Run it on your infrastructure
Deploy NyxGuard on a Linux host with Docker. Configuration, certificates, rules, and security events remain under your control.
A free self-hosted web application firewall and nginx reverse proxy for protecting Docker services from SQL injection, XSS, abusive bots, and application-layer floods. Keep traffic policy, TLS, GeoIP controls, SSO, and monitoring on infrastructure you control.
NyxGuard Manager combines every layer of protection and visibility you need to run self-hosted infrastructure with confidence. No separate tools, no cloud dependencies, no compromises.
HTTP/TCP/UDP hosts, Let's Encrypt SSL, HTTP/2, custom nginx config.
Explore →Block SQLi, XSS, path traversal. Custom signatures with live nginx apply.
Explore →Rate limiting, auto IP banning, SEO-safe bot filtering.
Explore →Country and CIDR IP rules. GeoIP attribution across all attack views.
Explore →Restrict admin to trusted LAN IPs and MAC addresses with ARP discovery.
Explore →Authentik OIDC + TOTP two-factor. RS256 JWT, timing-safe auth stack.
Explore →Live dashboards, Prometheus metrics, Grafana, Event Center, and alert channels.
Explore →Webhook, Slack, Email alerts. Token-based Prometheus scrape endpoint.
Explore →12 built-in themes including Obsidian Guard, Void Black, Premium Nyx, and more.
Explore →Auto-detects latest Docker Hub tag. Up and running in minutes.
Install →nginx + Node.js + React + MariaDB. Single container, known dependencies.
Explore →Check, changelog, and apply updates from the UI. Data always preserved.
Explore →NyxGuard Manager sits in front of your applications, terminates TLS, evaluates requests, and forwards allowed traffic to the correct service.
Deploy NyxGuard on a Linux host with Docker. Configuration, certificates, rules, and security events remain under your control.
Manage HTTP, HTTPS, TCP, and UDP proxy hosts while applying WAF, bot, GeoIP, rate-limit, and access policies per application.
Use live traffic, attack events, audit history, Prometheus metrics, and Grafana dashboards to investigate and tune protection.
NyxGuard Manager is designed for homelabs, self-hosted services, small organizations, and operators who need more control than a basic reverse proxy provides. Public requests first reach NyxGuard's nginx edge. TLS and hostname routing are handled there, and enabled security controls inspect the request before it is sent to the private upstream service.
The management interface connects proxy configuration with security operations. Instead of maintaining unrelated WAF snippets, ban lists, certificate jobs, dashboards, and authentication services by hand, operators can manage them from one application while retaining access to generated nginx configuration and logs.
The best option depends on who operates the infrastructure and where attacks need to be absorbed.
| Capability | NyxGuard Manager | Basic reverse proxy | Hosted cloud WAF |
|---|---|---|---|
| Deployment | Your Linux/Docker host | Your infrastructure | Provider edge network |
| WAF and bot controls | Built in and operator-managed | Usually manual or separate | Provider-managed features |
| Configuration and event data | Stored on your systems | Stored on your systems | Stored or processed by provider |
| Recurring software subscription | None required | Varies | Free tier or paid plan |
| Volumetric attack absorption | Limited by your connection | Limited by your connection | Usually a core advantage |
A self-hosted web application firewall runs on infrastructure you control and inspects HTTP traffic before it reaches your applications. NyxGuard combines this filtering layer with an nginx reverse proxy.
Yes. NyxGuard Manager can be installed and operated without a subscription, and its source code is available on GitHub.
Yes. NyxGuard is distributed as a Docker deployment for Linux and includes an installer for supported Ubuntu and Debian hosts. See the installation guide for current requirements.
NyxGuard can filter SQL injection, cross-site scripting, path traversal, abusive bots, unwanted countries or networks, and excessive application-layer requests. Rules must still be tuned and monitored for each application.
No. NyxGuard provides application-layer rate limiting and automatic IP controls, but a self-hosted origin can still require ISP, CDN, or scrubbing-provider protection against attacks that saturate its internet connection.
Get NyxGuard Manager running in minutes with a single install command. No cloud. No subscription. Full control.