Self-hosted Reverse Proxy WAF with HAProxy and OWASP Coraza
Guard Proxy is a Web Application Firewall (WAF) solution designed for self-hosted environments. It combines HAProxy as a reverse proxy with the Coraza WAF engine and the OWASP Core Rule Set for threat detection, managed through a web-based admin panel.
This project is being developed as a master's thesis at Wroclaw University DSW.
- HAProxy 2.8+ as reverse proxy with SPOE integration
- Coraza WAF 3.x with OWASP CRS for threat detection
- Per-vhost policies with configurable paranoia levels (PL1-PL4)
- Anomaly scoring for intelligent threat detection
- Admin panel (FastAPI + React) for managing policies and monitoring
- Docker-based deployment for easy setup
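How a per-vhost paranoia level and anomaly scoring combine into one allow/deny decision, as an added example that is not Guard Proxy's own code. It models only the CRS scoring arithmetic (default severity points and default inbound threshold of 5); `VhostPolicy`, `RuleMatch`, the hostnames and the rule ids are assumptions made for illustration.

```python
from dataclasses import dataclass

# Anomaly points per rule severity (OWASP CRS defaults).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

@dataclass(frozen=True)
class VhostPolicy:               # hypothetical shape, not Guard Proxy's schema
    paranoia_level: int = 1      # PL1-PL4: which rule tiers are evaluated
    inbound_threshold: int = 5   # CRS default inbound anomaly threshold

@dataclass(frozen=True)
class RuleMatch:                 # one rule that matched the request
    rule_id: int
    paranoia_level: int          # tier the rule belongs to
    severity: str

def policy_for(host, policies, default=VhostPolicy()):
    """Pick the policy by Host header, ignoring case and a trailing port."""
    host = host.strip().lower()
    if not host.startswith("["):         # leave bracketed IPv6 literals alone
        host = host.partition(":")[0]
    return policies.get(host, default)

def evaluate(policy, matches):
    """Return (action, score) for one request under one vhost policy."""
    if not 1 <= policy.paranoia_level <= 4:
        raise ValueError("paranoia level must be between 1 and 4")
    # Rules from tiers above the vhost's paranoia level do not count.
    active = [m for m in matches if m.paranoia_level <= policy.paranoia_level]
    score = sum(SEVERITY_SCORE[m.severity] for m in active)
    return ("deny" if score >= policy.inbound_threshold else "allow"), score

# Constructed sample data: hostnames and rule ids are placeholders.
POLICIES = {
    "blog.example.test": VhostPolicy(paranoia_level=1),
    "admin.example.test": VhostPolicy(paranoia_level=2),
}
MATCHES = [
    RuleMatch(rule_id=1001, paranoia_level=1, severity="WARNING"),
    RuleMatch(rule_id=1002, paranoia_level=2, severity="WARNING"),
]

if __name__ == "__main__":
    for host in ("blog.example.test", "ADMIN.example.test:8443", "other.example.test"):
        print(host, evaluate(policy_for(host, POLICIES), MATCHES))
```

The same request is allowed on the PL1 vhost and denied on the PL2 vhost, because the second match only contributes to the score once its tier is enabled.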
```mermaid
graph TB
    C[Clients] -->|HTTP/HTTPS| H[HAProxy]
    H -.->|SPOE| CS[Coraza WAF]
    CS -.->|Allow/Deny| H
    H --> APP[Backend Apps]
    FE[React UI] -->|API| BE[FastAPI]
    BE -->|Config| H
    BE --> DB[(PostgreSQL)]
```
- Proxy: HAProxy 2.8+ with SPOE
- WAF: Coraza 3.x + OWASP CRS 4.x
- Backend: Python 3.13, FastAPI, SQLAlchemy, PostgreSQL
- Frontend: React, TypeScript, Tailwind CSS
- Infrastructure: Docker Compose, Prometheus, Grafana
Status: In development — backend MVP
See the project board for a detailed task breakdown, or view the milestones.
- Architecture - System architecture and data flow
- Development Commands - All development commands
- Testing Strategy - Testing approach and targets
MIT License - see LICENSE