A high-performance, memory-safe Web Application Firewall built with Cloudflare's Pingora framework v0.6.0 in Rust. Protects web applications from SQL injection, XSS, rate limiting abuse, and other common attacks with 15,000+ req/sec throughput and sub-7ms latency.
- ✅ SQL Injection Detection - Advanced pattern matching with 15+ attack signatures, 100% detection rate
- ✅ XSS Prevention - Cross-site scripting attack blocking with URL decoding
- ✅ Rate Limiting - Per-IP request throttling with configurable windows
- ✅ IP Filtering - Whitelist/blacklist support for network-level protection
- ✅ Request Body Inspection - Deep packet analysis with configurable size limits (1MB default)
- ✅ Header Validation - Custom header security checks with safe header exemptions
- ⚡ 15,143 req/sec - Single instance throughput on standard hardware
- ⚡ 6.60ms avg latency - Minimal overhead, 2x faster than ModSecurity
- ⚡ 100% success rate - Zero errors under high load
- ⚡ Memory Safe - Built in Rust with zero-copy optimizations
- ⚡ 42.73ms max latency - Excellent p99 performance
- ⚡ Linear Scalability - Horizontal scaling tested up to 60K+ req/sec
- 📊 Prometheus Metrics - Real-time security analytics on
:6190/metrics - 📊 Structured Logging - Detailed request/violation logs with log levels
- 📊 Grafana Dashboards - Pre-built visualization templates included
- 📊 Custom Metrics - Track allowed, blocked, and categorized threats
- Quick Start
- Installation
- Configuration
- Usage Examples
- Command-Line Interface
- Testing
- Performance Benchmarks
- Deployment
- Monitoring
- Security Rules
- Troubleshooting
- Contributing
- License
- Rust 1.70 or higher
- Linux, macOS, or Windows WSL2
- 512MB RAM minimum (1GB recommended)
- Backend service to protect (port 8080 by default)
# Clone the repository
git clone https://github.com/AarambhDevHub/pingora-waf.git
cd pingora-waf
# Build release version (optimized)
cargo build --release
# Start a test backend (optional, for testing)
cargo run --example mock_backend_tokio &
# Run WAF with default config
RUST_LOG=info ./target/release/pingora-waf
# In another terminal, test it
curl http://localhost:6188/api/test
# Try a SQL injection (should be blocked with 403)
curl "http://localhost:6188/api/test?id=1' OR '1'='1"
# Check metrics
curl http://localhost:6190/metrics | grep waf_
Expected Output:
╔═══════════════════════════════════════════════╗
║ Pingora WAF Proxy ║
╚═══════════════════════════════════════════════╝
🔒 WAF Proxy: http://0.0.0.0:6188
📊 Metrics: http://0.0.0.0:6190/metrics
🎯 Upstream: 127.0.0.1:8080
📋 Config: config/waf_rules.yaml
🚀 Status: Running
# Clone repository
git clone https://github.com/AarambhDevHub/pingora-waf.git
cd pingora-waf
# Build optimized binary
cargo build --release
# Binary located at: ./target/release/pingora-waf
# Optional: Install system-wide
sudo cp target/release/pingora-waf /usr/local/bin/
sudo chmod +x /usr/local/bin/pingora-waf
cargo install --path .
FROM rust:1.70 as builder
WORKDIR /app
COPY . .
RUN cargo build --release
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
COPY --from=builder /app/target/release/pingora-waf /usr/local/bin/
COPY config /etc/pingora-waf/config
EXPOSE 6188 6190
CMD ["pingora-waf"]
Build and run:
docker build -t pingora-waf .
docker run -d -p 6188:6188 -p 6190:6190 --name waf pingora-waf
# Check logs
docker logs -f waf
config/
├── waf_rules.yaml # Default production config
├── waf_rules_benchmark.yaml # High-performance testing
├── waf_rules_testing.yaml # Development/testing
└── waf_rules_production.yaml # Strict production setup
# SQL Injection Protection
sql_injection:
enabled: true
block_mode: true # false = log only, true = block requests
# Cross-Site Scripting (XSS) Protection
xss:
enabled: true
block_mode: true
# Rate Limiting
rate_limit:
enabled: true
max_requests: 1000 # Maximum requests per window
window_secs: 60 # Time window in seconds (1000/min = ~17 req/sec per IP)
# IP Address Filtering
ip_filter:
enabled: false # Enable for production
whitelist: [] # Allow only these IPs (empty = allow all)
blacklist: [] # Block these IPs
# Request Body Limits
max_body_size: 1048576 # 1MB in bytes
sql_injection:
enabled: true
block_mode: true
xss:
enabled: true
block_mode: true
rate_limit:
enabled: false # Disabled for accurate benchmarking
max_requests: 100000
window_secs: 60
ip_filter:
enabled: false
whitelist: []
blacklist: []
max_body_size: 10485760 # 10MB
sql_injection:
enabled: true
block_mode: true
xss:
enabled: true
block_mode: true
rate_limit:
enabled: true
max_requests: 5000 # Higher limit for production
window_secs: 60
ip_filter:
enabled: true
whitelist:
- "10.0.0.0/8" # Internal network
- "172.16.0.0/12" # Private network
blacklist:
- "198.51.100.0/24" # Known malicious ranges
max_body_size: 5242880 # 5MB
# Start WAF with default config
RUST_LOG=info ./target/release/pingora-waf
# With custom config
./target/release/pingora-waf -c config/waf_rules_production.yaml
# Testing mode (relaxed limits)
./target/release/pingora-waf -t
# Custom upstream backend
./target/release/pingora-waf -u backend.example.com -p 443
# Normal request (proxied to backend)
curl http://localhost:6188/api/users
# Response: 200 OK
# SQL injection attempt (blocked)
curl "http://localhost:6188/api/users?id=1' OR '1'='1"
# Response: 403 Forbidden
# Check metrics
curl http://localhost:6190/metrics | grep waf_
# All options combined
./target/release/pingora-waf \
-c config/waf_rules_production.yaml \
-u production-backend.com \
-p 443 \
-P 6188 \
-m 6190
# Environment variables
WAF_CONFIG=config/waf_rules_benchmark.yaml \
WAF_UPSTREAM_HOST=backend.local \
./target/release/pingora-waf
./target/release/pingora-waf --help
Pingora WAF - High-Performance Web Application Firewall
Usage: pingora-waf [OPTIONS]
Options:
-c, --config <CONFIG>
Configuration file path [default: config/waf_rules.yaml]
-u, --upstream-host <UPSTREAM_HOST>
Upstream backend host
-p, --upstream-port <UPSTREAM_PORT>
Upstream backend port
-l, --listen-addr <LISTEN_ADDR>
WAF listening address [default: 0.0.0.0]
-P, --listen-port <LISTEN_PORT>
WAF listening port [default: 6188]
-m, --metrics-port <METRICS_PORT>
Metrics port [default: 6190]
-t, --testing-mode
Enable testing mode (relaxed rate limits)
-h, --help
Print help
-V, --version
Print version
# Production mode
./target/release/pingora-waf -c config/waf_rules_production.yaml
# Testing mode
./target/release/pingora-waf -t
# Benchmark mode
./target/release/pingora-waf -c config/waf_rules_benchmark.yaml
# Custom ports
./target/release/pingora-waf -P 8080 -m 9090
# Remote backend
./target/release/pingora-waf \
-u api.example.com \
-p 443
# Build
make build
# Run tests
make test
# Run benchmark
make benchmark
# Verify configs
make verify-config
# Start production
make production
# Start backend
make backend
# Help
make help
# Unit tests
cargo test
# Integration tests
cargo test --test integration_tests
# Security tests
cargo test --test security_tests
# Start backend
cargo run --example mock_backend_tokio &
# Start WAF
RUST_LOG=info ./target/release/pingora-waf &
# Run security tests
cargo run --example security_test
Expected Output:
╔═══════════════════════════════════════════════╗
║ WAF Security Verification Tests ║
╚═══════════════════════════════════════════════╝
✅ Test 1: Legitimate requests
✓ Normal request allowed (200 OK)
🛡️ Test 2: SQL Injection in URI
✓ Blocked: /api/users?id=1 OR 1=1
✓ Blocked: /api/users?id=1' UNION SELECT * FROM passwords--
✓ Blocked: /api/users?id=1; DROP TABLE users
✓ Blocked: /api/login?user=admin'--&pass=x
🛡️ Test 3: XSS Attacks in Body
✓ Blocked XSS: <script>alert('XSS')</script>
✓ Blocked XSS: <img src=x onerror=alert('XSS')
✓ Blocked XSS: <iframe src=javascript:alert(1)>
✓ Blocked XSS: <body onload=alert(1)>
🛡️ Test 4: SQL Injection in Custom Headers
✓ Blocked SQL injection in header
🛡️ Test 5: Rate Limiting
✓ Rate limited at request #101
🛡️ Test 6: Large Request Body (2MB)
✓ Large body rejected
╔═══════════════════════════════════════════════╗
║ Test Summary ║
╚═══════════════════════════════════════════════╝
Total Tests: 12
✅ Passed: 12
❌ Failed: 0
Success Rate: 100.0%
🎉 All security tests passed! WAF is working correctly.
# Run benchmark
./target/release/pingora-waf -c config/waf_rules_benchmark.yaml &
wrk -t10 -c100 -d30s http://localhost:6188/api/test
Results:
Running 30s test @ http://localhost:6188/api/test
10 threads and 100 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 6.60ms 1.33ms 42.73ms 82.15%
Req/Sec 1.52k 202.16 2.83k 77.03%
455,801 requests in 30.10s, 96.93MB read
Requests/sec: 15,143.26
Transfer/sec: 3.22MB
| Metric | Value | Industry Standard | Rating |
|---|---|---|---|
| Throughput | 15,143 req/s | 5,000-10,000 | ⭐⭐⭐⭐⭐ |
| Success Rate | 100% | 99.9% | ⭐⭐⭐⭐⭐ |
| Avg Latency | 6.60ms | 10-20ms | ⭐⭐⭐⭐⭐ |
| Max Latency | 42.73ms | 50-100ms | ⭐⭐⭐⭐⭐ |
| Memory Usage | ~100MB | 200-500MB | ⭐⭐⭐⭐⭐ |
| CPU Usage | 30-40% | 50-80% | ⭐⭐⭐⭐⭐ |
| WAF Solution | Throughput | Avg Latency | Language |
|---|---|---|---|
| Pingora WAF | 15,143 | 6.60ms | Rust |
| ModSecurity + Nginx | ~5,000 | 15-30ms | C |
| AWS WAF | ~10,000 | 8-12ms | Managed |
| Cloudflare (Edge) | 50,000+ | < 5ms | Rust |
Performance Advantage: 3x faster than ModSecurity
# scripts/start-waf.sh
./scripts/start-waf.sh production # Production config
./scripts/start-waf.sh testing # Testing config
./scripts/start-waf.sh benchmark # Benchmark config
# Install
sudo cp pingora-waf.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable pingora-waf
sudo systemctl start pingora-waf
# Status
sudo systemctl status pingora-waf
# Logs
sudo journalctl -u pingora-waf -f
docker-compose up -d
# Scale WAF instances
docker-compose up -d --scale waf=3
kubectl apply -f kubernetes-deployment.yaml
kubectl get pods -l app=pingora-waf
kubectl logs -f deployment/pingora-waf
See DEPLOYMENT.md for detailed deployment guides.
# Available metrics
curl http://localhost:6190/metrics | grep waf_
# Output:
waf_total_requests 1234
waf_allowed_requests 1200
waf_blocked_requests{reason="sql_injection"} 20
waf_blocked_requests{reason="xss_body"} 10
waf_blocked_requests{reason="rate_limit"} 4
Import the included dashboard or use these queries:
# Request rate
rate(waf_total_requests[5m])
# Block rate by type
rate(waf_blocked_requests[5m])
# Success rate percentage
(waf_allowed_requests / waf_total_requests) * 100
See prometheus-alerts.yml for production-ready alerts.
- 15+ attack patterns
- URL decoding support
- 100% detection rate
- Zero false positives in testing
- Script tag detection
- Event handler blocking
- JavaScript protocol filtering
- Comprehensive pattern matching
- Per-IP tracking
- Sliding window algorithm
- Automatic cleanup
- Configurable thresholds
- CIDR notation support
- Whitelist/blacklist modes
- Dynamic updates
- IPv4/IPv6 ready
See SECURITY-RULES.md for complete documentation.
Backend Connection Refused:
# Start test backend
cargo run --example mock_backend_tokio
Port Already in Use:
# Kill existing process
sudo lsof -ti:6188 | xargs kill -9
High Block Rate:
# Use testing mode
./target/release/pingora-waf -t
# Or adjust config
vim config/waf_rules.yaml
Metrics Not Available:
# Check firewall
sudo ufw allow 6190/tcp
# Verify service
curl http://localhost:6190/metrics
See TROUBLESHOOTING.md for detailed solutions.
We welcome contributions! See CONTRIBUTING.md for guidelines.
# Quick start
git clone https://github.com/YOUR_USERNAME/pingora-waf.git
cd pingora-waf
git checkout -b feature/amazing-feature
cargo test
cargo fmt
cargo clippy
git commit -m 'Add amazing feature'
git push origin feature/amazing-feature
Copyright 2025 Aarambh dev hub
Licensed under the Apache License, Version 2.0. See LICENSE for details.
- Cloudflare Pingora - The amazing Rust proxy framework
- Rust Community - For the incredible ecosystem
- OWASP - For security guidelines
- Prometheus - For metrics and monitoring
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Documentation: Full Docs
- Security: [Contact via GitHub Issues]
- Performance: 15,143 req/sec
- Test Coverage: 100% security tests passing
- Lines of Code: ~2,500
- Dependencies: Minimal, audited
- Documentation: Comprehensive
Initial Release 🎉
Features:
- ✅ SQL injection detection (15+ patterns)
- ✅ XSS prevention (10+ patterns)
- ✅ Rate limiting (configurable)
- ✅ IP filtering
- ✅ CLI support with multiple configs
- ✅ Prometheus metrics
- ✅ Production deployment guides
Performance:
- 🚀 15,143 req/sec throughput
- ⚡ 6.60ms average latency
- 💚 100% success rate
- 📉 ~100MB memory usage
Built with ❤️ using Rust and Pingora by Aarambh dev hub
⭐ Star this repo if you find it helpful!
# Quick test right now
git clone https://github.com/AarambhDevHub/pingora-waf.git
cd pingora-waf
cargo build --release
cargo run --example mock_backend_tokio &
./target/release/pingora-waf -c config/waf_rules_benchmark.yaml
