Free WAF & Application Firewall — Defense-in-depth, out of the box

NyxGuard Manager implements multiple independent security layers — from the network edge down to authentication. No plugin required, no cloud dependency.

Web Application Firewall (WAF)

nginx-level

NyxGuard's WAF operates directly inside nginx — rules are evaluated before traffic ever reaches your backend application. This means zero additional latency overhead and no bypass via direct backend access. Rules are managed per application from the UI and written to nginx config on save.

Detection Patterns

  • SQL injection (UNION, SELECT, DROP, etc.)
  • Cross-site scripting (script tags, event handlers)
  • Path traversal (../, %2e%2e)
  • Command injection attempts
  • Custom user-defined regex patterns

Response Actions

  • Block request (403 response)
  • Log-only mode for tuning
  • Per-rule action override
  • Real-time event logging
  • Attack dashboard aggregation

DDoS Protection & Rate Limiting

nginx zones

Rate limiting is enforced at the nginx layer using named limit zones. When a client exceeds the configured threshold, requests are queued (burst) then rejected. Persistent threshold breach triggers an automatic IP ban logged to the attack monitor.

Configuration

  • Requests per second threshold
  • Burst queue size
  • Auto-ban duration (minutes/hours)
  • Per-application or global scope
  • Configurable poll interval via env var

Monitoring

  • Real-time DDoS event stream
  • Historical DDoS graphs (24h/7d/30d/90d)
  • Per-IP ban list with unban option
  • Prometheus metric export
  • Alert channel notification on spike

Bot & Crawler Protection

user-agent + signature

NyxGuard distinguishes between legitimate crawlers (which should never be blocked for SEO reasons) and malicious automated tools. The SEO-safe mode ensures Googlebot, Bingbot, and other major search crawlers are always allowed through even when bot protection is active.

Always Allowed (SEO-safe)

  • Googlebot / Google-InspectionTool
  • Bingbot / AdIdxBot
  • Cloudflare verification bots
  • Other major SEO crawlers

Configurable Blocking

  • Known bad-bot signature list
  • Custom user-agent blocklist
  • Headless browser signatures
  • Scraper / mass-harvesting tools

GlobalGate — Network Access Control

GeoIP2 + CIDR

GlobalGate provides a global access control layer that sits in front of all proxy hosts. Rules can be set globally (apply to all apps) or overridden per application. Country filtering uses the GeoIP2 database evaluated locally inside the container — no runtime API calls.

Rule Types

  • Single IP address
  • CIDR block (e.g. 192.168.1.0/24)
  • Country code (ISO 3166-1 alpha-2)
  • Block mode (default allow, explicit deny)
  • Allowlist mode (default deny, explicit allow)

Scope

  • Global rules applied to all proxy hosts
  • Per-application override rules
  • "Partial" badge when apps diverge from global
  • Immediate nginx config reload on save

LAN Access Control

admin panel only

This layer protects the NyxGuard admin panel itself — not proxied applications. When enabled, only clients matching the configured LAN rules (IP/CIDR and/or MAC address) can access the admin interface on port 8443. Proxy hosts on 80/443 are completely unaffected.

Rule Types

  • IPv4 address or CIDR range
  • MAC address (requires ARP visibility)
  • Named rule entries for clarity
  • Enable/disable per rule

Safety Features

  • ARP scan for LAN device discovery
  • Warning when no rules are active
  • Critical alert when enabled with no rules
  • LAN Access routes always exempt (no lockout)
🔐

Authentication Security

RS256 JWT · TOTP · OIDC

NyxGuard's authentication stack is designed to prevent common attack vectors: credential enumeration, timing attacks, token forgery, and session replay. All tokens are asymmetrically signed and verified. TOTP 2FA adds a second factor requiring physical device access.

Token Security

  • RS256 asymmetric JWT signing
  • Public key verification (not shared secret)
  • Configurable token expiry
  • Scope-based claims (admin/user)
  • 256-bit integration tokens
  • Timing-safe token comparison

Login Hardening

  • Dummy bcrypt hash compare on unknown email
  • Consistent response time regardless of email existence
  • TOTP verification before token issue
  • Recovery codes for 2FA lockout
  • SSO CSRF protection via in-memory state
  • SSO errors never leak email addresses
🔒

Transport & Header Security

nginx TLS + CSP

All traffic to managed applications is encrypted via TLS with automatic certificate management. The admin panel enforces strict HTTP headers including a Content Security Policy to mitigate XSS and data injection attacks.

TLS

  • Let's Encrypt automatic provisioning
  • HTTP → HTTPS redirect enforcement
  • Self-signed cert for admin panel on boot
  • Custom certificate upload supported
  • Certbot DNS-01 challenge (Cloudflare, etc.)

Headers

  • Content-Security-Policy on admin panel
  • Configurable proxy timeout (default 60s)
  • Long-running endpoints: 15min timeout
  • Trusted proxy IP forwarding
  • X-Forwarded-Proto trust configuration

Attack vectors your free WAF protects against

Attack TypeDetection MethodResponseLayer
SQL InjectionWAF pattern matchingBLOCKnginx WAF
XSSWAF pattern matchingBLOCKnginx WAF
Path TraversalWAF pattern matchingBLOCKnginx WAF
DDoS / Floodnginx rate zone breachBAN + BLOCKnginx zones
Credential EnumerationDummy hash compareSILENT EQUAL TIMEAuth backend
Token ForgeryRS256 signature verifyREJECT 401API middleware
Brute Force LoginAPI rate limiter (IP+user)429 Too Many RequestsExpress middleware
Malicious BotsUser-agent signaturesBLOCKnginx WAF
GeoIP ViolationsGeoIP2 country lookupBLOCKnginx access
Unauthorized Admin AccessLAN IP/MAC checkBLOCKnginx + middleware
CSRF (SSO flow)In-memory state validationREJECTSSO backend
Email Enumeration via SSOGeneric error responsesGENERIC MSG ONLYSSO backend