Self-hosted WAF for modern APIs. FortressWAF is a Go reverse proxy that inspects REST, GraphQL, WebSocket, gRPC, and SOAP traffic through a configurable detection pipeline. Configuration is YAML, changes apply at runtime. Single binary, no external dependencies required.
flowchart LR
C[Client] --> T[TLS Termination<br/>HTTP/2, ACME, OCSP, mTLS]
T --> P[Request Parser<br/>Headers, Body, Params]
P --> A[Auth Layer<br/>JWT, OAuth, CAPTCHA, API Keys]
A --> PL[Protocol Inspection<br/>GraphQL · gRPC · SOAP · WebSocket]
PL --> D[Detection Pipeline]
subgraph D[ ]
direction TB
S[SQL Injection]
X[XSS]
R[RCE]
B[Bot Detection]
DD[DDoS / Rate Limit]
CR[Credential Protection]
AP[API Protection]
PR[Protocol Anomaly]
UF[Upload Security]
end
D --> SC[Scoring Engine<br/>Block · Challenge · Rate-Limit · Allow]
SC --> UP[Proxy Forwarder]
UP --> OR[Origin Server]
SC -.-> LOG[SIEM Export<br/>Elasticsearch · Splunk · JSON Log]
SC -.-> PROM[Prometheus Metrics]
SC -.-> ML[Ml Sidecar<br/>Optional · Python]
| Module | What It Detects |
|---|---|
| SQL Injection | Tautology, UNION, time-based blind, error-based, stacked queries, encoded variants |
| Cross-Site Scripting | Stored, reflected, DOM, event handlers, script tags, obfuscated JS |
| RCE | Shell injection, SSTI, EL injection, deserialization, Log4Shell, file inclusion |
| Path Traversal | Directory traversal, null bytes, encoding bypass |
| API Protection | OpenAPI schema enforcement, shadow API discovery, mass assignment |
| Protocol Anomaly | HTTP verb tampering, header smuggling, malformed requests, method override |
| Feature | Implementation |
|---|---|
| JWT Validation | JWKS cache, RS256/ES256/HS256, issuer/audience validation, scope check |
| OAuth 2.0 Introspection | RFC 7662, token cache, scope and role verification |
| mTLS | CA validation, policy OID, certificate info extraction |
| CAPTCHA | reCAPTCHA v2/v3, hCaptcha, configurable score threshold |
| API Key Management | Bearer token validation against configured keys |
| Feature | Details |
|---|---|
| Rate Limiting | Token bucket, leaky bucket, sliding window, fixed window — per-IP, per-route, global |
| DDoS Protection | Slow loris detection, slow POST, cache busting, adaptive rate limits |
| Bot Detection | Known bot lists, headless browser detection, JS challenge generation |
| IP Reputation | TOR/proxy/VPN detection, ASN filtering, CIDR allow/block lists |
| Session Tracking | Cookie-based session management with Redis backend |
| Protocol | Capabilities |
|---|---|
| GraphQL | Query depth limiting, cost analysis, alias count, batch size, field restrictions |
| WebSocket | Frame type validation, rate limiting, message size, origin check |
| gRPC | Per-service rate limiting, message size limits, content-type detection |
| SOAP/XML | XML nesting depth validation, content-type enforcement |
- Brute force detection with exponential backoff per IP
- Credential stuffing detection per user hash
- Password spray detection across accounts
- Account lockout with configurable thresholds (attempts, window, duration)
- Login path auto-detection (
/login,/auth,/signin)
| Tool | Integration |
|---|---|
| Prometheus | Metrics endpoint on configurable port/path (requests, latency, decisions, active connections) |
| Grafana | Pre-built dashboards for overview, security, compliance, ML |
| Elasticsearch | SIEM event export, index templates included |
| Kibana | Dashboard definitions for security events and ML anomalies |
| Splunk | Event export via HTTP event collector |
| Health Probes | /health, /ready, /live endpoints for K8s |
- File upload validation (MIME signatures, extension allow/block lists, magic bytes)
- Response body inspection for data leakage
- Configurable request size limits per endpoint
- HTTP/2 via TLS configuration
- ACME/LetsEncrypt automatic certificate management
- OCSP stapling placeholder
git clone https://github.com/FortressWAF/FortressWAF.git
cd FortressWAF
# Edit config with your upstream
cp deploy/config.yaml config.yaml
# Run
go run ./cmd/proxy -config config.yaml
# Or use Docker
docker compose -f deploy/docker-compose.yml up -dMinimal config:
tls:
enabled: true
cert_file: cert.pem
key_file: key.pem
http2_enabled: true
admin:
port: 8444
api_keys: ["sk-admin"]
sites:
- name: myapp
domains: ["app.example.com"]
upstream: "http://127.0.0.1:3000"
port: 443
waf_enabled: trueFull architecture document: docs/architecture.md
flowchart LR
C[Client] --> T[TLS<br/>HTTP/2 · mTLS]
T --> P[Parse]
P --> A[Auth<br/>JWT · OAuth · CAPTCHA]
A --> PL[Protocol<br/>GraphQL · gRPC · SOAP · WS]
PL --> D[Detection<br/>18 inspectors]
D --> S[Scoring]
S --> F[Forwarder]
F --> O[Origin]
cmd/proxy/ — WAF server entry point
internal/
engine/ — Detection pipeline (18 inspector modules)
api/ — Management REST API
config/ — YAML config with live reload
reputation/ — IP reputation and threat feeds
ratelimit/ — Rate limiting algorithms
session/ — Session tracking
siem/ — SIEM event export
deploy/ — Docker, Ansible, Terraform, Helm, monitoring
docs/ — Documentation
dashboard/ — Web dashboard (Next.js)
ml-engine/ — ML sidecar (Python/FastAPI)
Measured on a laptop (Intel i5-7200U, 2 cores). Server-grade CPUs typically 2-3x faster.
| Setup | Per-core throughput |
|---|---|
| Passthrough (no inspectors) | ~80,000 req/s |
| Single inspector (SQLi/XSS/RCE) | ~5,000,000 inspections/s |
| Full engine (6+ inspectors) | ~2,500 req/s |
| RequestContext creation | ~80,000 ctx/s |
Full benchmark: benchmark.txt
Latency overhead per request: ~400μs average with full engine on laptop hardware.
| Document | Contents |
|---|---|
| Getting Started | Installation and first config |
| Architecture | Pipeline details and deployment modes |
| Configuration | Full YAML reference |
| Rule Language | Rule DSL syntax |
| API Reference | REST API docs |
| Deployment | Docker, K8s, cloud |
| Compliance | PCI-DSS, SOC2, GDPR references |
| Troubleshooting | Common issues |
| Repository | Description |
|---|---|
| fortressctl | CLI tool for managing FortressWAF instances |
| fortresshoneypot | Low-interaction HTTP/SSH honeypot |
AGPL-3.0