open-source WAF options — ModSecurity, Naxsi — typically require significant configuration work to achieve. The proof-of-work anti-bot system and bad-IP feed integration go beyond a basic WAF ruleset toward practical DDoS mitigation at the application layer. For development teams who prioritise source code transparency, EU data sovereignty, and zero licence-fee operation, BunkerWeb is the strongest European option in its category.
Yes. BunkerWeb is developed by Bunkerity SAS, a French company subject to EU GDPR and French data protection law. The open-source community edition runs entirely on the deploying organisation's own infrastructure — Bunkerity receives no traffic data, no logs, and no personal data from WAF operation. BunkerWeb Cloud is hosted in EU data centres operated by Bunkerity. The AGPL-3.0 licence enables full source code audit to verify the absence of undisclosed data collection. This combination provides GDPR compliance across all three deployment modes: self-hosted community, self-hosted PRO, and managed Cloud.
BunkerWeb is self-hosted software — its infrastructure is wherever you deploy it. The developer organisation, Bunkerity SAS, is headquartered in Agen, France. BunkerWeb Cloud, the managed SaaS service, is operated by Bunkerity from EU-hosted infrastructure, with WAF processing remaining within EU borders. Self-hosted deployments run on the deploying organisation's own servers — on-premise, EU cloud VMs, or any infrastructure of their choosing. There is no required connection to Bunkerity infrastructure for community or PRO self-hosted deployments.
Cloudflare WAF is a managed cloud service with a global anycast network, self-service onboarding, transparent pricing starting from free, and near-zero operational overhead. BunkerWeb requires self-hosted deployment and NGINX configuration expertise, but provides open-source auditability, complete data sovereignty (no traffic routed through a US-operated intermediary), and zero licence cost for the community edition. BunkerWeb Cloud offers a managed alternative under French jurisdiction. Choose Cloudflare for a zero-ops global WAF with CDN acceleration. Choose BunkerWeb if source code auditability, EU jurisdiction, or eliminating US-operated traffic intermediaries is a requirement.
Yes. The community edition under AGPL-3.0 is the same codebase used in the commercial tiers — not a limited preview. It includes the full reverse proxy and WAF feature set: DDoS rate limiting, anti-bot proof-of-work challenges, bad-IP feed blocking, automatic Let's Encrypt TLS, HTTP security header enforcement, and the plugin system. BunkerWeb PRO adds advanced official plugins and a support centre. The free edition does not artificially restrict features to drive paid conversions — organisations running high-traffic production deployments do so on the community edition without a PRO licence.
Yes. BunkerWeb provides a Kubernetes operator with an official Helm chart for production cluster deployments. It also supports Docker Compose for single-host deployments, Docker Swarm for clustered Docker environments, and direct Linux installation for bare-metal or VM deployments. Kubernetes mode supports managing multiple BunkerWeb instances across a cluster with shared configuration and centralised administration. The official BunkerWeb documentation covers Kubernetes deployment in detail with examples for common configurations.