Private Beta

Web Application Firewall & Reverse Proxy for your infrastructure

High-performance web application protection powered by the OWASP Core Rule Set. A single binary — deployed in minutes on any server.

  • OWASP CRS built-in
  • Automatic TLS / Let's Encrypt
  • GeoIP filtering
  • High performance
  • Single binary

  • 100% On-prem: your data, your server
  • 1 binary: full stack in one file
  • OWASP CRS: embedded ruleset
  • < 5 min: to first protected site

Everything you need to protect your web applications

HA-WAF combines all security components into one solution with zero external dependencies.

WAF on OWASP CRS

Embedded Coraza WAF engine with up-to-date OWASP Core Rule Set rules. Detection and prevention modes, paranoia levels 1–4, configurable anomaly threshold. Blocks SQL Injection, XSS, RCE, LFI and hundreds of other attacks.

Detection / Prevention | Paranoia 1–4 | Anomaly threshold

GeoIP Filtering

Allow or block traffic by country of origin — configured independently per site. Whitelist of allowed countries, auto-update of the GeoIP map from a URL, X-Country header forwarded to the backend.

Per-site | Auto-update | X-Country header

Automatic TLS

Let's Encrypt integration via ACME. Supports HTTP-01 and DNS-01 challenges, multi-account ACME configuration, certificate management UI. Upload custom PEM files per site.

HTTP-01 / DNS-01 | Multi-account | Custom PEM upload

Rate Limiting

Flexible request throttling: by connection count, HTTP request rate, or bytes-in rate. Configurable per site and per path — using prefix, exact match, or regex scoping.

conn_rate | http_req_rate | bytes_in_rate | Per-path

IP Lists & WAF Auto-Ban

Per-site CIDR whitelists and blacklists. Whitelist entries support a WAF bypass flag for trusted sources. Automatic IP ban when the WAF hit threshold is exceeded — configurable threshold and duration, responds with 429.

CIDR whitelist/blacklist | WAF bypass | Auto-ban

Path Routing

Flexible request routing: proxy, return, and redirect actions. Match by prefix, exact, regex, or suffix. Native WebSocket and gRPC support. Load balance across multiple upstreams, manipulate headers, apply per-path rate limits.

WebSocket | gRPC | LB | Header rewrite

Domain Lists & WAF Bypass

Domain list files (.lst) with optional URL sync — for routing traffic to different backends. Specific domains can be excluded from WAF inspection directly in WAFPolicy without changing rules.

.lst files | URL sync | WAF bypass domains

Custom Rules & Exclusions

Write SecRule/SecAction directives globally or per site with priority ordering. CRS rule exclusions: disable, exclude_arg, exclude_request_header, exclude_url. Full ModSecurity-compatible syntax.

SecRule / SecAction | Global + per-site | Rule exclusions

Observability

Native OpenTelemetry support: traces, metrics, and logs via OTLP gRPC. Ready-made integrations with Grafana, VictoriaMetrics, and VictoriaLogs. Prometheus /metrics endpoint.

OTel | OTLP | Grafana | Prometheus

SSO & Access Control

Multi-provider OIDC/SSO, local users, and API keys. Viewer and admin roles. Full action audit trail for security compliance.

OIDC/SSO | API keys | Roles

Config Revisions & Backup

Full configuration snapshots with diff view and one-click rollback. Export and import the entire configuration as JSON — for backups and server-to-server migration.

Snapshots | Diff view | Rollback | Export/Import

REST API & Web UI

Full-featured REST API with OpenAPI specification. Multi-language web interface (RU/EN). Custom TCP/HTTP/HTTPS listeners on non-standard ports with optional WAF. SQLite (default, zero-config) or PostgreSQL.

OpenAPI | RU / EN UI | Custom ports | SQLite / PG

One binary, the full stack

HA-WAF manages all components as a single process — no complex orchestration, no external dependencies.

  1. Proxy Engine — reverse proxy

     High-performance inbound traffic handling, SSL termination, load balancing across backends, and path-based routing.

  2. WAF Engine — traffic analysis

     Embedded Coraza WAF with OWASP CRS inspects every request in real time via the SPOE protocol.

  3. REST API + Web UI — management

     HTTP API on port 8080 and a built-in web interface. SQLite (zero-config default) or PostgreSQL for configuration storage.

  4. ACME — automatic TLS

     Built-in Let's Encrypt client supporting HTTP-01 and DNS-01 challenges, multi-account setup, and automatic certificate renewal.

        Internet
           |
           ↓
┌──────────────────────┐
|        HA-WAF        |
|                      |
|  :80  HTTP           |
|  :443 HTTPS / TLS    |
|                      |
|  ┌────────────────┐  |
|  |  Proxy Engine  |  |
|  └───────┬────────┘  |
|          | SPOE      |
|  ┌───────┴────────┐  |
|  |   WAF Engine   |  |
|  |   OWASP CRS    |  |
|  └────────────────┘  |
|                      |
|  :8080 REST API      |
|  SQLite / PostgreSQL |
└──────────┬───────────┘
           |
           ↓
    Backend servers

Documentation

Everything you need to get started quickly, fine-tune your configuration, and integrate HA-WAF into your infrastructure.

Quick Start

  • Docker and systemd installation
  • Adding your first site
  • Basic WAF configuration

Configuration

  • GeoIP, Rate Limiting, IP Lists
  • Custom rules and CRS exclusions
  • TLS, ACME, Path Routing

API Reference

  • OpenAPI specification
  • REST endpoints and examples
  • Authentication and API keys

Deployment

  • Docker Compose with monitoring stack
  • Systemd unit for on-prem VM
  • Kubernetes — Helm Chart, Flux CD
  • Backup, restore, and migration

Documentation in progress — available on request. Write to info@ha-waf.com

Who uses HA-WAF

Enterprise Systems

Protect internal and external web services. Meet security compliance requirements without expensive commercial solutions. SSO, roles, and audit trail included.

E-Commerce Platforms

Block scrapers, automated attacks, and fraud. Apply rate limiting to checkout and API endpoints. Enforce geo-restrictions with GeoIP filtering.

Critical Infrastructure

Healthcare, finance, government — where data cannot be entrusted to a foreign cloud WAF vendor. Fully on-premises, zero data leaves your network.

SaaS & Startups

Fast setup with minimal configuration. Scales from a single VPS to a high-traffic cluster. SQLite by default — zero infrastructure dependencies to start.

API Gateway

Protect APIs from abuse, injections, and DDoS. Flexible rules scoped to URL paths and request headers. Native gRPC and WebSocket support.

On-Prem & Private Cloud

Full data sovereignty. Deploy via Docker, systemd, or Kubernetes (Helm Chart). No dependency on external services.

Your server. No vendor lock-in.

HA-WAF runs inside your infrastructure — full control over data and configuration, no cloud dependencies.

Docker Image

Ready-to-use image for rapid deployment in any container environment

Systemd Unit

Pre-built service configuration to run as a system service on any Linux server

Docker Compose

Full stack with OTel Collector, VictoriaMetrics, and Grafana in a single command

Kubernetes / Helm Chart

Official Helm chart with HPA, PodDisruptionBudget, Ingress, and HTTPRoute. Flux CD manifests included.