A modern, cloud-native Web Application Firewall (WAF) designed for Kubernetes environments. KWAF provides enterprise-grade security features with high performance, scalability, and ease of management.
- Web Application Firewall: Advanced request filtering and threat detection
- API Security: Comprehensive API protection with OpenAPI validation, JWT/OAuth support
- DDoS Protection: Multi-layered DDoS mitigation with adaptive algorithms
- Rate Limiting: Flexible rate limiting with multiple algorithms
- Rule Engine: Powerful rule-based security policy engine
- Geo-blocking: Geographic access control
- Bot Detection: Advanced bot detection and mitigation
- OpenAPI Validation: Automatic API schema validation
- JWT & OAuth: Token-based authentication and authorization
- API Key Management: Secure API key validation and management
- GraphQL Security: GraphQL-specific threat detection and validation
- API Versioning: Multi-version API support and management
- Web Admin Panel: Modern React-based management interface
- Real-time Metrics: Comprehensive monitoring and alerting
- Multi-tenancy: Enterprise-grade tenant isolation
- Observability: Distributed tracing and structured logging
- Exception Management: Fine-grained exception handling
- Control Plane: Centralized policy management and configuration
- Data Plane: High-performance request processing engine
- CLI Management: Command-line tool for automation and DevOps
- Cloud-native: Kubernetes-first design with Helm charts
- Go: 1.25 or higher
- Kubernetes: 1.24 or higher (for production deployment)
- PostgreSQL: 12 or higher (for persistent storage)
- Redis: 6 or higher (for caching and rate limiting)
```bash
git clone https://github.com/kwaf-project/kwaf.git
cd kwaf
# Start all components
docker-compose up -d
# Access admin panel
open http://localhost:8080
```

```bash
# Download latest release
curl -L https://github.com/kwaf-project/kwaf/releases/latest/download/kwaf-linux-amd64.tar.gz | tar xz
# Install components
sudo mv kwaf* /usr/local/bin/
# Start control plane
kwafcp --config config/controlplane.yaml
# Start data plane
kwafd --config config/dataplane.yaml
```

```bash
git clone https://github.com/kwaf-project/kwaf.git
cd kwaf
# Build all components
make build
# Run tests
make test
# Build Docker images
make docker-build
```
The control plane (kwafcp) is a centralized management server responsible for:
- Policy configuration and distribution
- Rule management and compilation
- Multi-tenant administration
- Metrics collection and aggregation
The data plane (kwafd) is a high-performance proxy server that:
- Processes HTTP/HTTPS requests
- Applies security policies in real-time
- Enforces rate limits and access controls
- Provides DDoS protection
kwafctl is the command-line interface for:
- Configuration management
- Policy deployment
- Monitoring and troubleshooting
- Automation and CI/CD integration
The admin panel is a modern web interface featuring:
- Real-time dashboard and metrics
- Policy management interface
- User and tenant administration
- Security event visualization
```
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Admin Panel   │    │     kwafctl     │    │  External APIs  │
│  (Web UI/API)   │    │   (CLI Tool)    │    │  (Monitoring)   │
└─────────┬───────┘    └─────────┬───────┘    └─────────┬───────┘
          │                      │                      │
          └──────────────────────┼──────────────────────┘
                                 │
                   ┌─────────────▼───────────┐
                   │      KWAF Control       │
                   │          Plane          │
                   │        (kwafcp)         │
                   └─────────────┬───────────┘
                                 │ gRPC
                     ┌───────────┴───────────┐
                     │                       │
           ┌─────────▼──────┐         ┌──────▼──────────┐
           │   KWAF Data    │         │    KWAF Data    │
           │ Plane (kwafd)  │         │  Plane (kwafd)  │
           └─────────┬──────┘         └──────┬──────────┘
                     │                       │
           ┌─────────▼──────┐         ┌──────▼──────────┐
           │  Application   │         │   Application   │
           │    Services    │         │    Services     │
           └────────────────┘         └─────────────────┘
```
```yaml
# config/controlplane.yaml
server:
  host: "0.0.0.0"
  port: 8090
  tls:
    enabled: true
    cert_file: "/path/to/cert.pem"
    key_file: "/path/to/key.pem"
database:
  host: "localhost"
  port: 5432
  database: "kwaf"
  username: "kwaf"
  # Placeholder value; replace it before deploying
  password: "secure_password"
storage:
  type: "postgres"
  max_connections: 100
```
```yaml
# config/dataplane.yaml
server:
  host: "0.0.0.0"
  port: 8080
  admin_port: 8081
controlplane:
  address: "kwafcp:8090"
  tls:
    enabled: true
    ca_file: "/path/to/ca.pem"
upstream:
  default_backend: "http://app:3000"
  timeout: "30s"
  retries: 3
```
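A pre-deployment check for the two config files above, as an added example (not KWAF's own code): it flattens the YAML subset they use into dotted keys and flags settings that this example assumes are risky, namely a `tls.enabled` that is not `true`, a control-plane link without `ca_file`, and the placeholder `database.password`. The function names `flatten` and `audit` and the sample input are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// flatten turns the nested key/value YAML subset used by the configs above into
// dotted paths. Assumes two-space indentation, no lists or multi-line scalars.
func flatten(doc string) map[string]string {
	out, stack := map[string]string{}, []string{}
	for _, line := range strings.Split(doc, "\n") {
		body := strings.TrimLeft(line, " ")
		key, val, ok := strings.Cut(body, ":")
		depth := (len(line) - len(body)) / 2
		if !ok || strings.HasPrefix(body, "#") || depth > len(stack) {
			continue // blank line, comment, or indentation this subset cannot place
		}
		stack = append(stack[:depth], strings.TrimSpace(key))
		if val = strings.Trim(strings.TrimSpace(val), `"`); val != "" {
			out[strings.Join(stack, ".")] = val
		}
	}
	return out
}

// audit lists settings this example treats as risky. The rules are the
// example's own assumptions, not documented KWAF behaviour.
func audit(cfg map[string]string) []string {
	var f []string
	add := func(bad bool, msg string) {
		if bad {
			f = append(f, msg)
		}
	}
	srvTLS, hasSrvTLS := cfg["server.tls.enabled"]
	_, hasCP := cfg["controlplane.address"] // present only in dataplane.yaml
	add(hasSrvTLS && srvTLS != "true", "server.tls.enabled is not true")
	add(hasCP && cfg["controlplane.tls.enabled"] != "true", "controlplane.tls.enabled is not true")
	add(hasCP && cfg["controlplane.tls.ca_file"] == "", "controlplane.tls.ca_file is unset")
	add(cfg["database.password"] == "secure_password", "database.password is the README placeholder")
	return f
}

// Constructed sample: a data plane config with its TLS block weakened.
const weakDataplane = "server:\n  port: 8080\ncontrolplane:\n  address: \"kwafcp:8090\"\n  tls:\n    enabled: false\n"

func main() {
	fmt.Println(strings.Join(audit(flatten(weakDataplane)), "\n"))
}
```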
- Installation Guide
- Configuration Reference
- API Documentation
- Rule Development
- Kubernetes Deployment
- Performance Tuning
We welcome contributions! Please see our Contributing Guide for details.
For development setup, building from source, and contribution guidelines, see our Contributing Guide.
- Report Bugs
- Request Features
- Community Discussions
- Security Issues
KWAF is designed for high performance:
- Throughput: 100K+ requests/second per data plane instance
- Latency: <10ms additional latency in proxy mode
- Memory: <100MB base memory footprint
- CPU: Minimal CPU overhead with optimized rule engine
See our Performance Documentation for detailed benchmarks.
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
- The OWASP ModSecurity Core Rule Set project
- The Envoy Proxy community for architecture inspiration
- The CNCF ecosystem for cloud-native best practices
If you find KWAF useful, please give us a star on GitHub! It helps us understand the community interest and motivates continued development.