Free WAF & Application Firewall — Defense-in-depth, out of the box
NyxGuard Manager implements multiple independent security layers — from the network edge down to authentication. No plugin required, no cloud dependency.
NyxGuard's WAF operates directly inside nginx — rules are evaluated before traffic ever reaches your backend application. This means zero additional latency overhead and no bypass via direct backend access. Rules are managed per application from the UI and written to nginx config on save.
Rate limiting is enforced at the nginx layer using named limit zones. When a client exceeds the configured threshold, requests are queued (burst) then rejected. Persistent threshold breach triggers an automatic IP ban logged to the attack monitor.
Configuration
Requests per second threshold
Burst queue size
Auto-ban duration (minutes/hours)
Per-application or global scope
Configurable poll interval via env var
Monitoring
Real-time DDoS event stream
Historical DDoS graphs (24h/7d/30d/90d)
Per-IP ban list with unban option
Prometheus metric export
Alert channel notification on spike
Bot & Crawler Protection
user-agent + signature
NyxGuard distinguishes between legitimate crawlers (which should never be blocked for SEO reasons) and malicious automated tools. The SEO-safe mode ensures Googlebot, Bingbot, and other major search crawlers are always allowed through even when bot protection is active.
Always Allowed (SEO-safe)
Googlebot / Google-InspectionTool
Bingbot / AdIdxBot
Cloudflare verification bots
Other major SEO crawlers
Configurable Blocking
Known bad-bot signature list
Custom user-agent blocklist
Headless browser signatures
Scraper / mass-harvesting tools
GlobalGate — Network Access Control
GeoIP2 + CIDR
GlobalGate provides a global access control layer that sits in front of all proxy hosts. Rules can be set globally (apply to all apps) or overridden per application. Country filtering uses the GeoIP2 database evaluated locally inside the container — no runtime API calls.
Rule Types
Single IP address
CIDR block (e.g. 192.168.1.0/24)
Country code (ISO 3166-1 alpha-2)
Block mode (default allow, explicit deny)
Allowlist mode (default deny, explicit allow)
Scope
Global rules applied to all proxy hosts
Per-application override rules
"Partial" badge when apps diverge from global
Immediate nginx config reload on save
LAN Access Control
admin panel only
This layer protects the NyxGuard admin panel itself — not proxied applications. When enabled, only clients matching the configured LAN rules (IP/CIDR and/or MAC address) can access the admin interface on port 8443. Proxy hosts on 80/443 are completely unaffected.
Rule Types
IPv4 address or CIDR range
MAC address (requires ARP visibility)
Named rule entries for clarity
Enable/disable per rule
Safety Features
ARP scan for LAN device discovery
Warning when no rules are active
Critical alert when enabled with no rules
LAN Access routes always exempt (no lockout)
🔐
Authentication Security
RS256 JWT · TOTP · OIDC
NyxGuard's authentication stack is designed to prevent common attack vectors: credential enumeration, timing attacks, token forgery, and session replay. All tokens are asymmetrically signed and verified. TOTP 2FA adds a second factor requiring physical device access.
Token Security
RS256 asymmetric JWT signing
Public key verification (not shared secret)
Configurable token expiry
Scope-based claims (admin/user)
256-bit integration tokens
Timing-safe token comparison
Login Hardening
Dummy bcrypt hash compare on unknown email
Consistent response time regardless of email existence
TOTP verification before token issue
Recovery codes for 2FA lockout
SSO CSRF protection via in-memory state
SSO errors never leak email addresses
🔒
Transport & Header Security
nginx TLS + CSP
All traffic to managed applications is encrypted via TLS with automatic certificate management. The admin panel enforces strict HTTP headers including a Content Security Policy to mitigate XSS and data injection attacks.