8 comments

[ 2.7 ms ] story [ 15.3 ms ] thread
Saw this pop up on my Twitter feed. I'm not entirely sure where the "core" code lives -- website says OSS but I can't seem to find the core on GitHub. But perhaps it's just early and the core's not OSS yet, or somehow obtainable another way rn. Regardless, I thought I'd share anyways since I found it interesting and perhaps somebody else knows more about the project than I do. I'm currently using Fastly's WAF (prev. sigsci), but an OSS WAF solution would be neat to see.
At a glance, this looks like something you could pretty trivially re-implement without the web UI. It's not terribly hard to write middleware to reject requests based on things like IP address, especially if your rules don't require state (like rate limiting per IP instead of just flat dropping based on IP).

I do think it must either be early or abandoned; the NodeJS installation instructions are just an empty page.

Hey - Mike (Wafris cofounder here)

To your questions: there's an OSS core in that you can use the firewall itself without a connection to Wafris Hub.

We're in a transition where we're moving from our v1 (which required Redis) to a v2 on all clients (which uses locally replicated SQLite) and the docs and clients are in different states.

Some what's driving this is:

1. Solutions like Fastly + Cloudflare are out there, but there's still way too many sites without any "default" type protection.

2. It remains a big issue to try and sync and scale these types of systems if implemented within a framework.

3. It's easy to find stuff to block (look in your logs and it's all sorts of dumb attacks, scrapers, bots, etc.) but much harder to close the loop on discovering what to block. This is really "Wafris Hub" (the web gui) that tries to close the loop on this.

Would love more feedback, either here or mike@wafris.org

Ah, I see. So the clients themselves house the OSS "core" code, implemented in each respective language? Then Wafris the company provides Wafris Hub, which sets rules that those clients enforce? e.g. this is the Ruby "core"? https://github.com/Wafris/wafris-rb/blob/main/lib/wafris.rb#...

Is my understanding correct?

Yeah, so in that v2 Ruby/Rails client if you'd rather not use Hub you can do things like push 50,000 IPs into the SQLite DB and then distribute that along with your app (or distribute the db however makes sense for your deployment).
Is there support for using ingress-nginx in kubernetes?

Also is there a list of supported servers/software? I clicked on a few links from the home page and they took me to a page asking for an e-mail to be notified when they're available in the future.

Does the free plan even allow blocking anything? All the Pricing page says is "IP Investigation" for the free/oss plan, leading me to assume most features are behind a paywall?

So free and open source costs $249 a month?