High-performance lightweight WAF — 60,000 QPS aggregate, 5,000 QPS per core, millisecond latency, <300MB RAM.
FOXWAF is an open-source Web Application Firewall (WAF) written in Go, with a built-in Go reverse proxy and load balancer that serves as a lightweight drop-in alternative to Nginx + ModSecurity. It uses an Aho-Corasick automaton to match OWASP Top 10 rulesets and block SQL injection, XSS, RCE, file inclusion, and SSRF, while providing CC/DDoS protection, ShangMi (SM2/SM3/SM4) cryptography, HTTP/3 (QUIC), and full hot-reload of configuration, rules, and certificates.
12 enterprise-grade security capabilities
Covers SQL injection, XSS, RCE, file inclusion, SSRF and the full OWASP Top 10 threat surface
Aho-Corasick multi-pattern matching, 5 position-specific Trie trees, millisecond full-ruleset scan
256-shard lock-free counters, sliding window detection + JS challenge human verification
Smart detection of malicious crawlers and automation: User-Agent blacklist + behavior analysis + DevTools anti-debug
No Nginx required - native Go implementation with round-robin / weighted load balancing and WebSocket pass-through
Configurations, rules and certificates all hot-reloadable without restart - zero downtime
Dynamic SNI certificate loading, per-domain isolated certificate management, automatic HTTPS redirect
Go-Plugin based extension mechanism, supporting custom security logic, request rewriting and audit logging
Built-in Web UI - live attack logs, traffic stats, rule management and site configuration in one place
Official Docker images, one-command docker-compose launch, cloud-native ready
Lightweight container image, one-click deploy and run, no external dependencies, ready out of the box
Multi-site configuration in a single instance, isolated rules and policies, unified management entry
Real-world benchmark results
8-stage request processing pipeline
1. Health checks and static-asset fast pass-through
2. Match the target site configuration based on the Host header
3. IP/CIDR allow/deny lists + GeoIP control
4. Sliding-window rate limiting + JS Challenge
5. User-Agent blacklist matching, blocks malicious clients
6. URL decoding & Unicode normalization to defeat encoding evasion
7. AC automaton full-ruleset scan + precise regex matching
8. Load-balanced forwarding to upstream + optional static caching
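Stages 6 and 7 are where the per-request scan cost is decided. As an added illustration (example code, not FOXWAF's engine), the Go program below is a minimal Aho-Corasick matcher of the kind stage 7 describes: the rule tokens are compiled once into a trie with failure links, and an input that stage 6 has already percent-decoded and case-folded is walked exactly once, however many rules are loaded. The pattern strings and inputs are constructed for the example.

```go
package main

type Matcher struct {
	next []map[byte]int // trie edges; state 0 is the root and never a child, so a missing key (0) means "no edge"
	fail []int          // longest proper suffix of a state that is also a trie path
	out  [][]string     // patterns ending at a state, including those reached via fail links
}

func NewMatcher(patterns []string) *Matcher {
	m := &Matcher{next: []map[byte]int{{}}, fail: []int{0}, out: [][]string{nil}}
	for _, p := range patterns { // 1. insert every pattern into the trie
		s := 0
		for i := 0; i < len(p); i++ {
			if m.next[s][p[i]] == 0 {
				m.next, m.fail, m.out = append(m.next, map[byte]int{}), append(m.fail, 0), append(m.out, nil)
				m.next[s][p[i]] = len(m.next) - 1
			}
			s = m.next[s][p[i]]
		}
		m.out[s] = append(m.out[s], p)
	}
	queue := []int{0} // 2. breadth-first pass: failure links, plus outputs inherited through them
	for i := 0; i < len(queue); i++ { // the queue grows while we walk it
		for c, v := range m.next[queue[i]] {
			f := m.fail[queue[i]]
			for f != 0 && m.next[f][c] == 0 {
				f = m.fail[f]
			}
			if m.fail[v] = m.next[f][c]; m.fail[v] == v { // a root child has no proper suffix
				m.fail[v] = 0
			}
			m.out[v] = append(m.out[v], m.out[m.fail[v]]...)
			queue = append(queue, v)
		}
	}
	return m
}

// Scan walks the already decoded and normalized text once and returns every rule token that occurs.
func (m *Matcher) Scan(text string) []string {
	hits, s := []string{}, 0
	for i := 0; i < len(text); i++ {
		for s != 0 && m.next[s][text[i]] == 0 {
			s = m.fail[s] // follow suffix links until a state can consume text[i]
		}
		s = m.next[s][text[i]]
		hits = append(hits, m.out[s]...)
	}
	return hits
}
```

Because "select" is a suffix of "union select", the longer hit reports both tokens in one pass; that inherited-output step is what makes a single scan equivalent to testing every rule.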
A side-by-side comparison so you can decide whether FOXWAF fits your stack.
| Dimension | FOXWAF | Nginx + ModSecurity | OpenResty + lua-resty-waf |
|---|---|---|---|
| Deployment | Single Go binary, reverse proxy + WAF in one process | Nginx + dynamic ModSecurity module + Apache config | Nginx + LuaJIT runtime + Lua module zoo |
| Performance | ~5,000 QPS | ~1,200 QPS (all rules on) | ~3,000 QPS |
| Memory footprint | < 300 MB | ~ 200 MB | ~ 350 MB |
| Rule engine | Aho-Corasick automaton, single-pass multi-pattern | Sequential PCRE regex per rule | Lua-driven, per-rule regex with token cache |
| Configuration | Web console + REST API, save = live | nginx.conf + .conf includes, reload required | nginx.conf + Lua scripts, reload required |
| Hot reload | Rules / certs / config – RCU style, zero downtime | nginx -s reload (graceful, but resets connections) | Lua hot-reload supported, Nginx config still needs reload |
| HTTP/3 (QUIC) | Native, toggle in console | Experimental, requires custom build | Experimental, requires custom build |
| ShangMi (SM2/SM3/SM4) | Built-in, dual-cert with RSA/ECDSA | Requires Tongsuo / BabaSSL custom build | Requires Tongsuo / BabaSSL custom build |
| OWASP CRS support | Bundled, one-click toggle | Official OWASP CRS supported | Community ports of CRS available |
| Learning curve | GUI-driven, 5 minutes to first site | Steep – Apache-style SecRule DSL | Steep – Lua + Nginx internals |
| Open source | CLI / docs / rule sets open; engine commercial | Apache 2.0 (engine + Nginx connector) | BSD-style (LuaJIT + ngx_lua) |
| Best fit | Teams that want WAF + reverse proxy + console in one box, with Chinese compliance | Teams already standardized on Nginx with strong DevOps | Teams comfortable in Lua, building bespoke rules |
QPS numbers measured with wrk -c200 -t8 against an OWASP CRS Level 2 baseline on the same 4-core test host. See the architecture section for raw reports.
Pick the plan that fits you
Official Notices
Product notices, security advisories, and operational updates from the FOXWAF team.
Continuous iteration, constant evolution
Answers to questions we get every week
FOXWAF is an open-source Go WAF (Web Application Firewall) with a built-in Go reverse proxy — a lightweight drop-in alternative to Nginx + ModSecurity. It blocks OWASP Top 10 attacks (SQL injection, XSS, RCE, file inclusion, SSRF) and provides CC/DDoS protection, ShangMi (SM2/SM3/SM4) cryptography, HTTP/3 (QUIC), and full hot-reload of configuration, rules and certificates.
FOXWAF is a single-process solution that combines a reverse proxy and a WAF engine in one Go binary, replacing the traditional Nginx + ModSecurity two-tier stack. Rule matching uses an Aho-Corasick automaton instead of ModSecurity's sequential regex evaluation, delivering several times the throughput. Configuration, rules and certificates are all hot-reloaded via the Web console or API with no Nginx reload required. HTTP/3 (QUIC) and ShangMi (SM2/SM3/SM4) cryptography are supported natively without recompiling third-party modules.
The Personal edition is free and includes the WAF rule engine, reverse proxy, SSL management and Docker deployment, suitable for individual developers and small projects. The Pro edition adds CC/DDoS protection, advanced site features, plugin system, custom rules, ShangMi (SM) cryptography, and HTTP/3 (QUIC), suitable for enterprise-grade production environments.
Yes. FOXWAF officially recommends a one-click installation script that deploys via Docker Compose, ready in 5 minutes. Linux amd64 / arm64 with Docker >= 20.10 is required.
On the Pro edition, upload an SM2 certificate and its private key under Site configuration; FOXWAF automatically negotiates SM-TLS and enables SM3 hashing and SM4 symmetric encryption for capable clients. The Personal edition supports only ECDSA / RSA. SM2 certificates may coexist with conventional RSA / ECDSA certificates on the same site, and the appropriate one is selected automatically based on client capability.
The Pro edition supports HTTP/3 over QUIC natively. After enabling HTTP/3 in Site configuration, FOXWAF listens on UDP at the same port and advertises the upgrade via the Alt-Svc response header. A host kernel >= 5.4 is recommended for optimal UDP socket performance.
Yes. FOXWAF's built-in reverse proxy natively supports HTTP/1.1 Upgrade to WebSocket as well as HTTP/2 and gRPC bidirectional streams. No special configuration is required: when the proxy detects an `Upgrade: websocket` header or a `Content-Type: application/grpc`, it automatically switches to streaming forwarding without buffering the full request body.
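As an added example (not the FOXWAF proxy's code), this Go helper shows what a correct version of that header check has to handle: `Connection` and `Upgrade` are comma-separated token lists that may be split across several header lines and are compared case-insensitively, a WebSocket upgrade is only real when `Connection` also lists `upgrade`, and gRPC content types may carry a subtype suffix such as `application/grpc+proto` plus parameters. The header values in the comments are constructed.

```go
package main

import (
	"mime"
	"net/http"
	"strings"
)

// hasToken reports whether any of the header's values (a header may arrive as several
// lines, each a comma-separated list) contains token, compared case-insensitively.
func hasToken(values []string, token string) bool {
	for _, v := range values {
		for _, part := range strings.Split(v, ",") {
			if strings.EqualFold(strings.TrimSpace(part), token) {
				return true
			}
		}
	}
	return false
}

// NeedsStreaming decides whether a request must be forwarded as a stream instead of
// being buffered: a WebSocket upgrade (Connection lists "upgrade" AND Upgrade lists
// "websocket") or a gRPC body (application/grpc or a subtype such as application/grpc+proto).
func NeedsStreaming(h http.Header) bool {
	if hasToken(h.Values("Connection"), "upgrade") && hasToken(h.Values("Upgrade"), "websocket") {
		return true
	}
	// ParseMediaType lowercases the type and strips parameters such as "; charset=utf-8".
	mediaType, _, err := mime.ParseMediaType(h.Get("Content-Type"))
	if err != nil {
		return false // absent or malformed Content-Type: buffer as usual
	}
	return mediaType == "application/grpc" || strings.HasPrefix(mediaType, "application/grpc+")
}
```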
No. All FOXWAF configuration (sites, upstreams, certificates, rule sets, mirror sources, CC/Bot thresholds) takes effect immediately on save through the console or API. The runtime uses RCU-style double-buffer switching: new requests use the new configuration while in-flight requests continue with the old configuration to completion, ensuring zero downtime. Rule tries are rebuilt and swapped atomically, and certificate / SNI routing tables are replaced as read-only maps.
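To make the RCU-style swap concrete, here is an added Go sketch (not FOXWAF's code) of the pattern: the live configuration is an immutable snapshot behind an atomic pointer, a request loads that pointer once on entry and keeps it for its whole lifetime, and a reload validates a freshly built snapshot before publishing it with one swap. The config fields, the client address 203.0.113.7 and the upstream addresses are constructed for the example; `atomic.Pointer` needs Go 1.19 or later.

```go
package main

import (
	"errors"
	"fmt"
	"sync/atomic"
)

// Config is an immutable snapshot: a reload builds a new one and publishes it with one pointer swap, so no reader sees a half-updated table.
type Config struct {
	Version   int
	Upstreams []string
	DenyIPs   map[string]bool // never written after publication
}

// Runtime holds the live snapshot; atomic.Pointer gives lock-free reads (Go >= 1.19).
type Runtime struct{ live atomic.Pointer[Config] }

// Publish validates a candidate, then installs it with one swap. A rejected candidate
// never touches the live snapshot, so a bad save cannot take the proxy down with it.
func (r *Runtime) Publish(c *Config) error {
	if len(c.Upstreams) == 0 {
		return errors.New("refusing to publish: no upstreams configured")
	}
	r.live.Store(c)
	return nil
}

// Begin is called once when a request enters. The snapshot it returns is the only
// configuration that request will ever consult, even if a reload happens meanwhile.
func (r *Runtime) Begin() *Config { return r.live.Load() }

// Route is a decision made against a pinned snapshot, possibly long after Begin.
func Route(cfg *Config, clientIP string) string {
	if cfg.DenyIPs[clientIP] {
		return fmt.Sprintf("blocked by config v%d", cfg.Version)
	}
	return fmt.Sprintf("%s via config v%d", cfg.Upstreams[0], cfg.Version)
}

// demo: a request that entered before the reload is still judged by v1, while the
// next request is judged by v2. Addresses are constructed for the example.
func demo() (inflight, fresh string) {
	rt := &Runtime{}
	rt.live.Store(&Config{Version: 1, Upstreams: []string{"10.0.0.1:8080"}, DenyIPs: map[string]bool{}})
	early := rt.Begin()
	_ = rt.Publish(&Config{Version: 2, Upstreams: []string{"10.0.0.2:8080"}, DenyIPs: map[string]bool{"203.0.113.7": true}})
	late := rt.Begin()
	return Route(early, "203.0.113.7"), Route(late, "203.0.113.7")
}
```

The same shape applies to the rule tries and SNI tables the answer mentions: build the replacement off to the side, then swap the pointer, never edit the structure readers are traversing.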
Run `foxwaf update`. The CLI tries the configured mirrors (GitHub / GitCode / official direct link) in priority order, downloads the latest release, verifies the MD5 checksum, swaps the image and restarts the Docker container. The Web console's Version Management page also lets you upgrade or roll back to a specific version manually; the current configuration and database are automatically backed up to the `backup/` directory before each upgrade.
FOXWAF publishes releases on both GitHub and GitCode. The core protection engine and rulesets are closed-source, while the CLI tooling and documentation are open. Pro features are activated via RSA-signed licenses.