A lightweight, real time log monitoring tool designed to detect and block IP addresses exhibiting abusive behavior such as brute force attacks, excessive requests, or suspicious patterns. Automatically integrates with your serverβs firewall (iptables or ufw) to block offenders and protect web services without relying on external services.
With Support and Validation From:
Web Application Firewall with Threat Intelligence β’ Documentation
Table of Contents
Click to expand
Overview
nginx-defender is a high-performance, Web Application Firewall (WAF) and threat detection system engineered for modern web infrastructure. Built with Go and designed for scalability, it provides real time threat mitigation, machine learning-based anomaly detection, and comprehensive security analytics.
Detection Pipeline
- Streaming anomaly detection with incremental model persistence
- Behavioral profiling with burst, scraping, probing, and credential-stuffing signals
- Confidence-driven adaptive mitigation (monitor, rate-limit, tarpit, block)
- Deception endpoint detection fed back into the ML signal stream
- Extensible detection plugins through dynamic module loading
ML and Adaptive Security Deep Dive
The detection path now combines:
- Signature and threat intelligence signals
- Per-IP behavioral profile scoring
- Streaming online anomaly model output
- Adaptive response planning based on confidence
Reproducible Benchmarking
Use the benchmark harness to compare runtime and deployment readiness against Fail2Ban:
- script:
scripts/benchmark-compare.sh - output:
docs/benchmark-results.md
Key Differentiators
graph TD
A[Incoming Traffic] --> B[Log Parser]
B --> C[Threat Detection Engine]
C --> D[ML Anomaly Detection]
C --> E[Pattern Matching]
C --> F[Rate Limiting]
D --> G[Firewall Manager]
E --> G
F --> G
G --> H[iptables/nftables/pf]
G --> I[Notification System]
I --> J[Dashboard/API]
| Feature | nginx-defender | Commercial WAFs | Open Source WAFs | |---------|----------------|-----------------|------------------| | Real-time ML Detection | Native | Limited | None | | Multi-backend Firewall | 5+ backends | Proprietary | Limited | | Advanced Analytics | Built-in | Expensive addon | Basic | | Geographic Intelligence | Integrated | Licensed | Manual | | Clustering Support | Native | Enterprise only | None | | Container Ready | OCI compliant | Legacy | Configuration heavy |
Architecture
System Architecture
High-Level Architecture Diagram
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β nginx-defender β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β βββββββββββββββββ ββββββββββββββββ βββββββββββββββββββββββ β
β β Log Monitor β β Threat Intel β β Web Dashboard β β
β β (Async) β β (Real-time) β β (WebSocket) β β
β βββββββββ¬ββββββββ ββββββββ¬ββββββββ βββββββββββ¬ββββββββββββ β
β β β β β
β βββββββββΌββββββββββββββββββΌβββββββββββββββββββββΌββββββββββββ β
β β Threat Detection Engine β β
β β βββββββββββββββ ββββββββββββββββ βββββββββββββββββββ β β
β β β Pattern β β ML Anomaly β β Rate Limiting β β β
β β β Matcher β β Detection β β Engine β β β
β β βββββββββββββββ ββββββββββββββββ βββββββββββββββββββ β β
β βββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββ β
β β β
β βββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββββ β
β β Firewall Manager β β
β β βββββββββββββββ ββββββββββββββββ βββββββββββββββββββ β β
β β β iptables β β nftables β β pf β β β
β β β Backend β β Backend β β Backend β β β
β β βββββββββββββββ ββββββββββββββββ βββββββββββββββββββ β β
β βββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββ β
β β β
β βββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββββ β
β β Multi-Channel Notification System β β
β β Telegram β Slack β Email β Webhook β Discord β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Component Overview
| Component | Responsibility | Technology | Scalability | |-----------|---------------|------------|-------------| | Log Monitor | Real-time log parsing and streaming | Go channels, fsnotify | Horizontal | | Detection Engine | Threat analysis and classification | Regex, ML algorithms | Vertical | | Firewall Manager | Rule application and management | System calls, netlink | Horizontal | | Notification System | Alert distribution and escalation | HTTP clients, WebSockets | Horizontal | | Web Dashboard | Management interface and analytics | HTTP server, static assets | Horizontal | | Metrics Collector | Performance and security metrics | Prometheus client | Horizontal |
Core Features
Threat Detection Engine
Advanced Pattern Recognition System
Machine Learning Integration
- Behavioral Analysis: Statistical anomaly detection using sliding windows
- Attack Vectorization: Feature extraction from HTTP requests
- Model Training: Continuous learning from threat patterns
- False Positive Reduction: Adaptive threshold adjustment
Pattern Matching Engine
# Example threat patterns
patterns:
sql_injection:
regex: "(?i)(union|select|insert|update|delete|drop|exec|script)"
severity: 9
categories: ["injection", "database"]
xss_detection:
regex: "(?i)(<script||vbscript:|onload=|onerror=)"
severity: 8
categories: ["xss", "injection"]
directory_traversal:
regex: "(?i)(\\.\\.[\\/\\\\]|%2e%2e%2f|%252e%252e%252f)"
severity: 7
categories: ["pathtraversal", "fileaccess"]
Rate Limiting Algorithm
type RateLimiter struct {
Window time.Duration
Threshold int
Algorithm string // "slidingwindow", "tokenbucket", "leaky_bucket"
}
Firewall Management
Multi-Backend Firewall System
Supported Backends
| Backend | Platform | Features | Performance | |---------|----------|----------|-------------| | iptables | Linux | Legacy compatibility, wide support | ~10k rules/sec | | nftables | Linux | Modern netfilter, better performance | ~50k rules/sec | | pf | FreeBSD/macOS | Advanced filtering, built-in NAT | ~30k rules/sec | | Windows Firewall | Windows | Native Windows integration | ~5k rules/sec | | Mock | All | Testing and development | Unlimited |
Rule Management
type Rule struct {
ID string json:"id"
IP string json:"ip"
Action Action json:"action"
Duration time.Duration json:"duration"
CreatedAt time.Time json:"created_at"
ExpiresAt time.Time json:"expires_at"
Reason string json:"reason"
ThreatLevel string json:"threat_level"
Metadata map[string]string json:"metadata"
}
Action Types
BLOCK: Complete traffic blockingDROP: Silent packet droppingREJECT: Explicit connection rejectionRATE_LIMIT: Bandwidth throttlingTARPIT: Connection delay injectionALLOW: Whitelist override
Monitoring & Analytics
Real-time Dashboard and Metrics
Web Dashboard Features
- Real-time Threat Map: Geographic visualization of attacks
- Performance Metrics: Request processing and response times
- Rule Management: Interactive firewall rule configuration
- Log Analysis: Filtering and search capabilities
- Alert Management: Notification configuration and history
Prometheus Metrics
# HELP nginxdefenderrequests_total Total number of requests processed
TYPE nginxdefenderrequests_total counter
nginxdefenderrequeststotal{status="blocked",reason="sqlinjection"} 1234
HELP nginxdefenderresponsedurationseconds Request processing duration
TYPE nginxdefenderresponsedurationseconds histogram
nginxdefenderresponsedurationseconds_bucket{le="0.1"} 8932
WebSocket API
const ws = new WebSocket('ws://localhost:8080/ws');
ws.onmessage = function(event) {
const data = JSON.parse(event.data);
console.log('New threat detected:', data);
};
Notification System
Multi-Channel Alert Distribution
Supported Channels
| Channel | Features | Configuration | |---------|----------|---------------| | Telegram | Rich formatting, bot integration | Bot token, chat ID | | Slack | Channel posting, thread replies | Webhook URL, channel | | Email | HTML templates, attachments | SMTP configuration | | Webhook | Custom integrations, JSON payload | Endpoint URL, headers | | Discord | Server notifications, embeds | Webhook URL | | PagerDuty | Incident management, escalation | Integration key |
Alert Severity Levels
severity_mapping:
critical: 9-10 # Immediate response required
high: 7-8 # Urgent attention needed
medium: 4-6 # Standard monitoring
low: 1-3 # Informational only
Technical Specifications
System Requirements
Minimum Requirements
hardware:
cpu: "1 core (x86_64/ARM64)"
memory: "256 MB RAM"
storage: "100 MB disk space"
network: "1 Mbps bandwidth"
software: os: "Linux 4.0+, macOS 10.15+, FreeBSD 12+" privileges: "root/administrator (for firewall management)" dependencies: "None (statically linked binary)"
Recommended Production Setup
hardware:
cpu: "4+ cores (x86_64)"
memory: "2+ GB RAM"
storage: "10+ GB SSD"
network: "100+ Mbps bandwidth"
software: os: "Linux 5.4+ (Ubuntu 20.04+, CentOS 8+)" kernel: "nftables support enabled" monitoring: "Prometheus + Grafana"
Performance Characteristics
| Metric | Value | Notes | |--------|-------|-------| | Log Processing | 100k+ entries/sec | Single instance | | Rule Application | 50k+ rules/sec | nftables backend | | Memory Usage | <100 MB | Base configuration | | CPU Usage | <5% | Idle state | | Response Time | <1ms | Rule matching | | Concurrent Connections | 10k+ | Web dashboard |
Network Architecture
βββββββββββββββ βββββββββββββββ βββββββββββββββ
β Client ββββββ nginx- ββββββ Backend β
β Traffic β β defender β β Services β
βββββββββββββββ βββββββββββββββ βββββββββββββββ
β
βββββββββββββββ
β Firewall β
β Rules β
βββββββββββββββ
Quick Start
Use this for a fast, predictable setup. It assumes Nginx is already running and writing access logs.
- One-line install + guided setup
curl -fsSL https://raw.githubusercontent.com/Anipaleja/nginx-defender/main/scripts/install.sh | sh
nginx-defender setup
Use -config to write the config elsewhere, and -force to overwrite an existing file.
- Pick a config baseline
cp config.yaml ./config.local.yaml
# or: config-demo.yaml (safe defaults) / config-advanced.yaml (full features)
- Point log sources to your Nginx logs (platform defaults)
/var/log/nginx/access.log, /var/log/nginx/error.log
- macOS (Homebrew): /opt/homebrew/var/log/nginx/access.log (Apple Silicon) or /usr/local/var/log/nginx/access.log (Intel)
- FreeBSD: /var/log/nginx/access.log, /var/log/nginx/error.log
macOS Homebrew services note: if Nginx is started via brew services, the logs live under $(brew --prefix)/var/log/nginx/.
Minimal known-good snippet for common Nginx log paths (Linux/FreeBSD):
logs: sources: - path: "/var/log/nginx/access.log" format: "combined" follow: true - path: "/var/log/nginx/error.log" format: "error" follow: true On macOS, replace the paths with your Homebrew prefix.
- Choose firewall mode
iptables or nftables
- macOS/FreeBSD: pf
- For safe evaluation: set firewall.backend: "mock" or export NGINXDEFENDERDRY_RUN=true.
- Run it (pick one)
sudo ./nginx-defender -config ./config.local.yaml
Docker Compose (uses docker-compose.yml)
cp config.yaml ./config.yaml docker compose up -d If you changed log paths, also update the volumes mount paths in docker-compose.yml.
- Verify
curl http://localhost:8080/health
curl http://localhost:9090/metrics
- See activity
tail -f /var/log/nginx/access.log
You should see detections in the nginx-defender logs as traffic hits your Nginx instance.
Installation
Binary Installation
One-line installer (Linux/macOS/FreeBSD)
curl -fsSL https://raw.githubusercontent.com/Anipaleja/nginx-defender/main/scripts/install.sh | sh
Then generate a config:
nginx-defender setup
Linux (x86_64)
# Download latest release
curl -L https://github.com/anipaleja/nginx-defender/releases/latest/download/nginx-defender-linux-amd64.tar.gz | tar -xz
Install system-wide
sudo mv nginx-defender /usr/local/bin/
sudo chmod +x /usr/local/bin/nginx-defender
Create configuration directory
sudo mkdir -p /etc/nginx-defender
sudo wget -O /etc/nginx-defender/config.yaml https://raw.githubusercontent.com/anipaleja/nginx-defender/main/config.yaml
Create systemd service
sudo tee /etc/systemd/system/nginx-defender.service > /dev/null <<EOF
[Unit]
Description=nginx-defender WAF
After=network.target
[Service] Type=simple User=root ExecStart=/usr/local/bin/nginx-defender -config /etc/nginx-defender/config.yaml Restart=always RestartSec=5
[Install] WantedBy=multi-user.target EOF
Enable and start service
sudo systemctl enable nginx-defender
sudo systemctl start nginx-defender
macOS (Homebrew)
# Add tap (if available)
brew tap anipaleja/nginx-defender
Install via Homebrew
brew install nginx-defender
Start service
brew services start nginx-defender
Docker Deployment
Basic Docker Run
# Pull latest image
docker pull ghcr.io/anipaleja/nginx-defender:latest
Run with host networking (recommended for firewall functionality)
docker run -d \
--name nginx-defender \
--network host \
--cap-add NET_ADMIN \
--cap-add NET_RAW \
-v /var/log/nginx:/var/log/nginx:ro \
-v ./config.yaml:/app/config.yaml:ro \
ghcr.io/anipaleja/nginx-defender:latest
Docker Compose
version: '3.8'
services: nginx-defender: image: ghcr.io/anipaleja/nginx-defender:latest container_name: nginx-defender restart: unless-stopped network_mode: host cap_add: - NET_ADMIN - NET_RAW volumes: - /var/log/nginx:/var/log/nginx:ro - ./config.yaml:/app/config.yaml:ro - ./data:/app/data environment: - LOG_LEVEL=info - DRY_RUN=false healthcheck: test: ["CMD", "curl", "-f", "http://localhost:8080/health"] interval: 30s timeout: 10s retries: 3
prometheus: image: prom/prometheus:latest container_name: prometheus ports: - "9090:9090" volumes: - ./prometheus.yml:/etc/prometheus/prometheus.yml command: - '--config.file=/etc/prometheus/prometheus.yml' - '--storage.tsdb.path=/prometheus' - '--web.console.libraries=/etc/prometheus/console_libraries' - '--web.console.templates=/etc/prometheus/consoles'
grafana: image: grafana/grafana:latest container_name: grafana ports: - "3000:3000" environment: - GFSECURITYADMIN_PASSWORD=admin volumes: - grafana-storage:/var/lib/grafana
volumes: grafana-storage:
Kubernetes Deployment
Complete Kubernetes Manifests
Namespace and ConfigMap
apiVersion: v1
kind: Namespace
metadata:
name: nginx-defender
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-defender-config
namespace: nginx-defender
data:
config.yaml: |
firewall:
backend: "iptables"
whitelist:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
detection:
enabled: true
patterns_file: "pkg/patterns/common.yaml"
rate_limiting:
enabled: true
window: "1m"
max_requests: 100
server:
host: "0.0.0.0"
port: 8080
metrics:
enabled: true
prometheus:
enabled: true
host: "0.0.0.0"
port: 9090
DaemonSet Deployment
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: nginx-defender
namespace: nginx-defender
spec:
selector:
matchLabels:
app: nginx-defender
template:
metadata:
labels:
app: nginx-defender
spec:
hostNetwork: true
hostPID: true
containers:
- name: nginx-defender
image: ghcr.io/anipaleja/nginx-defender:latest
imagePullPolicy: Always
securityContext:
privileged: true
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
ports:
- containerPort: 8080
name: web
- containerPort: 9090
name: metrics
volumeMounts:
- name: config
mountPath: /app/config.yaml
subPath: config.yaml
- name: log-files
mountPath: /var/log/nginx
readOnly: true
- name: proc
mountPath: /host/proc
readOnly: true
- name: sys
mountPath: /host/sys
readOnly: true
volumes:
- name: config
configMap:
name: nginx-defender-config
- name: log-files
hostPath:
path: /var/log/nginx
- name: proc
hostPath:
path: /proc
- name: sys
hostPath:
path: /sys
tolerations:
- operator: Exists
effect: NoSchedule
Service and Ingress
apiVersion: v1
kind: Service
metadata:
name: nginx-defender-service
namespace: nginx-defender
spec:
selector:
app: nginx-defender
ports:
- name: web
port: 8080
targetPort: 8080
- name: metrics
port: 9090
targetPort: 9090
type: ClusterIP
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-defender-ingress
namespace: nginx-defender
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: nginx-defender.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-defender-service
port:
number: 8080
Configuration
Configuration File Structure
Complete Configuration Reference
# nginx-defender configuration file
Version: 2.0
Firewall configuration
firewall:
# Backend type: iptables, nftables, pf, mock
backend: "iptables"
# Whitelisted IP addresses and ranges
whitelist:
- "127.0.0.1"
- "::1"
- "192.168.0.0/16"
- "10.0.0.0/8"
- "172.16.0.0/12"
# Default action for threats
default_action: "BLOCK"
# Rule cleanup interval
cleanup_interval: "5m"
# Maximum number of rules
max_rules: 10000
Threat detection configuration
detection:
enabled: true
# Machine learning model file (optional)
mlmodel: "/app/models/threatdetection.model"
# Threat patterns file
patterns_file: "pkg/patterns/common.yaml"
# Rate limiting configuration
rate_limiting:
enabled: true
window: "1m"
max_requests: 100
algorithm: "sliding_window"
# Geographic blocking
geo_blocking:
enabled: true
blocked_countries: ["CN", "RU", "KP"]
allowed_countries: []
geoip_database: "/app/data/GeoLite2-City.mmdb"
# Honeypot integration
honeypot:
enabled: false
boost_factor: 2.0
services: ["ssh", "http", "ftp"]
Log monitoring configuration
logs:
level: "info"
format: "json"
output: "stdout"
# Log sources to monitor
sources:
- path: "/var/log/nginx/access.log"
format: "combined"
follow: true
- path: "/var/log/nginx/error.log"
format: "error"
follow: true
- path: "/var/log/apache2/access.log"
format: "combined"
follow: false
Web server configuration
server:
host: "0.0.0.0"
port: 8080
# TLS configuration
tls:
enabled: false
cert_file: "/app/certs/server.crt"
key_file: "/app/certs/server.key"
# CORS configuration
cors:
enabled: true
allowed_origins: ["*"]
allowed_methods: ["GET", "POST", "PUT", "DELETE"]
Metrics and monitoring
metrics:
enabled: true
# Prometheus configuration
prometheus:
enabled: true
host: "0.0.0.0"
port: 9090
path: "/metrics"
# Performance monitoring
performance:
enabled: true
interval: "30s"
Notification configuration
notifications:
enabled: true
# Notification channels
channels:
console:
enabled: true
level: "info"
email:
enabled: false
smtp_host: "smtp.example.com"
smtp_port: 587
username: "alerts@example.com"
password: "password"
to: ["admin@example.com"]
subject_prefix: "[nginx-defender]"
telegram:
enabled: false
bottoken: "BOTTOKEN"
chatid: "CHATID"
slack:
enabled: false
webhookurl: "WEBHOOKURL"
channel: "#security"
username: "nginx-defender"
webhook:
enabled: false
url: "https://api.example.com/webhooks/security"
headers:
Authorization: "Bearer TOKEN"
Content-Type: "application/json"
Clustering configuration (Enterprise)
clustering:
enabled: false
node_id: "node-1"
discovery:
method: "static"
endpoints: ["node-2:8081", "node-3:8081"]
# Distributed rule synchronization
sync:
enabled: true
interval: "10s"
Environment Variables
| Variable | Description | Default | |----------|-------------|---------| | NGINXDEFENDERCONFIG | Configuration file path | config.yaml | | NGINXDEFENDERLOG_LEVEL | Log level (debug, info, warn, error) | info | | NGINXDEFENDERDRY_RUN | Enable dry-run mode | false | | NGINXDEFENDERBACKEND | Firewall backend override | - | | NGINXDEFENDERWEB_PORT | Web server port | 8080 | | NGINXDEFENDERMETRICS_PORT | Metrics server port | 9090 |
API Reference
REST API Endpoints
Complete API Documentation
System Information
GET /api/v1/status
Response:
{
"status": "healthy",
"version": "2.0.0",
"uptime": "2h30m15s",
"build_info": {
"version": "v2.0.0",
"commit": "abc123",
"build_time": "2025-07-27T10:00:00Z"
}
}
Firewall Rules Management
GET /api/v1/rules
POST /api/v1/rules
DELETE /api/v1/rules/{id}
Create Rule:
{ "ip": "192.168.1.100", "action": "BLOCK", "duration": "1h", "reason": "SQL injection attempt", "metadata": { "threat_level": "high", "pattern": "sql_injection" } }
Statistics and Metrics
GET /api/v1/stats
GET /api/v1/metrics
Statistics Response:
{ "firewall": { "backend": "iptables", "total_rules": 1234, "active_rules": 987, "expired_rules": 247 }, "detection": { "total_requests": 50000, "blocked_requests": 1234, "threat_detections": { "sql_injection": 456, "xss": 234, "brute_force": 344 } }, "performance": { "avgresponsetime": "0.5ms", "memory_usage": "89MB", "cpu_usage": "3.2%" } }
Configuration Management
GET /api/v1/config
PUT /api/v1/config
POST /api/v1/config/reload
Log Analysis
GET /api/v1/logs?limit=100&level=error
GET /api/v1/threats?since=1h&severity=high
WebSocket API
Real-time Event Streaming
Connection
const ws = new WebSocket('ws://localhost:8080/ws');
Event Types
// Threat detection event
{
"type": "threat_detected",
"timestamp": "2025-07-27T12:00:00Z",
"data": {
"ip": "192.168.1.100",
"threattype": "sqlinjection",
"severity": 9,
"blocked": true
}
}
// Rule creation event { "type": "rule_created", "timestamp": "2025-07-27T12:00:01Z", "data": { "rule_id": "rule-123", "ip": "192.168.1.100", "action": "BLOCK", "expires_at": "2025-07-27T13:00:01Z" } }
// System metrics update { "type": "metrics_update", "timestamp": "2025-07-27T12:00:00Z", "data": { "cpu_usage": 3.2, "memory_usage": 89, "active_connections": 1234 } }
Performance Benchmarks
Throughput Testing
Performance Test Results
Test Environment
- Hardware: Intel Xeon E5-2686v4 (4 cores), 16GB RAM
- OS: Ubuntu 22.04 LTS
- Network: 10Gbps Ethernet
- Backend: nftables
Results
| Test Scenario | Throughput | Latency (p95) | CPU Usage | Memory Usage | |---------------|------------|---------------|-----------|--------------| | Log Processing | 150k entries/sec | 2ms | 15% | 120MB | | Pattern Matching | 100k requests/sec | 1ms | 25% | 95MB | | Rule Application | 75k rules/sec | 0.5ms | 10% | 85MB | | API Requests | 50k requests/sec | 5ms | 20% | 100MB | | WebSocket Events | 25k events/sec | 3ms | 12% | 90MB |
Scaling Characteristics
Log Processing Rate vs CPU Cores:
1 core: 50k entries/sec
2 cores: 95k entries/sec
4 cores: 150k entries/sec
8 cores: 180k entries/sec (diminishing returns)
Memory Optimization
Memory Usage Analysis
| Component | Base Memory | Per Rule | Per Connection | |-----------|-------------|----------|----------------| | Core Engine | 45MB | 64 bytes | 2KB | | Pattern Matcher | 25MB | - | 512 bytes | | Web Server | 15MB | - | 4KB | | Metrics Collector | 10MB | 128 bytes | 1KB | | Total Baseline | 95MB | 192 bytes | 7.5KB |
Memory Growth Projections
- 10k rules: ~97MB
- 100k rules: ~114MB
- 1M rules: ~287MB
- 10k concurrent connections: ~170MB
Security Considerations
Security Architecture
Security Design Principles
Defense in Depth
- Input Validation: All user inputs are validated and sanitized
- Principle of Least Privilege: Minimal required permissions
- Fail-Safe Defaults: Secure defaults for all configurations
- Complete Mediation: All access attempts are checked
- Open Design: Security through design, not obscurity
Threat Model
graph LR
A[External Attacker] -->|HTTP Requests| B[nginx-defender]
C[Malicious Insider] -->|Config Changes| B
D[Compromised System] -->|Local Access| B
B -->|Validated Traffic| E[Protected Services]
B -->|Blocked Traffic| F[Firewall Drop]
B -->|Alerts| G[Security Team]
Security Controls
| Layer | Control | Implementation | |-------|---------|----------------| | Network | Traffic filtering | iptables/nftables rules | | Application | Input validation | Regex patterns, ML detection | | Authentication | API access control | JWT tokens, API keys | | Authorization | Role-based access | RBAC system | | Audit | Activity logging | Structured logging, SIEM integration | | Encryption | Data protection | TLS 1.3, AES-256 |
Vulnerability Management
Security Practices
Regular Security Assessments
- Static Analysis: Weekly automated scans
- Dynamic Testing: Monthly penetration testing
- Dependency Scanning: Daily vulnerability checks
- Configuration Audits: Quarterly security reviews
Incident Response
- Detection: Automated threat detection and alerting
- Analysis: Log correlation and forensic analysis
- Containment: Automatic rule application and isolation
- Recovery: System restoration and patch application
- Lessons Learned: Post-incident review and improvements
Compliance Standards
- OWASP Top 10: Protection against common web vulnerabilities
- NIST Cybersecurity Framework: Risk management alignment
- ISO 27001: Information security management
- PCI DSS: Payment card industry compliance (where applicable)
Development
Building from Source
Development Setup
Prerequisites
# Install Go 1.21+
curl -L https://go.dev/dl/go1.21.linux-amd64.tar.gz | sudo tar -C /usr/local -xz
export PATH=$PATH:/usr/local/go/bin
Install development tools
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
go install github.com/securecodewarrior/sast-scan@latest
Build Process
# Clone repository
git clone https://github.com/anipaleja/nginx-defender.git
cd nginx-defender
Install dependencies
go mod download
Run tests
go test -v ./...
Build binary
go build -o nginx-defender ./cmd/nginx-defender
Build for multiple platforms
make build-all
Development Workflow
# Run with hot reload
air -c .air.toml
Run tests with coverage
go test -coverprofile=coverage.out ./...
go tool cover -html=coverage.out
Lint code
golangci-lint run
Security scan
gosec ./...
Contributing Guidelines
Contribution Process
Code Standards
- Go Style: Follow effective Go guidelines
- Documentation: Comprehensive godoc comments
- Testing: Minimum 80% test coverage
- Performance: Benchmark critical paths
- Security: Static analysis and vulnerability scanning
Pull Request Process
- Fork the repository
- Create feature branch (
git checkout -b feature/amazing-feature) - Commit changes (
git commit -m 'Add amazing feature') - Push to branch (
git push origin feature/amazing-feature) - Open Pull Request with detailed description
Issue Reporting
## Bug Report Template
Environment:
- OS: [e.g., Ubuntu 22.04]
- Version: [e.g., v2.0.0]
- Backend: [e.g., iptables]
Steps to Reproduce: - Configuration used
- Command executed
- Expected vs actual behavior
Logs: [Paste relevant logs here] Additional Context: [Any other relevant information]
License
This project is licensed under the MIT License. See the LICENSE file for details. Closed source forks are not permitted.
Third-Party Licenses
Open Source Dependencies
| Dependency | License | Usage | |------------|---------|-------| | gorilla/mux | BSD-3-Clause | HTTP routing | | gorilla/websocket | BSD-2-Clause | WebSocket support | | sirupsen/logrus | MIT | Structured logging | | prometheus/client_golang | Apache-2.0 | Metrics collection | | oschwald/geoip2-golang | ISC | Geographic lookup | | go-telegram-bot-api/telegram-bot-api | MIT | Telegram integration | | slack-go/slack | BSD-2-Clause | Slack integration |
nginx-defender - Protecting the modern web, one request at a time.
Documentation β’ Community β’ Security