PatternsOWASP WAF Rules for Web Servers

Automated OWASP CRS patterns and Bad Bot detection for Nginx, Apache, Traefik, and HAProxy

Get Started

View on GitHub

🛡️

OWASP CRS Protection

Leverages OWASP Core Rule Set for web application firewall defense against SQLi, XSS, RCE, and LFI attacks.

🤖

Bad Bot Blocking

Blocks known malicious bots and scrapers using regularly updated public bot lists.

⚙️

Multi-Server Support

Generates WAF configs for Nginx, Apache, Traefik, and HAProxy with consistent protection across platforms.

🔄

Daily Updates

GitHub Actions automatically fetch new OWASP rules daily and push updated configurations.

📦

Pre-Generated Configs

Download ready-to-use WAF configurations from GitHub Releases without building from source.

🧩

Extensible Design

Modular architecture makes it easy to extend support to other web servers or load balancers.

Quick Start

Download the latest configurations from GitHub Releases or build from source:

bash

git clone https://github.com/fabriziosalmi/patterns.git
cd patterns
pip install -r requirements.txt
python owasp2json.py
python json2nginx.py  # or json2apache.py, json2traefik.py, json2haproxy.py

Supported Platforms

Platform	Config Format	Documentation
Nginx	`.conf` files	Read more →
Apache	ModSecurity rules	Read more →
Traefik	Middleware TOML	Read more →
HAProxy	ACL files	Read more →

Using Caddy?

Check out the caddy-waf project for Caddy-specific WAF support.