Web Application Firewall (WAF) Vendors
Key Points
- There are many WAF vendors
- Some are self-hosted
- Some are more feature-rich
- We provide our own
WAF Vendors
I am a believer in web application firewalls. If nothing else, you can at least provide a layer of protection before traffic hits your website's server. In my view, the two main things they accomplish are 1) blocking traffic that has no business accessing your site, and 2) protecting your site from receiving manipulative requests.
What are some services that provide a WAF solution? Well, I'm not endorsing all of these options, but here are some to look for.
Cloudflare
I would guess that Cloudflare is probably the most popular WAF vendor. Admittedly, Cloudflare has quite an amazing platform. I was involved with a bigger enterprise site getting set up on Cloudflare, and their WAF has some great features.
Akamai
Akamai is one of the players that I think has been showing up more and more. They announced the completion of their acquisition of Linode back in March 2022. Ever since I saw that, I have been seeing this company more regularly.
Side note: I had posted about this back in December, and even though the poll had low engagement (3 people :-), 100% agreed that this acquisition wasn't good for the Linode brand. Linode was always sort of a familiar name for developers for a number of years.
AWS WAF
AWS is one of the largest public clouds in the market today, so of course they have a WAF offering. I actually haven't used this option, but I think it's still important to mention.
As many of you know, I'm not exactly a fan of high consumption of centralized services. I like to see competition, and to spread out the influence and cash amongst many players. However, if your company has gone "all-in" with AWS, then you might consider their offering.
Interesting note: back when I was helping the bigger enterprise site get set up on Cloudflare, the actual website was on AWS. So I think it's common to see a "hybrid" approach, where companies use a variety of providers instead of a single service provider.
Skip2
I've actually messaged the owner of this company, and it sounds awesome. They use FreeBSD, like we do, for their servers. I would recommend reaching out to them for your CDN needs (note: a CDN offering often includes a WAF).
Self Hosted Solutions
Now, if you're like me, you've skipped to this section, because it's more interesting.
Pingora
Pingora is a library for building a proxy server rather than a finished product. It is a newer library developed by Cloudflare. You can find a tutorial to try it out (in Rust!) on its GitHub page. It may be more proxy/CDN oriented, but again, I think having any layer in front of your website's server is a good thing. Plus, since you must build the library into your own program, you have the ability to run additional checks on the traffic.
Check out the features that Pingora currently supports:
- Async Rust: fast and reliable
- HTTP 1/2 end to end proxy
- TLS over OpenSSL or BoringSSL
- gRPC and websocket proxying
- Graceful reload
- Customizable load balancing and failover strategies
- Support for a variety of observability tools
There are other tools that can do a lot of this, but the thing that makes Pingora different is async Rust. I have listened to talks about implementing async Rust in web servers, and it makes a world of difference. Plus, the memory safety of Rust might help increase the chances of security by default.
I know, I know, there is often hype around keywords like async and rust, but I think that the Pingora library could potentially be the basis for some serious competitors.
Nginx
Nginx is a very flexible platform that has been highly utilized by many organizations. As such, there are a couple of options that you can integrate with Nginx. It is important to note, though, that Nginx itself is quite powerful, and you can use its built-in directives to provide a lot of protection, such as adding or removing HTTP headers, denying client IP ranges, or rate-limiting requests.
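As an added example (not from the original post), here is what that built-in protection looks like with stock Nginx directives and no extra modules. The hostname, certificate paths, the blocked CIDR and the upstream address are placeholders.

```nginx
# Added example: baseline hardening using only stock Nginx directives.
# Hostnames, paths, the denied CIDR and the origin address are placeholders.

# One request-rate bucket per client IP: 10 requests/second, 1 MB of state.
limit_req_zone $binary_remote_addr zone=perip:1m rate=10r/s;

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /usr/local/etc/ssl/example.com.crt;   # placeholder
    ssl_certificate_key /usr/local/etc/ssl/example.com.key;   # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # Do not advertise the Nginx version in responses and error pages.
    server_tokens off;

    # Security headers; "always" also sends them on 4xx/5xx responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;

    # Strip a backend header that leaks framework details to clients.
    proxy_hide_header X-Powered-By;

    # Block one range outright (placeholder CIDR); everyone else passes.
    deny 203.0.113.0/24;
    allow all;

    # Refuse methods the site does not use.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    # Cap request bodies and apply the per-IP rate limit with a small burst.
    client_max_body_size 1m;
    limit_req zone=perip burst=20 nodelay;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder origin
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

One caveat worth knowing: add_header is not merged across levels. If any location block declares its own add_header, it replaces the whole server-level set for that location, so either keep the headers at one level or repeat them where needed.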
ModSecurity
ModSecurity is an open-source intrusion detection and prevention engine for web applications that can be attached to different web servers, such as Nginx. I've generally heard good things about it, but guess what? The product called "NGINX ModSecurity WAF" has been given an end-of-life date:
"Please note that NGINX ModSecurity WAF officially went End-of-Sale as of April 1, 2022 and is transitioning to End-of-Life effective March 31, 2024." (F5)
This end-of-sale/end-of-life seems to be based on the management of the ModSecurity project changing hands, with the same expectations no longer planned to be met.
With that said, ModSecurity itself continues on under the custodianship of OWASP. And you can still connect ModSecurity to Nginx; for example, the package called modsecurity3-nginx is in the FreeBSD software repositories, and there is this project on GitHub from OWASP.
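The following is an added example (not from the post, and not the connector project's own documentation) of wiring the ModSecurity v3 Nginx connector into a server block, plus a minimal rules file that adds one custom rule before pulling in the OWASP Core Rule Set. The module path, rule-file paths and audit log location are placeholders; check where your package installed them.

```nginx
# Added example: ModSecurity v3 connector in Nginx. All paths are placeholders.

# --- nginx.conf: load the connector module at the top level, outside http {} ---
load_module /usr/local/libexec/nginx/ngx_http_modsecurity_module.so;

http {
    server {
        listen 80;
        server_name example.com;

        # Enable the engine for this server and point it at the rules file below.
        modsecurity on;
        modsecurity_rules_file /usr/local/etc/modsecurity/main.conf;

        location / {
            proxy_pass http://127.0.0.1:8080;   # placeholder origin
        }
    }
}

# --- /usr/local/etc/modsecurity/main.conf (placeholder path, ModSecurity syntax) ---
# Start in DetectionOnly so you can read the audit log before anything is blocked;
# switch to On once the false-positive rate is acceptable.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log

# One local rule (IDs 1-99,999 are reserved for local use): reject any
# argument that still contains "../" after URL decoding.
SecRule ARGS "@contains ../" \
    "id:10001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal attempt'"

# Then the OWASP Core Rule Set, installed separately from the engine.
Include /usr/local/etc/modsecurity/crs-setup.conf
Include /usr/local/etc/modsecurity/rules/*.conf
```

Run nginx -t after installing the module; a missing or mismatched module build shows up there rather than at request time. The DetectionOnly-first rollout matters in practice, because the Core Rule Set at its default paranoia level will flag some legitimate traffic on most real sites.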
OpenResty
OpenResty is a "Scalable Web Platform by Extending NGINX with Lua." Lua is a lightweight scripting language designed to be embedded in other programs. With this platform, you can embed Lua code right into your Nginx configuration. Doing this allows you to check for arbitrary conditions on each request and then apply a decision.
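Here is an added example (mine, not from the post or the OpenResty project) of that kind of per-request decision, using the access_by_lua_block directive from lua-nginx-module. It makes three checks before the request is proxied: an empty User-Agent, a crude pattern match on the query string, and a per-IP request counter kept in a shared dictionary. The thresholds, pattern list and origin address are illustrative choices, not recommendations.

```nginx
# Added example: request screening in Lua inside the Nginx config.
# Thresholds, the regex and the origin address are illustrative placeholders.

http {
    # Shared memory the Lua code uses to count requests per client IP.
    lua_shared_dict hits 10m;

    server {
        listen 80;
        server_name example.com;

        location / {
            access_by_lua_block {
                local ip = ngx.var.remote_addr

                -- 1. Reject obviously scripted traffic that sends no User-Agent.
                local ua = ngx.var.http_user_agent
                if ua == nil or ua == "" then
                    ngx.log(ngx.WARN, "blocked empty User-Agent from ", ip)
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end

                -- 2. Reject query strings carrying a few classic probe strings.
                --    "ijo": case-insensitive, JIT-compiled, compiled once per worker.
                local qs = ngx.var.query_string or ""
                if ngx.re.find(qs, [[(\.\./|<script|union\s+select)]], "ijo") then
                    ngx.log(ngx.WARN, "blocked suspicious query from ", ip, ": ", qs)
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end

                -- 3. Throttle: the counter is created with a 60 s TTL on first hit,
                --    so more than 100 requests in that window from one IP gets a 429.
                local count, err = ngx.shared.hits:incr(ip, 1, 0, 60)
                if not count then
                    ngx.log(ngx.ERR, "shared dict error: ", err)
                elseif count > 100 then
                    return ngx.exit(ngx.HTTP_TOO_MANY_REQUESTS)
                end
            }

            proxy_pass http://127.0.0.1:8080;   # placeholder origin
        }
    }
}
```

The point of the block is the hook, not the rule list: access_by_lua_block runs in the access phase, so anything you can compute from the request can decide whether it reaches the origin. A three-pattern regex is no substitute for a maintained rule set like the Core Rule Set, and the four-argument form of incr (with an initial TTL) needs lua-nginx-module 0.10.12 or newer.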
HAProxy
HAProxy is in a similar position to Nginx, so I'll leave the reader to explore this option on their own.
The Stockton SEO Agency Offering
At this point, if you don't want to go with a big WAF vendor, and you're not ready to self-host, then what options do you have? Well, there is always the Stockton SEO Agency to help you out!
We have put together our own mini-CDN/WAF solution. No, it's not Cloudflare or AWS. It is something of our own mix. Why is this important? Well, because of our passion for web hosting, we just had to put together our own basic solution to sit in front of the sites we host. This gives us full control over our service offering as well, and full customization of each domain we host.
Our mini-CDN/WAF provides two endpoints for our clients' websites, with caching. We also add HTTP headers to further secure your site, and we block a swath of IP addresses for extra protection.
Valete!