Every feature you need — free WAF, DDoS protection, and reverse proxy in one

NyxGuard Manager is a free self-hosted WAF and application firewall that packs production-grade reverse proxy management, multi-layer threat protection, observability, and identity management into a single Docker container. No subscription. No cloud. Free forever.

Reverse Proxy Management

Full lifecycle management of your proxy hosts from a clean web UI — no manual nginx editing required.

Proxy Hosts

Create and manage reverse proxy entries pointing to any backend service. Supports custom domain names, SSL/TLS termination, HTTP/2, and per-host custom nginx configuration blocks.

Capabilities

  • Add/edit/delete proxy hosts from the UI
  • Custom nginx config injection per host
  • HTTP/2 & WebSocket support
  • Force HTTPS redirect toggle
  • Block common exploits toggle
  • Access list attachment per host
  • Cache assets option
nginxHTTP/2WebSocketCustom Config

SSL Certificates

Automated certificate provisioning and renewal via Let's Encrypt and Certbot. Supports HTTP-01 and DNS-01 challenges. DNS provider plugins (Cloudflare, etc.) are persisted across restarts.

Capabilities

  • Let's Encrypt via Certbot
  • HTTP-01 and DNS-01 challenge modes
  • Cloudflare DNS plugin support
  • Auto-renewal with no downtime
  • Custom certificate upload
  • Self-signed certificate generation
  • Certbot site-packages persist across restarts
Let's EncryptCertbotDNS-01Cloudflare

Access Portal

A full custom login portal enforced at the nginx layer via Lua subrequests. Per-host credential lists with HMAC-signed session cookies — no HTTP Basic Auth, no browser pop-ups, no credential prompts.

Capabilities

  • Custom branded login page per protected host
  • HMAC-SHA256 signed session cookies (8h TTL)
  • Timing-safe credential verification
  • IP allow/deny rules with satisfy any/all logic
  • Auth bypass toggle per host (opt-out of protection)
  • Access events logged to Audit Log & Event Center
Session AuthLua EnforcementIP RulesAudit Log

Multi-Layer Threat Protection — Free WAF, DDoS Shield & Bot Defence

See the Security page for a full deep-dive. Here's a summary of what's included.

Web Application Firewall (WAF)

nginx-level WAF with per-application rule sets. Custom rule editor in the UI. All WAF events are logged and shown in the Attack Dashboard.

Detects & Blocks

  • SQL injection patterns
  • Cross-site scripting (XSS)
  • Path traversal attempts
  • Custom user-defined signatures
  • Configurable action: block or log-only
SQLiXSSCustom RulesPer-app

DDoS & Rate Limiting

Per-application and global rate limiting via nginx zones. Automatic IP banning when thresholds are breached. Configurable burst windows.

Controls

  • Requests-per-second threshold
  • Burst size configuration
  • Auto-ban duration (configurable)
  • Manual IP unban from UI
  • Real-time DDoS event log
Rate LimitingAuto-bannginx zones

Bot & Crawler Protection

Distinguish legitimate bots (Googlebot, Bingbot, Cloudflare) from malicious scrapers and automated attack tools. SEO-safe mode ensures good bots are never blocked.

Features

  • Known-bad bot signature matching
  • User-agent allowlist / blocklist
  • SEO-safe mode for search engine bots
  • Cloudflare bot allowlist
  • Per-application bot rules
Bot DetectionSEO-safeAllowlist

GlobalGate — IP & Country Filtering

Global access control layer with IP ranges, CIDR blocks, and GeoIP2-based country filtering. Block entire regions or enforce allowlist-only access.

Features

  • IP address and CIDR block rules
  • GeoIP2 country code filtering
  • Block mode or allowlist mode
  • Per-application override
  • Partial badge when apps diverge from global
GeoIP2CIDRCountry Block

LAN Access Control

Restrict the NyxGuard admin panel itself to trusted LAN devices by IP/CIDR and MAC address. ARP-based device scanner built in.

Features

  • IP/CIDR rule list for admin access
  • MAC address filtering
  • ARP scan for LAN device discovery
  • nginx allow/deny snippet generation
  • Self-lockout prevention logic
  • Admin routes always exempt
MAC FilterARP ScanCIDR

App Auth Bypass Control

Fine-grained control over authentication bypass per application. Versioned policy sets with rollback support. Defaults to secure (bypass OFF).

Features

  • Global default setting (bypass OFF by default)
  • Per-application override
  • Bidirectional global↔app sync
  • Versioned policy sets
  • One-click rollback to any previous version
Per-appVersionedRollback

Authentication & User Management

SSO Integration (Authentik)

Authentik OpenID Connect single sign-on. Users authenticate through your existing identity provider. CSRF-protected state, graceful fallback to local auth.

Details

  • Authentik OIDC flow
  • In-memory CSRF state store
  • Email-based local account mapping
  • SSO callback via frontend hash routing
  • Error messages never leak email addresses
AuthentikOIDCCSRF Protected

2FA & Secure Auth

TOTP two-factor authentication with QR provisioning. RS256-signed JWTs. Timing-safe login and anti-enumeration dummy hash comparison.

Details

  • TOTP via authenticator app (QR code)
  • Recovery codes for lockout
  • RS256 signed JWT tokens
  • Timing-safe bcrypt comparison
  • Dummy hash compare when email not found
  • Configurable token expiry
TOTPRS256 JWTTiming-safe

User Management

Role-based user accounts with per-user permission scopes. Local SVG initials avatars (no external requests). Password recovery flow.

Details

  • Admin and user roles
  • Per-user permission scopes
  • Local SVG initials avatar generation
  • Password change & recovery
  • Account creation by admin
RBACLocal AvatarsRecovery

Audit, Notifications & i18n

Audit Log

Every administrative action, login event, and security decision is recorded. Configurable retention period, searchable and exportable.

Full HistoryRetentionExport

Notification Channels

Configurable alert delivery for attack spikes, system events, and health changes. Multiple channels with per-event-type filtering and test-before-save validation.

Multi-channelEvent FiltersTest Mode

Prometheus Integrations

Create named integration tokens with 256-bit entropy for Prometheus scraping. Timing-safe token validation. Rotate tokens without losing configuration.

Prometheus256-bit TokenRotate

Internationalisation

Complete UI translation in 6 languages using ICU message format with pluralization and parameter interpolation. Community-translatable source files.

ENFRDEESITRO

Update Manager

Built-in update manager tracks available versions and provides one-click update from the admin panel, backed by the update script.

Auto-detectOne-click

Configuration Export

Export your full NyxGuard configuration for backup or migration. Import on a new instance to restore all proxy hosts, access lists, and settings.

BackupMigration