NyxGuard Manager
FREE SELF-HOSTED WAF FOR DOCKER

A free self-hosted web application firewall and nginx reverse proxy for protecting Docker services from SQL injection, XSS, abusive bots, and application-layer floods. Keep traffic policy, TLS, GeoIP controls, SSO, and monitoring on infrastructure you control.

Built by NyxCloud · Cardei Vlad-Eusebiu

nginx
Core Engine
Docker
Deployment
WAF
Built-In
GeoIP
Intelligence
SSO
Authentik
6
Languages
12
Themes

A free WAF and application firewall — complete security operations platform

NyxGuard Manager combines every layer of protection and visibility you need to run self-hosted infrastructure with confidence. No separate tools, no cloud dependencies, no compromises.


Protect web applications without handing control to a hosted security service

NyxGuard Manager sits in front of your applications, terminates TLS, evaluates requests, and forwards allowed traffic to the correct service.

Run it on your infrastructure

Deploy NyxGuard on a Linux host with Docker. Configuration, certificates, rules, and security events remain under your control.

Protect multiple applications

Manage HTTP, HTTPS, TCP, and UDP proxy hosts while applying WAF, bot, GeoIP, rate-limit, and access policies per application.

See why traffic was blocked

Use live traffic, attack events, audit history, Prometheus metrics, and Grafana dashboards to investigate and tune protection.

An nginx security gateway between the internet and your apps

NyxGuard Manager is designed for homelabs, self-hosted services, small organizations, and operators who need more control than a basic reverse proxy provides. Public requests first reach NyxGuard's nginx edge. TLS and hostname routing are handled there, and enabled security controls inspect the request before it is sent to the private upstream service.

The management interface connects proxy configuration with security operations. Instead of maintaining unrelated WAF snippets, ban lists, certificate jobs, dashboards, and authentication services by hand, operators can manage them from one application while retaining access to generated nginx configuration and logs.

  • Request filtering: detect common SQL injection, cross-site scripting, path traversal, scanner, and malicious request patterns.
  • Abuse controls: apply rate limits, bot rules, IP and CIDR decisions, country policy, and automatic bans.
  • Identity and access: use access lists, SSO/OIDC, TOTP two-factor authentication, and LAN-aware administration.
  • Operations: automate Let's Encrypt certificates and inspect traffic, events, metrics, alerts, and audit history.

Self-hosted WAF compared with common alternatives

The best option depends on who operates the infrastructure and where attacks need to be absorbed.

CapabilityNyxGuard ManagerBasic reverse proxyHosted cloud WAF
DeploymentYour Linux/Docker hostYour infrastructureProvider edge network
WAF and bot controlsBuilt in and operator-managedUsually manual or separateProvider-managed features
Configuration and event dataStored on your systemsStored on your systemsStored or processed by provider
Recurring software subscriptionNone requiredVariesFree tier or paid plan
Volumetric attack absorptionLimited by your connectionLimited by your connectionUsually a core advantage
Operational limitation: no origin-hosted WAF can stop traffic after it has already saturated the origin's internet connection. For volumetric DDoS risk, combine NyxGuard's application-layer controls with an upstream CDN, ISP, or scrubbing service.

Free self-hosted WAF questions

What is a self-hosted WAF?

A self-hosted web application firewall runs on infrastructure you control and inspects HTTP traffic before it reaches your applications. NyxGuard combines this filtering layer with an nginx reverse proxy.

Is NyxGuard Manager free?

Yes. NyxGuard Manager can be installed and operated without a subscription, and its source code is available on GitHub.

Does NyxGuard run with Docker?

Yes. NyxGuard is distributed as a Docker deployment for Linux and includes an installer for supported Ubuntu and Debian hosts. See the installation guide for current requirements.

Which attacks can NyxGuard block?

NyxGuard can filter SQL injection, cross-site scripting, path traversal, abusive bots, unwanted countries or networks, and excessive application-layer requests. Rules must still be tuned and monitored for each application.

Does NyxGuard replace upstream DDoS protection?

No. NyxGuard provides application-layer rate limiting and automatic IP controls, but a self-hosted origin can still require ISP, CDN, or scrubbing-provider protection against attacks that saturate its internet connection.


Ready to secure your self-hosted infrastructure?

Get NyxGuard Manager running in minutes with a single install command. No cloud. No subscription. Full control.