# Overview

Handy, High performance Nginx firewall module.

# Why ngx_waf

Basic protection: such as black and white list of IPs or IP range, uri black and white list, and request body black list, etc.
Easy to use: configuration files and rule files are easy to write and readable.
High performance: Efficient algorithms and caching.
Advanced protection: ModSecurity (opens new window) compatible, you can use OWASP(Open Web Application Security Project®) ModSecurity Core Rule Set (opens new window).
Friendly crawler verification: Supports verifying Google, Bing, Baidu and Yandex crawlers and allowing them automatically to avoid false positives.
Captcha: Supports three kinds of captchas: hCaptcha, reCAPTCHAv2 and reCAPTCHAv3.

# Features

ModSecurity (opens new window) compatible. This feature is only available in the latest Current version.
Anti SQL injection (powered by libinjection (opens new window)).
Anti XSS (powered by libinjection (opens new window)).
IPV4 and IPV6 support.
Support for enabling CAPTCHAs, including hCaptcha (opens new window), reCAPTCHAv2 (opens new window) and reCAPTCHAv3 (opens new window). This feature is only available in the latest Current version.
Support authentication-friendly crawlers (based on user agent and IP identification) to avoid blocking of these crawlers (e.g. GoogleBot). This feature is only available in the latest Current version.
CC protection, if the request rate exceeds the limit, the IP will be automatically banned for a period of time, or use CAPTCHA to do human identification and allow it if successful..
Exceptional allow on specific IP address.
Block the specified IP or IP range.
Block the specified request body.
Exceptional allow on specific URL.
Block the specified URL.
Block the specified query string.
Block the specified UserAgent.
Block the specified Cookie.
Exceptional allow on specific Referer.
Block the specified Referer.

# Contact

Telegram Channel: https://t.me/ngx_waf (opens new window)
Telegram Group (English): https://t.me/group_ngx_waf (opens new window)
Telegram Group (Chinese): https://t.me/group_ngx_waf_cn (opens new window)

Hope you can help promote this project. The more stars got, the better this project is. 😃

# Test Suite

This module comes with a Perl-driven test suite. The test cases are declarative too. Thanks to the Test::Nginx (opens new window) module in the Perl world.

To run it on your side:

## It will take a lot of time, but it only needs to be run once.
cpan Test::Nginx

# You need to specify a temporary directory.
# If the directory does not exist it will be created automatically.
# If the directory already exists it will be **removed** first and then created.
export MODULE_TEST_PATH=/path/to/temp/dir

# You need to specify the absolute path to the dynamic module if you have it installed, 
# otherwise you do not need to run this line.
export MODULE_PATH=/path/to/ngx_http_waf_module.so

cd ./test/test-nginx
sh ./init.sh
sh ./start.sh ./t/*.t

Some parts of the test suite requires standard modules proxy, rewrite and SSI to be enabled as well when building Nginx.

# Performance Test

Performance Test

# Thanks

ModSecurity (opens new window): An open source, cross platform web application firewall (WAF) engine.
uthash (opens new window): C macros for hash tables and more.
libcurl (opens new window): The multiprotocol file transfer library .
cJSON (opens new window): Ultralightweight JSON parser in ANSI C.
libinjection (opens new window): SQL / SQLI tokenizer parser analyzer.
libsodium (opens new window): A modern, portable, easy to use crypto library.
test-nginx (opens new window): Data-driven test scaffold for Nginx C module and OpenResty Lua library development.
lastversion (opens new window): A command line tool that helps you download or install a specific version of a project.
ngx_lua_waf (opens new window): A web application firewall based on the lua-nginx-module (openresty).
nginx-book (opens new window): The Chinese language development guide for nginx.
nginx-development-guide (opens new window): The Chinese language development guide for nginx.

Version Description →