This is a cross-platform, all-in-one web defense solution written in Rust. It aims to be extremely fast and rock-solid.
The following are local static-resource access tests. The defense architecture used for testing:

```
vigie-waf ===> nginx ===> index.html
```

| Max concurrency | Total requests | Failure rate | p(95) latency |
|---|---|---|---|
| 200 | 88,765 | 0% | 6.92ms |
| 500 | 176,176 | 0% | 125.18ms |
| 1000 | 481,326 | 0% | 410.16ms |
Most of the core defense logic is expressed as Lua scripts. Users can add custom scripts for additional defenses and control the execution order of these scripts. Current built-in modules include:

1. Static bypass: configure static resource paths that are ignored by the defense scripts.
2. IP blacklist: configure blacklists that apply permanently or on a schedule.
3. IP whitelist: configure whitelists that apply permanently or on a schedule.
4. CC rate limit: configure rate limits for site access.
5. Search engine detection: identify mainstream search engines and verify their authenticity, so that genuine crawlers can access the site while forged crawlers are added to the blacklist for 30 minutes.
6. PoW (Proof-of-Work) defense: on first access, visitors are redirected to a lightweight loading page where the browser runs a small JS-based PoW calculation. Only clients that solve the challenge are allowed to reach the upstream server. This is an effective mitigation against many bots and can help against certain types of DDoS attacks.
- Core functionality implemented
- Multi-process architecture
- Improve documentation
- Migrate to full in-memory shared architecture
- Other feature iterations — planned: automated certificate renewal, admin panel improvements
- Open-source the code
Download the latest release from the releases page: https://github.com/pcloth/vigie-waf/releases

Then run the executable for your platform from the project root. Windows build:

```shell
./bin/vigie-waf-rust.exe
```

Linux build:

```shell
./bin/vigie-waf-rust
```
Because vigie-waf supports OTA upgrades, do not run the project directly from inside the container if you want to use OTA updates. Mount the host code directory into the container instead:

```shell
docker run -it -p 80:80 -p 443:443 \
  -v your_path:/app \
  -e ADMIN_USERNAME=admin \
  -e ADMIN_PASSWORD=admin123 \
  -e JWT_SECRET=298347sjfi#2212 \
  pcloth/vigie-waf-rust:latest \
  bash -c "export RUST_LOG=debug && /app/bin/vigie-waf-rust & while true; do echo hello world; sleep 60; done"
```

Note: the `-e` environment variables are Docker options and must come before the image name; anything after the image name is passed to the container as its command. The `& while true; do echo hello world; sleep 60; done` part keeps the container running while an OTA upgrade restarts the binary. If you plan to perform manual upgrades, you can omit it.
Be sure to change the ADMIN_USERNAME, ADMIN_PASSWORD, and JWT_SECRET environment variables from their defaults.
After the application is running, open your browser and visit http://localhost to see the welcome page:
Click through to the admin login page:

Log in using the credentials you configured via the environment variables (default username: admin, default password: admin123).
Switch the interface language if needed. Currently Chinese and English are supported.

Thank you for trying vigie-waf.
The screenshot shows that shortly after going online, attack traffic dropped sharply thanks to the applied defenses.
You can add more custom defense scripts or fine-tune the default system scripts.
Whitelist entries can be set with expiration times.
Blacklist entries can be set with expiration times. Fake crawlers detected by the firewall are automatically added to the blacklist and blocked for 30 minutes.
Requests that declare themselves as crawlers via the User-Agent are subject to reverse DNS verification. Forged crawlers are rejected and their IP addresses are blocked for 30 minutes. The screenshot shows the UI for editing/adding/managing which crawlers are allowed.
This feature balances SEO and defense: choose which crawlers may access your site and optionally limit their crawl rate.
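An added illustration (not vigie-waf's own code, whose defense scripts are Lua) of the crawler verification described in built-in module 5 and in the crawler section above: a User-Agent that claims to be a search engine is checked by forward-confirmed reverse DNS, and a forged claim puts the source IP on a blacklist that expires after 30 minutes. The crawler table, resolver functions and DNS records are constructed stand-ins so it runs offline.

```python
import time

# Claimed crawler (substring of User-Agent) -> domains a genuine host must be in.
# Illustrative table: vigie-waf's own list is not shown on the page.
KNOWN_CRAWLERS = {"Googlebot": ("googlebot.com", "google.com")}
BLOCK_SECONDS = 30 * 60  # forged crawlers are blacklisted for 30 minutes

def in_domain(host: str, domains) -> bool:
    host = host.rstrip(".").lower()  # match on a label boundary, not as a substring
    return any(host == d or host.endswith("." + d) for d in domains)

class CrawlerVerifier:
    # reverse: ip -> PTR hostname or None; forward: hostname -> list of IPs;
    # now: clock function, injectable so the expiry logic can be tested
    def __init__(self, reverse, forward, now=time.time):
        self.reverse, self.forward, self.now = reverse, forward, now
        self.blacklist = {}  # ip -> blacklist expiry timestamp
    def claimed(self, user_agent: str):
        return next((n for n in KNOWN_CRAWLERS if n.lower() in user_agent.lower()), None)
    def is_genuine(self, name: str, ip: str) -> bool:
        host = self.reverse(ip)  # step 1: PTR record of the source IP
        if not host or not in_domain(host, KNOWN_CRAWLERS[name]):
            return False
        return ip in self.forward(host.rstrip("."))  # step 2: forward-confirm it
    def is_blocked(self, ip: str) -> bool:
        expiry = self.blacklist.get(ip)
        if expiry is not None and expiry > self.now():
            return True
        self.blacklist.pop(ip, None)  # absent or expired entry
        return False
    def check(self, ip: str, user_agent: str) -> str:
        if self.is_blocked(ip):
            return "blocked"
        name = self.claimed(user_agent)
        if name is None:
            return "pass"  # no crawler claim: leave it to the other rules
        if self.is_genuine(name, ip):
            return "allow-crawler"
        self.blacklist[ip] = self.now() + BLOCK_SECONDS
        return "blocked"

# Constructed DNS data (documentation-range IPs) so the example runs offline.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
       "198.51.100.5": "crawl.googlebot.com.",  # PTR looks right, forward disagrees
       "203.0.113.7": "googlebot.com.attacker.example."}
FWD = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"], "crawl.googlebot.com": ["192.0.2.99"]}

def demo_verifier(now=time.time) -> CrawlerVerifier:
    return CrawlerVerifier(lambda ip: PTR.get(ip), lambda h: FWD.get(h, []), now)
```

In a real deployment the two lambdas would wrap actual PTR and A/AAAA lookups, and results should be cached so the check does not add a DNS round trip to every request.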
Easily toggle PoW proof-of-work, enable/disable CC rate limiting and set static resource bypass rules.
You can perform online OTA upgrades to update to the latest version seamlessly and for free.