Patterns

Production-grade WAF rules, on autopilot.

Automated OWASP Core Rule Set and bad-bot patterns, converted into native configurations for Nginx, Apache, Traefik, and HAProxy — refreshed every day.

Capabilities

Engineered for production

Six guarantees that turn a daily scrape of upstream rules into something your traffic can actually live behind — quietly, predictably, and without operator toil.

  • 01

    OWASP CRS coverage

    Rules for SQL injection, XSS, RCE, LFI, and RFI, derived from the same Core Rule Set behind ModSecurity.

  • 02

    Native multi-server output

    One source, four idiomatic backends — Nginx maps, Apache SecRule, Traefik middleware, HAProxy ACL files.

  • 03

    Bad-bot blocking

    Curated User-Agent lists from public sources — scrapers, AI crawlers, scanners, with allow-lists for legitimate engines.

  • 04

    Daily automated rebuild

    A scheduled GitHub Actions workflow re-fetches the latest CRS release and republishes every archive — no maintenance.

  • 05

    Pre-built archives

    Drop-in zips published on every run: nginx_waf.zip, apache_waf.zip, traefik_waf.zip, haproxy_waf.zip.

  • 06

    Composable pipeline

    Each backend is a small Python converter on a single JSON intermediate. Adding a platform is a few hundred lines.

Integrations

Four web servers, one source of truth

The same OWASP CRS rule set is converted into the native syntax of each platform — so you get equivalent protection regardless of the proxy in front of your stack.

  • 600+ OWASP CRS patterns: extracted from upstream daily
  • Refresh cadence: daily (scheduled GitHub Actions)
  • Server backends: 4 (native, idiomatic output)
  • License: MIT (open-source, no vendor lock)

Quick start

```bash
curl -LO https://github.com/fabriziosalmi/patterns/releases/latest/download/nginx_waf.zip
unzip nginx_waf.zip -d /etc/nginx/waf_patterns
```

Or build from source — full toolchain instructions in Getting Started.

Released under the MIT License.