Architecture
FOXWAF performs listening, TLS termination, site matching, security inspection and upstream forwarding in a single process — chained as an 8-layer pipeline, lock-free and zero-copy throughout, sustaining 5,000 QPS per core.
Request Pipeline
Each HTTP request flows through the stages below in order; as soon as a stage blocks, the request is answered immediately and the remaining stages are skipped, so no work is wasted.
- 01 · Routing · Fast-Path Check: Health checks and static-asset fast pass-through skip the full pipeline, hitting and returning directly to save CPU.
- 02 · Routing · Site Matching: Match the site configuration precisely via Host header and SNI; when multiple sites share a port, pick the certificate by SNI.
- 03 · Security · IP / Geo ACL: IP / CIDR allow- and deny-lists, GeoLite2 region access control, configurable per site.
- 04 · Security · CC / Rate Limiting: 256-shard lock-free counters with a sliding window; exceeding the threshold triggers a JS Challenge that lets legitimate clients through.
- 05 · Security · User-Agent Check: User-Agent blacklist matching; allow specific crawlers (Googlebot / Bingbot, etc.) on demand.
- 06 · Security · Bot / Anti-Crawler: Behavioral analysis, TLS fingerprinting and DevTools anti-debug to identify automation tools across multiple dimensions.
- 07 · Core · WAF Rule Matching: 5 position-specific Tries + a single AC-automaton scan; matches are confirmed by a second regex pass. The full rule set runs in milliseconds.
- 08 · Forward · Reverse Proxy: Round-robin / weighted / consistent-hash load balancing; HTTP/1.1, HTTP/2, HTTP/3, WebSocket pass-through; optional static caching.
Why It's Fast
- Pure-Go implementation: goroutines + async IO sustain tens of thousands of concurrent connections in a single process — no PHP-FPM / Lua / OpenResty layers.
- Lock-free design: CC protection uses 256-shard atomic counters; rule hot reload uses RCU-style swapping, the read path holds no lock.
- Zero-allocation matching: AC automaton + buffer reuse — full-ruleset scans never trigger GC on the hot path.
- Built-in reverse proxy: runs in-process with the WAF, avoiding the extra copies and context switches an upstream Nginx would introduce.
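The 256-shard lock-free counter with a sliding window from stages 04 and the "Lock-free design" bullet, as an added Go example (not FOXWAF's own implementation). The slot layout, the FNV key hashing, the slots-per-shard count and the sliding-window weighting formula are assumptions made for the example; the only figure taken from the page is the shard count.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"sync"
	"sync/atomic"
	"time"
)

const (
	numShards     = 256  // the page's shard count
	slotsPerShard = 1024 // assumed; keys hashing to the same slot share a counter
)

// slot is one client's counter. Every field is an atomic, so the read path
// never takes a lock.
type slot struct {
	epoch atomic.Int64 // index of the window the counts belong to
	cur   atomic.Int64 // hits seen so far in the current window
	prev  atomic.Int64 // final hit count of the previous window
}

type shard struct {
	slots [slotsPerShard]slot
}

// Limiter is a sharded, lock-free sliding-window rate limiter.
type Limiter struct {
	shards    [numShards]shard
	window    time.Duration
	threshold int64
}

func NewLimiter(window time.Duration, threshold int64) *Limiter {
	return &Limiter{window: window, threshold: threshold}
}

// slotFor hashes the client key to a shard and then to a slot inside it.
func (l *Limiter) slotFor(key string) *slot {
	h := fnv.New64a()
	h.Write([]byte(key))
	sum := h.Sum64()
	sh := &l.shards[sum%numShards]
	return &sh.slots[(sum/numShards)%slotsPerShard]
}

// Allow records one hit for key at time now and reports whether the
// sliding-window estimate stays within the threshold. The estimate is
// cur + prev * (fraction of the previous window still inside the sliding
// interval), the usual cheap approximation of an exact sliding log.
func (l *Limiter) Allow(key string, now time.Time) bool {
	s := l.slotFor(key)
	win := int64(l.window)
	epoch := now.UnixNano() / win
	for {
		e := s.epoch.Load()
		if e == epoch {
			break
		}
		// Window rolled over: the goroutine that wins the CAS resets the
		// counters. Hits racing with the reset can be lost, which errs on
		// the permissive side for an instant and is acceptable here.
		if s.epoch.CompareAndSwap(e, epoch) {
			if e == epoch-1 {
				s.prev.Store(s.cur.Load())
			} else {
				s.prev.Store(0) // idle for a whole window or more
			}
			s.cur.Store(0)
			break
		}
	}
	cur := s.cur.Add(1)
	elapsed := now.UnixNano() % win
	carry := float64(s.prev.Load()) * (1 - float64(elapsed)/float64(win))
	return float64(cur)+carry <= float64(l.threshold)
}

func main() {
	// 8 goroutines hammer one constructed client key inside a single window.
	l := NewLimiter(time.Second, 100)
	now := time.Now()
	var allowed, blocked atomic.Int64
	var wg sync.WaitGroup
	for g := 0; g < 8; g++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < 50; i++ {
				if l.Allow("198.51.100.7", now) {
					allowed.Add(1)
				} else {
					blocked.Add(1)
				}
			}
		}()
	}
	wg.Wait()
	fmt.Printf("400 hits, threshold 100: allowed=%d blocked=%d\n", allowed.Load(), blocked.Load())
}
```

Passing `now` explicitly keeps the limiter deterministic under test; a production caller would pass `time.Now()`. Because slots are fixed-size arrays of atomics, the hot path allocates nothing and two shards are never touched by the same key.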
Hot Reload
Configuration, rule sets and TLS certificates all support hot reload with zero traffic interruption:
- Configuration: changes are triggered by SIGHUP or the console API; new connections use the new config, existing connections finish naturally.
- Rule Sets: a new Trie is built and atomically swapped in; the old Trie is GC'd once all references are released.
- Certificate: the SNI routing table refreshes in real time with no need to restart listeners.
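The RCU-style swap behind both the rule-set and certificate bullets, as an added Go example (not FOXWAF's own code): a Trie is built off the hot path and published through `atomic.Pointer`, readers load it without a lock, and the old Trie is garbage-collected once the last in-flight request drops it. The same pattern serves the SNI table through a `GetCertificate` callback with the signature `tls.Config` expects. The Trie shape (byte-level, path-prefix rules) and the certificate map are assumptions for the example; the sample paths and server names are constructed.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"sync/atomic"
)

// Trie is a byte-level prefix tree over request paths. It is built once per
// reload and never mutated afterwards, which is what makes sharing it across
// goroutines without a lock safe.
type Trie struct {
	children map[byte]*Trie
	terminal bool
}

func NewTrie(patterns []string) *Trie {
	root := &Trie{children: map[byte]*Trie{}}
	for _, p := range patterns {
		n := root
		for i := 0; i < len(p); i++ {
			next, ok := n.children[p[i]]
			if !ok {
				next = &Trie{children: map[byte]*Trie{}}
				n.children[p[i]] = next
			}
			n = next
		}
		n.terminal = true
	}
	return root
}

// HasPrefix reports whether any inserted pattern is a prefix of path.
func (t *Trie) HasPrefix(path string) bool {
	n := t
	for i := 0; i < len(path); i++ {
		if n.terminal {
			return true
		}
		next, ok := n.children[path[i]]
		if !ok {
			return false
		}
		n = next
	}
	return n.terminal
}

// RuleStore holds the live Trie behind an atomic pointer. Readers Load() it,
// writers build a replacement and Store() it; nobody blocks anybody.
type RuleStore struct {
	live atomic.Pointer[Trie]
}

func NewRuleStore(patterns []string) *RuleStore {
	s := &RuleStore{}
	s.live.Store(NewTrie(patterns))
	return s
}

// Reload builds the new Trie off the hot path and swaps it in atomically.
// Requests that already loaded the old pointer keep using it; the old Trie
// is collected once the last of them returns.
func (s *RuleStore) Reload(patterns []string) { s.live.Store(NewTrie(patterns)) }

func (s *RuleStore) Current() *Trie { return s.live.Load() }

func (s *RuleStore) Blocked(path string) bool { return s.live.Load().HasPrefix(path) }

// CertTable is the SNI routing table (server name -> certificate), swapped
// the same way so certificates rotate without restarting the listener.
type CertTable struct {
	live atomic.Pointer[map[string]*tls.Certificate]
}

func (c *CertTable) Swap(m map[string]*tls.Certificate) { c.live.Store(&m) }

// GetCertificate matches the tls.Config.GetCertificate signature, so a
// listener built with &tls.Config{GetCertificate: table.GetCertificate}
// sees new entries on the next handshake.
func (c *CertTable) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	m := c.live.Load()
	if m == nil {
		return nil, errors.New("no certificates loaded")
	}
	if cert, ok := (*m)[hello.ServerName]; ok {
		return cert, nil
	}
	return nil, fmt.Errorf("no certificate for %q", hello.ServerName)
}

func main() {
	rules := NewRuleStore([]string{"/admin", "/.git"})
	fmt.Println("/admin/login blocked:", rules.Blocked("/admin/login"))
	rules.Reload([]string{"/wp-admin"})
	fmt.Println("/admin/login blocked after reload:", rules.Blocked("/admin/login"))

	var table CertTable
	table.Swap(map[string]*tls.Certificate{"a.example": {}}) // placeholder cert, constructed
	_, err := table.GetCertificate(&tls.ClientHelloInfo{ServerName: "b.example"})
	fmt.Println("b.example lookup:", err)
}
```

The invariant that makes this safe is immutability after publication: a reload never edits the Trie or map that readers may hold, it only replaces the pointer. Mutating a published structure in place would reintroduce exactly the data race the atomic swap avoids.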
Further Reading
- Configuration — Sites, upstreams, certificates, rule sets
- OpenAPI Reference — Scripted operations and CI/CD integration
- Plugins & Extensions — Inject custom logic into pipeline hooks
- Performance — Raw wrk benchmark report