docker.recipes

Bunkerized NGINX

beginner

NGINX Docker image secure by default with built-in security features.

Overview

Bunkerized NGINX (the project has since been renamed BunkerWeb, which is the image this recipe pulls) is a security-hardened NGINX image that wraps the web server and reverse proxy with protections that otherwise need manual configuration and ongoing upkeep: a ModSecurity web application firewall loaded with the OWASP Core Rule Set, bad-behavior detection that bans clients producing too many error responses, optional bot challenges, hardening response headers, request rate limiting and automatic TLS certificates from Let's Encrypt.

The container applies these defaults at startup and exposes every knob as an environment variable, so a team without WAF expertise can put a reasonable baseline in front of public websites, APIs or a set of microservices while keeping NGINX's performance for legitimate traffic. It does not remove the need to read the logs: a WAF in blocking mode will produce false positives on a real application, and the tuning work (rule exclusions, whitelists, choice of challenge) is where the remaining effort goes.

Key Features

  • ModSecurity Web Application Firewall loaded with the OWASP Core Rule Set
  • Bad-behavior detection: clients that accumulate too many error responses within a time window are banned automatically
  • Security headers (CSP, HSTS, X-Frame-Options and others) injected into every response
  • Automatic TLS certificate issuance and renewal through Let's Encrypt
  • Optional anti-bot challenges (cookie, JavaScript or CAPTCHA) for suspicious clients
  • Country-based allow and deny lists for client IPs
  • Request rate limiting with burst allowance, built on NGINX's limit_req
  • Blacklist feeds (IPs, reverse DNS, user agents, URIs) refreshed on a schedule; the CRS itself ships inside the image and is updated by pulling a newer tag

Common Use Cases

  • E-commerce sites that need a WAF in front of payment and account pages (a PCI DSS expectation)
  • API endpoints that need protection from automated scraping and abuse
  • Content management systems exposed to common web attacks and scanners
  • SaaS front ends that want one enforcement point for several hostnames (BunkerWeb supports per-server-name settings in multisite mode)
  • Development teams that want security-by-default in CI/CD pipelines
  • Small businesses without a dedicated security team that need a maintained WAF baseline
  • Reverse proxy deployments for microservices that need a centralized security policy

Prerequisites

  • Docker Engine 20.10+ and Docker Compose v2 for container orchestration
  • At least 512 MB RAM for the container; ModSecurity rule processing is the main consumer
  • Ports 80 and 443 free on the host for HTTP/HTTPS traffic
  • A domain name whose DNS record points at this host, required for Let's Encrypt TLS certificates
  • Basic familiarity with NGINX configuration for custom rule changes
  • Outbound network access for the blacklist feeds and for Let's Encrypt

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  bunkerized-nginx:
    # "latest" tracks the newest BunkerWeb release; pin a release tag in production
    image: bunkerity/bunkerweb:latest
    container_name: bunkerweb
    restart: unless-stopped
    environment:
      # read from .env; the value after ":-" is used when the variable is unset
      SERVER_NAME: "${SERVER_NAME:-localhost}"
      AUTO_LETS_ENCRYPT: "${AUTO_LETS_ENCRYPT:-no}"
      USE_MODSECURITY: "yes"
      USE_BAD_BEHAVIOR: "yes"
    ports:
      # BunkerWeb runs unprivileged and listens on 8080/8443 inside the container
      - "80:8080"
      - "443:8443"
    networks:
      - bunker-network

networks:
  bunker-network:
    driver: bridge

.env Template

.env
SERVER_NAME=localhost
AUTO_LETS_ENCRYPT=no

Usage Notes

  1. Docs: https://docs.bunkerweb.io/
  2. Security features enabled by default: ModSecurity WAF with the OWASP CRS, bad-behavior blocking, request rate limiting and hardening headers
  3. Set SERVER_NAME to your real domain (with DNS pointing at this host) before enabling Let's Encrypt
  4. Auto Let's Encrypt: set AUTO_LETS_ENCRYPT=yes; ports 80 and 443 must be reachable from the internet for the challenge
  5. The anti-bot challenge is opt-in: USE_ANTIBOT takes a challenge type such as cookie, javascript or captcha, not yes/no
  6. Whitelist trusted IPs or CIDRs with WHITELIST_IP (space-separated); whitelisted clients bypass the blocking checks entirely
  7. Recent BunkerWeb releases split the Docker deployment into a bunkerweb container and a bunkerweb-scheduler container that generates and pushes the configuration; a lone bunkerweb container may only serve its default placeholder page. Check the Docker integration section of the docs for the layout matching the tag you run, and pin that tag rather than latest

Quick Start

terminal
# 1. Create the compose file (the quoted EOF keeps ${...} literal for compose)
cat > docker-compose.yml << 'EOF'
services:
  bunkerized-nginx:
    # "latest" tracks the newest BunkerWeb release; pin a release tag in production
    image: bunkerity/bunkerweb:latest
    container_name: bunkerweb
    restart: unless-stopped
    environment:
      # read from .env; the value after ":-" is used when the variable is unset
      SERVER_NAME: "${SERVER_NAME:-localhost}"
      AUTO_LETS_ENCRYPT: "${AUTO_LETS_ENCRYPT:-no}"
      USE_MODSECURITY: "yes"
      USE_BAD_BEHAVIOR: "yes"
    ports:
      # BunkerWeb runs unprivileged and listens on 8080/8443 inside the container
      - "80:8080"
      - "443:8443"
    networks:
      - bunker-network

networks:
  bunker-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
SERVER_NAME=localhost
AUTO_LETS_ENCRYPT=no
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f
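Once step 4 shows the container up, confirm that the protections the recipe promises are really in the request path rather than assuming it. The script below is an added example (not part of the recipe or of the BunkerWeb project): it sends a clean request plus three textbook CRS payloads and checks the response codes and the hardening headers. The probe payloads, the header list and `simulated_fetch` (a stand-in for a live container so the script can be run offline with `--dry-run`) are constructed for this example.

```python
"""Smoke test for a freshly started BunkerWeb: is the WAF actually enforcing?

Added example, not from the recipe or from the BunkerWeb project. It sends a
handful of GET requests and checks that a clean request is served, that
textbook CRS payloads are refused with 403, and that the hardening headers
the recipe lists are present. Run it against http://localhost once
`docker compose up -d` has finished. The probes, the header list and
simulated_fetch (a stand-in for a live container so the script runs
offline) are constructed for this example.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, Dict[str, str]]]

# Headers the recipe says BunkerWeb injects. HSTS is only sent on HTTPS
# responses, so it is checked only when the base URL is https://.
HARDENING_HEADERS = ("x-frame-options", "x-content-type-options",
                     "content-security-policy")
HTTPS_ONLY_HEADERS = ("strict-transport-security",)

# Constructed probes: label, query parameters, should the WAF refuse it?
# Keep this list short: every 403 counts against the tester's own IP in the
# bad-behavior plugin (BAD_BEHAVIOR_THRESHOLD, 10 by default), after which
# the tester is banned and every probe "passes" for the wrong reason.
PROBES = (
    ("baseline",  {"q": "hello"},                     False),
    ("sqli",      {"id": "1' OR '1'='1"},             True),
    ("xss",       {"q": "<script>alert(1)</script>"}, True),
    ("traversal", {"f": "../../etc/passwd"},          True),
)


def urllib_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Live transport: GET url, return (status, lower-cased headers).
    A custom User-Agent is set because default library agents often sit on
    user-agent blacklist feeds and would be refused for the wrong reason."""
    req = urllib.request.Request(url, headers={"User-Agent": "bw-smoke/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as exc:  # 4xx/5xx responses still carry headers
        return exc.code, {k.lower(): v for k, v in exc.headers.items()}


def simulated_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Constructed stand-in for a correctly working instance: refuses any
    query containing a quote, an angle bracket or '../', serves the rest."""
    query = urllib.parse.unquote(urllib.parse.urlsplit(url).query)
    headers = {"x-frame-options": "SAMEORIGIN",
               "x-content-type-options": "nosniff",
               "content-security-policy": "default-src 'self'"}
    if url.startswith("https://"):
        headers["strict-transport-security"] = "max-age=31536000"
    blocked = any(tok in query for tok in ("'", "<", "../"))
    return (403 if blocked else 200), headers


def run_probes(base_url: str, fetch: Fetch = urllib_fetch) -> Dict[str, Tuple[int, bool]]:
    """Return {label: (status, ok)}; ok means the WAF did what the probe expects."""
    results = {}
    for label, params, expect_block in PROBES:
        status, _ = fetch(base_url.rstrip("/") + "/?" + urllib.parse.urlencode(params))
        results[label] = (status, (status == 403) == expect_block)
    return results


def missing_headers(base_url: str, fetch: Fetch = urllib_fetch) -> List[str]:
    """Expected hardening headers absent from a clean response."""
    _, headers = fetch(base_url.rstrip("/") + "/")
    expected = HARDENING_HEADERS
    if base_url.startswith("https://"):
        expected += HTTPS_ONLY_HEADERS
    return [h for h in expected if h not in headers]


def main(argv: List[str]) -> int:
    targets = [a for a in argv[1:] if not a.startswith("--")]
    base = targets[0] if targets else "http://localhost"
    fetch = simulated_fetch if "--dry-run" in argv else urllib_fetch
    ok = True
    for label, (status, passed) in run_probes(base, fetch).items():
        print(f"{'PASS' if passed else 'FAIL'} {label:<10} HTTP {status}")
        ok = ok and passed
    for name in missing_headers(base, fetch):
        print(f"FAIL missing header: {name}")
        ok = False
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python3 smoke.py http://localhost` against the stack, or `python3 smoke.py --dry-run` to see the expected output shape without a container. A FAIL on a payload probe usually means the request never reached BunkerWeb (wrong port mapping or Host header) or the WAF is not in blocking mode; a missing header is worth confirming with `curl -I` before touching any setting.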

One-Liner

Run this command to download and set up the recipe in one step. It pipes a remote script straight into bash, so on anything beyond a throwaway host fetch it first (`curl -fsSL <url> -o run.sh`), read it, and only then execute it.

terminal
curl -fsSL https://docker.recipes/api/recipes/bunkerized-nginx/run | bash

Troubleshooting

  • ModSecurity blocking legitimate traffic: resist turning the CRS off (USE_MODSECURITY_CRS=no) as the fix. Read the rule id, uri and data fields of the ModSecurity lines in the container log and add a targeted exclusion: ctl-based runtime exclusions go in a custom config loaded before the CRS (CUSTOM_CONF_MODSEC_CRS_<name>), SecRuleRemoveById/SecRuleUpdateTargetById in one loaded after it (CUSTOM_CONF_MODSEC_<name>). WHITELIST_IP bypasses the security checks for that source altogether, so reserve it for trusted clients such as monitoring
  • Let's Encrypt certificate generation failing: SERVER_NAME must be a public name that resolves to this host, and ports 80 and 443 must be reachable from the internet for the challenge; the ACME errors appear in the container log
  • High CPU usage during bot attacks: enable a challenge with USE_ANTIBOT=javascript or USE_ANTIBOT=captcha (the setting takes a challenge type, not yes) and lower BAD_BEHAVIOR_THRESHOLD or raise BAD_BEHAVIOR_BAN_TIME so noisy clients are banned sooner and stay banned longer
  • WebSocket connections being dropped: the ModSecurity audit log is not the cause. Set REVERSE_PROXY_WS=yes on the reverse-proxy entry so the Upgrade/Connection headers are passed through and the proxied connection is kept open
  • Custom application returning 403 errors: the log line names the component that refused the request. For a ModSecurity hit, note the rule id and uri and write a per-path exclusion in a ModSecurity custom config (CUSTOM_CONF_MODSEC_CRS_<name> or CUSTOM_CONF_MODSEC_<name>); CUSTOM_CONF_SERVER_HTTP_<name> holds NGINX server-block directives, not WAF rules. If the client was banned by the bad-behavior plugin, the 403s continue for BAD_BEHAVIOR_BAN_TIME (a day by default) whatever the request looks like
  • Container failing to start with permission errors: check the Docker daemon's access to any mounted paths and, on SELinux hosts, the volume labels (the :z/:Z mount options)
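The first and fifth items both come down to the same routine: pull the ModSecurity messages out of the container log, find the rule ids that keep firing on a given path, and write an exclusion scoped to that path and argument rather than disabling the rule globally. The script below is an added example (not part of the recipe or of the BunkerWeb project) that does this over lines in the format libmodsecurity-nginx writes to the NGINX error log. The sample log lines, the hit threshold, the 10000+ rule id range and the CRS file paths in them are constructed for this example.

```python
"""Turn ModSecurity hits in the BunkerWeb log into candidate CRS exclusions.

Added example; not part of the recipe or of the BunkerWeb project. It parses
the messages libmodsecurity-nginx writes to the NGINX error log (what
`docker compose logs bunkerweb` shows), skips the CRS scoring rules, groups
the matched rules by request path and argument, and prints exclusion rules
for a human to review. Pipe the log in, or run without input to use the
constructed sample. The sample lines, the hit threshold, the 10000+ rule id
range and the CRS file paths are constructed for this example.
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample: a legitimate search term on /api/search trips 942100
# three times (the false positive to exclude), a scanner hits /login once
# with 941100, and each blocked request ends with the 949110 scoring line.
SAMPLE_LOG = """\
2024/05/01 12:00:01 [error] 31#31: *7 [client 172.18.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'UEkn' [file "/opt/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: UEkn found within ARGS:q: select from"] [severity "2"] [tag "attack-sqli"] [uri "/api/search"] [unique_id "1714564801.1"]
2024/05/01 12:00:01 [error] 31#31: *7 [client 172.18.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )" [file "/opt/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [uri "/api/search"] [unique_id "1714564801.1"]
2024/05/01 12:00:04 [error] 31#31: *8 [client 172.18.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'UEkn' [file "/opt/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: UEkn found within ARGS:q: select from"] [severity "2"] [tag "attack-sqli"] [uri "/api/search"] [unique_id "1714564804.1"]
2024/05/01 12:00:06 [error] 31#31: *9 [client 172.18.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'UEkn' [file "/opt/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: UEkn found within ARGS:q: select from"] [severity "2"] [tag "attack-sqli"] [uri "/api/search"] [unique_id "1714564806.1"]
2024/05/01 12:00:09 [error] 31#31: *12 [client 203.0.113.7] ModSecurity: Warning. detected XSS using libinjection. [file "/opt/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "38"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:user: <script>"] [severity "2"] [tag "attack-xss"] [uri "/login"] [unique_id "1714564809.1"]
2024/05/01 12:00:09 [error] 31#31: *12 [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )" [file "/opt/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [uri "/login"] [unique_id "1714564809.1"]
"""

# [key "value"] pairs as emitted by libmodsecurity; repeated keys such as tag
# collapse in dict(), which is fine because only id, msg, data and uri are used.
KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# libinjection and regex rules report the matched variable as "within ARGS:name:"
TARGET = re.compile(r"within ([A-Z_]+:[^:\s]+)")


def parse_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One event per attack-rule hit. 949xxx (blocking evaluation) and
    980xxx (correlation) lines are skipped: excluding those would switch
    off anomaly scoring rather than fix a false positive."""
    events = []
    for line in lines:
        if "ModSecurity:" not in line:
            continue
        fields = dict(KV.findall(line))
        rule_id = fields.get("id", "")
        if not rule_id or rule_id.startswith(("949", "980")):
            continue
        target = TARGET.search(fields.get("data", ""))
        events.append({"id": rule_id,
                       "msg": fields.get("msg", ""),
                       "uri": fields.get("uri", "/"),
                       "target": target.group(1) if target else ""})
    return events


def propose_exclusions(events: List[Dict[str, str]], min_hits: int = 2,
                       start_id: int = 10000) -> List[str]:
    """One runtime exclusion per (path, rule, argument) seen >= min_hits times.
    The rule is scoped to the path with @beginsWith and, when the log names
    the argument, removes the rule for that argument only
    (ctl:ruleRemoveTargetById) instead of disabling it for the whole path."""
    hits = Counter((e["uri"], e["id"], e["target"]) for e in events)
    msgs = {(e["uri"], e["id"]): e["msg"] for e in events}
    rules, next_id = [], start_id
    for (uri, rule_id, target), n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < min_hits:
            continue
        ctl = (f"ctl:ruleRemoveTargetById={rule_id};{target}" if target
               else f"ctl:ruleRemoveById={rule_id}")
        rules.append(f"# {rule_id} hit {n}x on {uri}: {msgs[(uri, rule_id)]}\n"
                     f'SecRule REQUEST_URI "@beginsWith {uri}" \\\n'
                     f'    "id:{next_id},phase:1,pass,nolog,{ctl}"')
        next_id += 1
    return rules


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for rule in propose_exclusions(parse_events(source)):
        print(rule, end="\n\n")
```

Feed it the real log with `docker compose logs --no-log-prefix bunkerweb | python3 modsec_exclusions.py`. Review every proposed rule before shipping it: the script only sees frequency, and a rule that fires repeatedly on one path may be an attack campaign rather than a false positive. Accepted rules belong in a configuration loaded before the CRS (BunkerWeb's modsec-crs slot, for example the CUSTOM_CONF_MODSEC_CRS_<name> environment variable), which is where ctl-based runtime exclusions must sit.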
