Anipaleja
nginx-defender
Go

A lightweight, real time log monitoring tool designed to detect and block IP addresses exhibiting abusive behavior such as brute force attacks, excessive requests, or suspicious patterns. Automatically integrates with your server’s firewall (iptables or ufw) to block offenders and protect web services without relying on external services.

Last updated Jun 11, 2026
79
Stars
7
Forks
11
Issues
0
Stars/day
Attention Score
32
Language breakdown
Go 56.9%
HTML 34.7%
JavaScript 3.9%
Shell 1.9%
Python 1.8%
CSS 0.6%
β–Έ Files click to expand
README

image

Build Status Docker Version Go Report Card License Go Version Platform Stars - Purple NGINX

With Support and Validation From:

YC Google Deepmind Cisco Vercel Anthropic

Web Application Firewall with Threat Intelligence β€’ Documentation


Table of Contents

Click to expand

- Threat Detection Engine - Firewall Management - Monitoring & Analytics - Notification System - Binary Installation - Docker Deployment - Kubernetes Deployment

Overview

nginx-defender is a high-performance, Web Application Firewall (WAF) and threat detection system engineered for modern web infrastructure. Built with Go and designed for scalability, it provides real time threat mitigation, machine learning-based anomaly detection, and comprehensive security analytics.

Detection Pipeline

  • Streaming anomaly detection with incremental model persistence
  • Behavioral profiling with burst, scraping, probing, and credential-stuffing signals
  • Confidence-driven adaptive mitigation (monitor, rate-limit, tarpit, block)
  • Deception endpoint detection fed back into the ML signal stream
  • Extensible detection plugins through dynamic module loading

ML and Adaptive Security Deep Dive

The detection path now combines:

  • Signature and threat intelligence signals
  • Per-IP behavioral profile scoring
  • Streaming online anomaly model output
  • Adaptive response planning based on confidence
This enables deterministic blocking for known high-risk payloads while still adapting to new attacker behavior with a continuously updated model.

Reproducible Benchmarking

Use the benchmark harness to compare runtime and deployment readiness against Fail2Ban:

  • script: scripts/benchmark-compare.sh
  • output: docs/benchmark-results.md

Key Differentiators

graph TD
    A[Incoming Traffic] --> B[Log Parser]
    B --> C[Threat Detection Engine]
    C --> D[ML Anomaly Detection]
    C --> E[Pattern Matching]
    C --> F[Rate Limiting]
    D --> G[Firewall Manager]
    E --> G
    F --> G
    G --> H[iptables/nftables/pf]
    G --> I[Notification System]
    I --> J[Dashboard/API]

| Feature | nginx-defender | Commercial WAFs | Open Source WAFs | |---------|----------------|-----------------|------------------| | Real-time ML Detection | Native | Limited | None | | Multi-backend Firewall | 5+ backends | Proprietary | Limited | | Advanced Analytics | Built-in | Expensive addon | Basic | | Geographic Intelligence | Integrated | Licensed | Manual | | Clustering Support | Native | Enterprise only | None | | Container Ready | OCI compliant | Legacy | Configuration heavy |


Architecture

System Architecture

High-Level Architecture Diagram

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                        nginx-defender                          β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  Log Monitor  β”‚  β”‚ Threat Intel β”‚  β”‚   Web Dashboard     β”‚  β”‚
β”‚  β”‚   (Async)     β”‚  β”‚  (Real-time) β”‚  β”‚    (WebSocket)      β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚          β”‚                 β”‚                    β”‚              β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚                Threat Detection Engine                   β”‚  β”‚
β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”‚  β”‚
β”‚  β”‚  β”‚   Pattern   β”‚ β”‚  ML Anomaly  β”‚ β”‚  Rate Limiting  β”‚    β”‚  β”‚
β”‚  β”‚  β”‚   Matcher   β”‚ β”‚  Detection   β”‚ β”‚     Engine      β”‚    β”‚  β”‚
β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚                            β”‚                                   β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚                  Firewall Manager                        β”‚  β”‚
β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”‚  β”‚
β”‚  β”‚  β”‚  iptables   β”‚ β”‚   nftables   β”‚ β”‚      pf         β”‚    β”‚  β”‚
β”‚  β”‚  β”‚   Backend   β”‚ β”‚   Backend    β”‚ β”‚   Backend       β”‚    β”‚  β”‚
β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚                            β”‚                                   β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚            Multi-Channel Notification System             β”‚  β”‚
β”‚  β”‚    Telegram β”‚ Slack β”‚ Email β”‚ Webhook β”‚ Discord          β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Component Overview

| Component | Responsibility | Technology | Scalability | |-----------|---------------|------------|-------------| | Log Monitor | Real-time log parsing and streaming | Go channels, fsnotify | Horizontal | | Detection Engine | Threat analysis and classification | Regex, ML algorithms | Vertical | | Firewall Manager | Rule application and management | System calls, netlink | Horizontal | | Notification System | Alert distribution and escalation | HTTP clients, WebSockets | Horizontal | | Web Dashboard | Management interface and analytics | HTTP server, static assets | Horizontal | | Metrics Collector | Performance and security metrics | Prometheus client | Horizontal |


Core Features

Threat Detection Engine

Advanced Pattern Recognition System

Machine Learning Integration

  • Behavioral Analysis: Statistical anomaly detection using sliding windows
  • Attack Vectorization: Feature extraction from HTTP requests
  • Model Training: Continuous learning from threat patterns
  • False Positive Reduction: Adaptive threshold adjustment

Pattern Matching Engine

# Example threat patterns
patterns:
  sql_injection:
    regex: "(?i)(union|select|insert|update|delete|drop|exec|script)"
    severity: 9
    categories: ["injection", "database"]
    
  xss_detection:
    regex: "(?i)(<script||vbscript:|onload=|onerror=)"
    severity: 8
    categories: ["xss", "injection"]
    
  directory_traversal:
    regex: "(?i)(\\.\\.[\\/\\\\]|%2e%2e%2f|%252e%252e%252f)"
    severity: 7
    categories: ["pathtraversal", "fileaccess"]

Rate Limiting Algorithm

type RateLimiter struct {
    Window    time.Duration
    Threshold int
    Algorithm string // "slidingwindow", "tokenbucket", "leaky_bucket"
}

Firewall Management

Multi-Backend Firewall System

Supported Backends

| Backend | Platform | Features | Performance | |---------|----------|----------|-------------| | iptables | Linux | Legacy compatibility, wide support | ~10k rules/sec | | nftables | Linux | Modern netfilter, better performance | ~50k rules/sec | | pf | FreeBSD/macOS | Advanced filtering, built-in NAT | ~30k rules/sec | | Windows Firewall | Windows | Native Windows integration | ~5k rules/sec | | Mock | All | Testing and development | Unlimited |

Rule Management

type Rule struct {
    ID          string            json:&quot;id&quot;
    IP          string            json:&quot;ip&quot;
    Action      Action            json:&quot;action&quot;
    Duration    time.Duration     json:&quot;duration&quot;
    CreatedAt   time.Time         json:&quot;created_at&quot;
    ExpiresAt   time.Time         json:&quot;expires_at&quot;
    Reason      string            json:&quot;reason&quot;
    ThreatLevel string            json:&quot;threat_level&quot;
    Metadata    map[string]string json:&quot;metadata&quot;
}

Action Types

  • BLOCK: Complete traffic blocking
  • DROP: Silent packet dropping
  • REJECT: Explicit connection rejection
  • RATE_LIMIT: Bandwidth throttling
  • TARPIT: Connection delay injection
  • ALLOW: Whitelist override

Monitoring & Analytics

Real-time Dashboard and Metrics

Web Dashboard Features

  • Real-time Threat Map: Geographic visualization of attacks
  • Performance Metrics: Request processing and response times
  • Rule Management: Interactive firewall rule configuration
  • Log Analysis: Filtering and search capabilities
  • Alert Management: Notification configuration and history

Prometheus Metrics

# HELP nginxdefenderrequests_total Total number of requests processed

TYPE nginxdefenderrequests_total counter

nginxdefenderrequeststotal{status="blocked",reason="sqlinjection"} 1234

HELP nginxdefenderresponsedurationseconds Request processing duration

TYPE nginxdefenderresponsedurationseconds histogram

nginxdefenderresponsedurationseconds_bucket{le="0.1"} 8932

WebSocket API

const ws = new WebSocket('ws://localhost:8080/ws');
ws.onmessage = function(event) {
    const data = JSON.parse(event.data);
    console.log('New threat detected:', data);
};

Notification System

Multi-Channel Alert Distribution

Supported Channels

| Channel | Features | Configuration | |---------|----------|---------------| | Telegram | Rich formatting, bot integration | Bot token, chat ID | | Slack | Channel posting, thread replies | Webhook URL, channel | | Email | HTML templates, attachments | SMTP configuration | | Webhook | Custom integrations, JSON payload | Endpoint URL, headers | | Discord | Server notifications, embeds | Webhook URL | | PagerDuty | Incident management, escalation | Integration key |

Alert Severity Levels

severity_mapping:
  critical: 9-10    # Immediate response required
  high: 7-8         # Urgent attention needed
  medium: 4-6       # Standard monitoring
  low: 1-3          # Informational only


Technical Specifications

System Requirements

Minimum Requirements

hardware:
  cpu: "1 core (x86_64/ARM64)"
  memory: "256 MB RAM"
  storage: "100 MB disk space"
  network: "1 Mbps bandwidth"

software: os: "Linux 4.0+, macOS 10.15+, FreeBSD 12+" privileges: "root/administrator (for firewall management)" dependencies: "None (statically linked binary)"

Recommended Production Setup

hardware:
  cpu: "4+ cores (x86_64)"
  memory: "2+ GB RAM"
  storage: "10+ GB SSD"
  network: "100+ Mbps bandwidth"

software: os: "Linux 5.4+ (Ubuntu 20.04+, CentOS 8+)" kernel: "nftables support enabled" monitoring: "Prometheus + Grafana"

Performance Characteristics

| Metric | Value | Notes | |--------|-------|-------| | Log Processing | 100k+ entries/sec | Single instance | | Rule Application | 50k+ rules/sec | nftables backend | | Memory Usage | <100 MB | Base configuration | | CPU Usage | <5% | Idle state | | Response Time | <1ms | Rule matching | | Concurrent Connections | 10k+ | Web dashboard |

Network Architecture

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚   Client    │────│  nginx-     │────│  Backend    β”‚
β”‚  Traffic    β”‚    β”‚  defender   β”‚    β”‚  Services   β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                          β”‚
                   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                   β”‚  Firewall   β”‚
                   β”‚   Rules     β”‚
                   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Quick Start

Use this for a fast, predictable setup. It assumes Nginx is already running and writing access logs.

  • One-line install + guided setup
curl -fsSL https://raw.githubusercontent.com/Anipaleja/nginx-defender/main/scripts/install.sh | sh
  nginx-defender setup
Use -config to write the config elsewhere, and -force to overwrite an existing file.
  • Pick a config baseline
cp config.yaml ./config.local.yaml
   # or: config-demo.yaml (safe defaults) / config-advanced.yaml (full features)
  • Point log sources to your Nginx logs (platform defaults)
- Linux: /var/log/nginx/access.log, /var/log/nginx/error.log - macOS (Homebrew): /opt/homebrew/var/log/nginx/access.log (Apple Silicon) or /usr/local/var/log/nginx/access.log (Intel) - FreeBSD: /var/log/nginx/access.log, /var/log/nginx/error.log

macOS Homebrew services note: if Nginx is started via brew services, the logs live under $(brew --prefix)/var/log/nginx/.

Minimal known-good snippet for common Nginx log paths (Linux/FreeBSD):

logs:      sources:        - path: "/var/log/nginx/access.log"          format: "combined"          follow: true        - path: "/var/log/nginx/error.log"          format: "error"          follow: true
On macOS, replace the paths with your Homebrew prefix.

  • Choose firewall mode
- Linux: iptables or nftables - macOS/FreeBSD: pf - For safe evaluation: set firewall.backend: "mock" or export NGINXDEFENDERDRY_RUN=true.
  • Run it (pick one)
Local binary
sudo ./nginx-defender -config ./config.local.yaml

Docker Compose (uses docker-compose.yml)

cp config.yaml ./config.yaml    docker compose up -d
If you changed log paths, also update the volumes mount paths in docker-compose.yml.

  • Verify
curl http://localhost:8080/health
   curl http://localhost:9090/metrics
  • See activity
tail -f /var/log/nginx/access.log
You should see detections in the nginx-defender logs as traffic hits your Nginx instance.

Installation

Binary Installation

One-line installer (Linux/macOS/FreeBSD)

curl -fsSL https://raw.githubusercontent.com/Anipaleja/nginx-defender/main/scripts/install.sh | sh
Then generate a config:
nginx-defender setup

Linux (x86_64)

# Download latest release
curl -L https://github.com/anipaleja/nginx-defender/releases/latest/download/nginx-defender-linux-amd64.tar.gz | tar -xz

Install system-wide

sudo mv nginx-defender /usr/local/bin/ sudo chmod +x /usr/local/bin/nginx-defender

Create configuration directory

sudo mkdir -p /etc/nginx-defender sudo wget -O /etc/nginx-defender/config.yaml https://raw.githubusercontent.com/anipaleja/nginx-defender/main/config.yaml

Create systemd service

sudo tee /etc/systemd/system/nginx-defender.service > /dev/null <<EOF [Unit] Description=nginx-defender WAF After=network.target

[Service] Type=simple User=root ExecStart=/usr/local/bin/nginx-defender -config /etc/nginx-defender/config.yaml Restart=always RestartSec=5

[Install] WantedBy=multi-user.target EOF

Enable and start service

sudo systemctl enable nginx-defender sudo systemctl start nginx-defender

macOS (Homebrew)

# Add tap (if available)
brew tap anipaleja/nginx-defender

Install via Homebrew

brew install nginx-defender

Start service

brew services start nginx-defender

Docker Deployment

Basic Docker Run

# Pull latest image
docker pull ghcr.io/anipaleja/nginx-defender:latest

Run with host networking (recommended for firewall functionality)

docker run -d \ --name nginx-defender \ --network host \ --cap-add NET_ADMIN \ --cap-add NET_RAW \ -v /var/log/nginx:/var/log/nginx:ro \ -v ./config.yaml:/app/config.yaml:ro \ ghcr.io/anipaleja/nginx-defender:latest

Docker Compose

version: '3.8'

services: nginx-defender: image: ghcr.io/anipaleja/nginx-defender:latest container_name: nginx-defender restart: unless-stopped network_mode: host cap_add: - NET_ADMIN - NET_RAW volumes: - /var/log/nginx:/var/log/nginx:ro - ./config.yaml:/app/config.yaml:ro - ./data:/app/data environment: - LOG_LEVEL=info - DRY_RUN=false healthcheck: test: ["CMD", "curl", "-f", "http://localhost:8080/health"] interval: 30s timeout: 10s retries: 3

prometheus: image: prom/prometheus:latest container_name: prometheus ports: - "9090:9090" volumes: - ./prometheus.yml:/etc/prometheus/prometheus.yml command: - '--config.file=/etc/prometheus/prometheus.yml' - '--storage.tsdb.path=/prometheus' - '--web.console.libraries=/etc/prometheus/console_libraries' - '--web.console.templates=/etc/prometheus/consoles'

grafana: image: grafana/grafana:latest container_name: grafana ports: - "3000:3000" environment: - GFSECURITYADMIN_PASSWORD=admin volumes: - grafana-storage:/var/lib/grafana

volumes: grafana-storage:

Kubernetes Deployment

Complete Kubernetes Manifests

Namespace and ConfigMap

apiVersion: v1
kind: Namespace
metadata:
  name: nginx-defender

apiVersion: v1 kind: ConfigMap metadata: name: nginx-defender-config namespace: nginx-defender data: config.yaml: | firewall: backend: "iptables" whitelist: - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" detection: enabled: true patterns_file: "pkg/patterns/common.yaml" rate_limiting: enabled: true window: "1m" max_requests: 100 server: host: "0.0.0.0" port: 8080 metrics: enabled: true prometheus: enabled: true host: "0.0.0.0" port: 9090

DaemonSet Deployment

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-defender
  namespace: nginx-defender
spec:
  selector:
    matchLabels:
      app: nginx-defender
  template:
    metadata:
      labels:
        app: nginx-defender
    spec:
      hostNetwork: true
      hostPID: true
      containers:
      - name: nginx-defender
        image: ghcr.io/anipaleja/nginx-defender:latest
        imagePullPolicy: Always
        securityContext:
          privileged: true
          capabilities:
            add:
              - NET_ADMIN
              - NET_RAW
              - SYS_ADMIN
        ports:
        - containerPort: 8080
          name: web
        - containerPort: 9090
          name: metrics
        volumeMounts:
        - name: config
          mountPath: /app/config.yaml
          subPath: config.yaml
        - name: log-files
          mountPath: /var/log/nginx
          readOnly: true
        - name: proc
          mountPath: /host/proc
          readOnly: true
        - name: sys
          mountPath: /host/sys
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: nginx-defender-config
      - name: log-files
        hostPath:
          path: /var/log/nginx
      - name: proc
        hostPath:
          path: /proc
      - name: sys
        hostPath:
          path: /sys
      tolerations:
      - operator: Exists
        effect: NoSchedule

Service and Ingress

apiVersion: v1
kind: Service
metadata:
  name: nginx-defender-service
  namespace: nginx-defender
spec:
  selector:
    app: nginx-defender
  ports:
  - name: web
    port: 8080
    targetPort: 8080
  - name: metrics
    port: 9090
    targetPort: 9090
  type: ClusterIP

apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: nginx-defender-ingress namespace: nginx-defender annotations: nginx.ingress.kubernetes.io/rewrite-target: / spec: rules: - host: nginx-defender.example.com http: paths: - path: / pathType: Prefix backend: service: name: nginx-defender-service port: number: 8080


Configuration

Configuration File Structure

Complete Configuration Reference

# nginx-defender configuration file

Version: 2.0

Firewall configuration

firewall: # Backend type: iptables, nftables, pf, mock backend: "iptables" # Whitelisted IP addresses and ranges whitelist: - "127.0.0.1" - "::1" - "192.168.0.0/16" - "10.0.0.0/8" - "172.16.0.0/12" # Default action for threats default_action: "BLOCK" # Rule cleanup interval cleanup_interval: "5m" # Maximum number of rules max_rules: 10000

Threat detection configuration

detection: enabled: true # Machine learning model file (optional) mlmodel: "/app/models/threatdetection.model" # Threat patterns file patterns_file: "pkg/patterns/common.yaml" # Rate limiting configuration rate_limiting: enabled: true window: "1m" max_requests: 100 algorithm: "sliding_window" # Geographic blocking geo_blocking: enabled: true blocked_countries: ["CN", "RU", "KP"] allowed_countries: [] geoip_database: "/app/data/GeoLite2-City.mmdb" # Honeypot integration honeypot: enabled: false boost_factor: 2.0 services: ["ssh", "http", "ftp"]

Log monitoring configuration

logs: level: "info" format: "json" output: "stdout" # Log sources to monitor sources: - path: "/var/log/nginx/access.log" format: "combined" follow: true - path: "/var/log/nginx/error.log" format: "error" follow: true - path: "/var/log/apache2/access.log" format: "combined" follow: false

Web server configuration

server: host: "0.0.0.0" port: 8080 # TLS configuration tls: enabled: false cert_file: "/app/certs/server.crt" key_file: "/app/certs/server.key" # CORS configuration cors: enabled: true allowed_origins: ["*"] allowed_methods: ["GET", "POST", "PUT", "DELETE"]

Metrics and monitoring

metrics: enabled: true # Prometheus configuration prometheus: enabled: true host: "0.0.0.0" port: 9090 path: "/metrics" # Performance monitoring performance: enabled: true interval: "30s"

Notification configuration

notifications: enabled: true # Notification channels channels: console: enabled: true level: "info" email: enabled: false smtp_host: "smtp.example.com" smtp_port: 587 username: "alerts@example.com" password: "password" to: ["admin@example.com"] subject_prefix: "[nginx-defender]" telegram: enabled: false bottoken: "BOTTOKEN" chatid: "CHATID" slack: enabled: false webhookurl: "WEBHOOKURL" channel: "#security" username: "nginx-defender" webhook: enabled: false url: "https://api.example.com/webhooks/security" headers: Authorization: "Bearer TOKEN" Content-Type: "application/json"

Clustering configuration (Enterprise)

clustering: enabled: false node_id: "node-1" discovery: method: "static" endpoints: ["node-2:8081", "node-3:8081"] # Distributed rule synchronization sync: enabled: true interval: "10s"

Environment Variables

| Variable | Description | Default | |----------|-------------|---------| | NGINXDEFENDERCONFIG | Configuration file path | config.yaml | | NGINXDEFENDERLOG_LEVEL | Log level (debug, info, warn, error) | info | | NGINXDEFENDERDRY_RUN | Enable dry-run mode | false | | NGINXDEFENDERBACKEND | Firewall backend override | - | | NGINXDEFENDERWEB_PORT | Web server port | 8080 | | NGINXDEFENDERMETRICS_PORT | Metrics server port | 9090 |


API Reference

REST API Endpoints

Complete API Documentation

System Information

GET /api/v1/status
Response:
{
  "status": "healthy",
  "version": "2.0.0",
  "uptime": "2h30m15s",
  "build_info": {
    "version": "v2.0.0",
    "commit": "abc123",
    "build_time": "2025-07-27T10:00:00Z"
  }
}

Firewall Rules Management

GET /api/v1/rules
POST /api/v1/rules
DELETE /api/v1/rules/{id}

Create Rule:

{   "ip": "192.168.1.100",   "action": "BLOCK",   "duration": "1h",   "reason": "SQL injection attempt",   "metadata": {     "threat_level": "high",     "pattern": "sql_injection"   } }

Statistics and Metrics

GET /api/v1/stats
GET /api/v1/metrics

Statistics Response:

{   "firewall": {     "backend": "iptables",     "total_rules": 1234,     "active_rules": 987,     "expired_rules": 247   },   "detection": {     "total_requests": 50000,     "blocked_requests": 1234,     "threat_detections": {       "sql_injection": 456,       "xss": 234,       "brute_force": 344     }   },   "performance": {     "avgresponsetime": "0.5ms",     "memory_usage": "89MB",     "cpu_usage": "3.2%"   } }

Configuration Management

GET /api/v1/config
PUT /api/v1/config
POST /api/v1/config/reload

Log Analysis

GET /api/v1/logs?limit=100&level=error
GET /api/v1/threats?since=1h&severity=high

WebSocket API

Real-time Event Streaming

Connection

const ws = new WebSocket('ws://localhost:8080/ws');

Event Types

// Threat detection event
{
  "type": "threat_detected",
  "timestamp": "2025-07-27T12:00:00Z",
  "data": {
    "ip": "192.168.1.100",
    "threattype": "sqlinjection",
    "severity": 9,
    "blocked": true
  }
}

// Rule creation event { "type": "rule_created", "timestamp": "2025-07-27T12:00:01Z", "data": { "rule_id": "rule-123", "ip": "192.168.1.100", "action": "BLOCK", "expires_at": "2025-07-27T13:00:01Z" } }

// System metrics update { "type": "metrics_update", "timestamp": "2025-07-27T12:00:00Z", "data": { "cpu_usage": 3.2, "memory_usage": 89, "active_connections": 1234 } }


Performance Benchmarks

Throughput Testing

Performance Test Results

Test Environment

  • Hardware: Intel Xeon E5-2686v4 (4 cores), 16GB RAM
  • OS: Ubuntu 22.04 LTS
  • Network: 10Gbps Ethernet
  • Backend: nftables

Results

| Test Scenario | Throughput | Latency (p95) | CPU Usage | Memory Usage | |---------------|------------|---------------|-----------|--------------| | Log Processing | 150k entries/sec | 2ms | 15% | 120MB | | Pattern Matching | 100k requests/sec | 1ms | 25% | 95MB | | Rule Application | 75k rules/sec | 0.5ms | 10% | 85MB | | API Requests | 50k requests/sec | 5ms | 20% | 100MB | | WebSocket Events | 25k events/sec | 3ms | 12% | 90MB |

Scaling Characteristics

Log Processing Rate vs CPU Cores:
  1 core:  50k entries/sec
  2 cores: 95k entries/sec
  4 cores: 150k entries/sec
  8 cores: 180k entries/sec (diminishing returns)

Memory Optimization

Memory Usage Analysis

| Component | Base Memory | Per Rule | Per Connection | |-----------|-------------|----------|----------------| | Core Engine | 45MB | 64 bytes | 2KB | | Pattern Matcher | 25MB | - | 512 bytes | | Web Server | 15MB | - | 4KB | | Metrics Collector | 10MB | 128 bytes | 1KB | | Total Baseline | 95MB | 192 bytes | 7.5KB |

Memory Growth Projections

  • 10k rules: ~97MB
  • 100k rules: ~114MB
  • 1M rules: ~287MB
  • 10k concurrent connections: ~170MB

Security Considerations

Security Architecture

Security Design Principles

Defense in Depth

  • Input Validation: All user inputs are validated and sanitized
  • Principle of Least Privilege: Minimal required permissions
  • Fail-Safe Defaults: Secure defaults for all configurations
  • Complete Mediation: All access attempts are checked
  • Open Design: Security through design, not obscurity

Threat Model

graph LR
    A[External Attacker] -->|HTTP Requests| B[nginx-defender]
    C[Malicious Insider] -->|Config Changes| B
    D[Compromised System] -->|Local Access| B
    
    B -->|Validated Traffic| E[Protected Services]
    B -->|Blocked Traffic| F[Firewall Drop]
    B -->|Alerts| G[Security Team]

Security Controls

| Layer | Control | Implementation | |-------|---------|----------------| | Network | Traffic filtering | iptables/nftables rules | | Application | Input validation | Regex patterns, ML detection | | Authentication | API access control | JWT tokens, API keys | | Authorization | Role-based access | RBAC system | | Audit | Activity logging | Structured logging, SIEM integration | | Encryption | Data protection | TLS 1.3, AES-256 |

Vulnerability Management

Security Practices

Regular Security Assessments

  • Static Analysis: Weekly automated scans
  • Dynamic Testing: Monthly penetration testing
  • Dependency Scanning: Daily vulnerability checks
  • Configuration Audits: Quarterly security reviews

Incident Response

  • Detection: Automated threat detection and alerting
  • Analysis: Log correlation and forensic analysis
  • Containment: Automatic rule application and isolation
  • Recovery: System restoration and patch application
  • Lessons Learned: Post-incident review and improvements

Compliance Standards

  • OWASP Top 10: Protection against common web vulnerabilities
  • NIST Cybersecurity Framework: Risk management alignment
  • ISO 27001: Information security management
  • PCI DSS: Payment card industry compliance (where applicable)

Development

Building from Source

Development Setup

Prerequisites

# Install Go 1.21+
curl -L https://go.dev/dl/go1.21.linux-amd64.tar.gz | sudo tar -C /usr/local -xz
export PATH=$PATH:/usr/local/go/bin

Install development tools

go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest go install github.com/securecodewarrior/sast-scan@latest

Build Process

# Clone repository
git clone https://github.com/anipaleja/nginx-defender.git
cd nginx-defender

Install dependencies

go mod download

Run tests

go test -v ./...

Build binary

go build -o nginx-defender ./cmd/nginx-defender

Build for multiple platforms

make build-all

Development Workflow

# Run with hot reload
air -c .air.toml

Run tests with coverage

go test -coverprofile=coverage.out ./... go tool cover -html=coverage.out

Lint code

golangci-lint run

Security scan

gosec ./...

Contributing Guidelines

Contribution Process

Code Standards

  • Go Style: Follow effective Go guidelines
  • Documentation: Comprehensive godoc comments
  • Testing: Minimum 80% test coverage
  • Performance: Benchmark critical paths
  • Security: Static analysis and vulnerability scanning

Pull Request Process

  • Fork the repository
  • Create feature branch (git checkout -b feature/amazing-feature)
  • Commit changes (git commit -m 'Add amazing feature')
  • Push to branch (git push origin feature/amazing-feature)
  • Open Pull Request with detailed description

Issue Reporting

## Bug Report Template

Environment:

  • OS: [e.g., Ubuntu 22.04]
  • Version: [e.g., v2.0.0]
  • Backend: [e.g., iptables]
Steps to Reproduce:
  • Configuration used
  • Command executed
  • Expected vs actual behavior
Logs:
[Paste relevant logs here]
Additional Context: [Any other relevant information]


License

This project is licensed under the MIT License. See the LICENSE file for details. Closed source forks are not permitted.

Third-Party Licenses

Open Source Dependencies

| Dependency | License | Usage | |------------|---------|-------| | gorilla/mux | BSD-3-Clause | HTTP routing | | gorilla/websocket | BSD-2-Clause | WebSocket support | | sirupsen/logrus | MIT | Structured logging | | prometheus/client_golang | Apache-2.0 | Metrics collection | | oschwald/geoip2-golang | ISC | Geographic lookup | | go-telegram-bot-api/telegram-bot-api | MIT | Telegram integration | | slack-go/slack | BSD-2-Clause | Slack integration |


Star History Chart

nginx-defender - Protecting the modern web, one request at a time.

Documentation β€’ Community β€’ Security

πŸ”— More in this category

Β© 2026 GitRepoTrend Β· Anipaleja/nginx-defender Β· Updated daily from GitHub