NyxGuard Manager is a free self-hosted WAF and application firewall that packs production-grade reverse proxy management, multi-layer threat protection, observability, and identity management into a single Docker container. No subscription. No cloud. Free forever.
Full lifecycle management of your proxy hosts from a clean web UI — no manual nginx editing required.
Create and manage reverse proxy entries pointing to any backend service. Supports custom domain names, SSL/TLS termination, HTTP/2, and per-host custom nginx configuration blocks.
Automated certificate provisioning and renewal via Let's Encrypt and Certbot. Supports HTTP-01 and DNS-01 challenges. DNS provider plugins (Cloudflare, etc.) are persisted across restarts.
A full custom login portal enforced at the nginx layer via Lua subrequests. Per-host credential lists with HMAC-signed session cookies — no HTTP Basic Auth, no browser pop-ups, no credential prompts.
See the Security page for a full deep-dive. Here's a summary of what's included.
nginx-level WAF with per-application rule sets. Custom rule editor in the UI. All WAF events are logged and shown in the Attack Dashboard.
Per-application and global rate limiting via nginx zones. Automatic IP banning when thresholds are breached. Configurable burst windows.
Distinguish legitimate bots (Googlebot, Bingbot, Cloudflare) from malicious scrapers and automated attack tools. SEO-safe mode ensures good bots are never blocked.
Global access control layer with IP ranges, CIDR blocks, and GeoIP2-based country filtering. Block entire regions or enforce allowlist-only access.
Restrict the NyxGuard admin panel itself to trusted LAN devices by IP/CIDR and MAC address. ARP-based device scanner built in.
Fine-grained control over authentication bypass per application. Versioned policy sets with rollback support. Defaults to secure (bypass OFF).
Authentik OpenID Connect single sign-on. Users authenticate through your existing identity provider. CSRF-protected state, graceful fallback to local auth.
TOTP two-factor authentication with QR provisioning. RS256-signed JWTs. Timing-safe login and anti-enumeration dummy hash comparison.
Role-based user accounts with per-user permission scopes. Local SVG initials avatars (no external requests). Password recovery flow.
Every administrative action, login event, and security decision is recorded. Configurable retention period, searchable and exportable.
Configurable alert delivery for attack spikes, system events, and health changes. Multiple channels with per-event-type filtering and test-before-save validation.
Create named integration tokens with 256-bit entropy for Prometheus scraping. Timing-safe token validation. Rotate tokens without losing configuration.
Complete UI translation in 6 languages using ICU message format with pluralization and parameter interpolation. Community-translatable source files.
Built-in update manager tracks available versions and provides one-click update from the admin panel, backed by the update script.
Export your full NyxGuard configuration for backup or migration. Import on a new instance to restore all proxy hosts, access lists, and settings.