A lot of people on your SafeLine video asked about this particular WAF, (that's how I became aware of it's existence) and you delivered already. Big props and thanks to you for that video and honest review. IMHO, Let's Encrypt wildcard certs (or any SSL/TLS protection feature for that matter), shouldn't be used as business tactics.
Thanks to your videos Jim, I ended up buying my own 3 ms-01 proxmox cluster setup this week. I got them all on sale because of black friday sales, ended up getting 96GB ram, multiple MVE 1TB drives for each, setting up the backhaul network etc also. I really appreciate what you did here! Hopefully the guys at Minisforum gave you great compensation for your work!
Looks like a great app, but I totally agree that the SSL paywall is frustrating! It’s disappointing that essential features like wildcard certificates are locked behind a paywall, which limits the app's full potential, especially for homelab enthusiasts who value flexibility without extra costs. If they offered cloud support or had an open donation model instead of holding back core functionality, I think it would open up a lot more engagement from the community. It’s a shame to see such valuable features restricted this way-otherwise, BunkerWeb would be a fantastic WAF choice. Great walkthrough though; your testing with Docker really helped clarify the setup :)
Thanks Jim for bringing up the subjects of features which should be free, hopefully they listen. But I do think wildcard is supported via port 80, at least it worked for me when I tested safeline.
If we already have nginxreverseproxy or Traeffik working with wildcard DNS/SSL, can Bunkerweb use that instead of using or passing BW's Let's Encrypt DNS plugin?
Yeah, stopping any consideration (for now)at 3:20 -- that really is a deal breaker for a home lab; continuing to tune in to see if it fits a pro use case (and to make sure you get the view!)
I there a way to double up a CloudFlare tunnel and a WAF like this in my home lab? I know CF tunnels have protections available but I’d love to utilise both so I can take advantage of the crowdsourcing!
Is this just a WAF or can it also be used as a reversed proxy? Looking to get rid of NPM and if this can do the same + adds a lot of protection then it's a no-brainer.
Is it going to work on system with less RAM? I am trying your compose file on RPi5 and 1st bunkerweb container cannot start with ngx failing: no memory
Great to know!! It was my only apprehension, only due to my limited ability to justify an additional expenditure (bullshit speak for currently not making money).
I already have Nginx configured as a reverse proxy for my web apps. Can I set up BunkerWeb to work alongside this setup? I assume I’ll need to configure port forwarding so that traffic routes through BunkerWeb before reaching Nginx?
Yes as it acts as a reverse proxy. And even don't think about to install the binary version on your linux machine with nginx. I've already done this for you and I cannot recommend this approach :-D It will destroy your nginx config. Use the docker version in that case & choose some ports which are not in use...
Update: The Founder has responded to feedback and stated that the paywalled LetsEncrypt will be removed in the next version.
You have made a difference in your feedback, Fantastic
@@Jims-Garage awesome!
Great. Everyone wants to make money, but paywalling LetsEncrypt should not be one of them.
A lot of people on your SafeLine video asked about this particular WAF, (that's how I became aware of it's existence) and you delivered already. Big props and thanks to you for that video and honest review. IMHO, Let's Encrypt wildcard certs (or any SSL/TLS protection feature for that matter), shouldn't be used as business tactics.
@@panthonyy I totally agree. Hopefully a bit of heat might make them change their mind...
totally agree, now we know not to go with bunkerweb. But great the SSL paywall gets changed with the next version
Thanks to your videos Jim, I ended up buying my own 3 ms-01 proxmox cluster setup this week. I got them all on sale because of black friday sales, ended up getting 96GB ram, multiple MVE 1TB drives for each, setting up the backhaul network etc also. I really appreciate what you did here! Hopefully the guys at Minisforum gave you great compensation for your work!
@@LanceBryantGrigg hey, that's awesome! Welcome to the club. Nope, I didn't receive any kickback but I'd do it again. They're great devices!
Thanks for the demo and info. Another great fantastic video Jim. Have a wonderful day
Glad you enjoyed it
Looks like a great app, but I totally agree that the SSL paywall is frustrating! It’s disappointing that essential features like wildcard certificates are locked behind a paywall, which limits the app's full potential, especially for homelab enthusiasts who value flexibility without extra costs. If they offered cloud support or had an open donation model instead of holding back core functionality, I think it would open up a lot more engagement from the community. It’s a shame to see such valuable features restricted this way-otherwise, BunkerWeb would be a fantastic WAF choice. Great walkthrough though; your testing with Docker really helped clarify the setup :)
@@Deffcolony totally agree. Let's hope they re-evaluate the decision...
Thanks Jim for bringing up the subjects of features which should be free, hopefully they listen. But I do think wildcard is supported via port 80, at least it worked for me when I tested safeline.
If we already have nginxreverseproxy or Traeffik working with wildcard DNS/SSL, can Bunkerweb use that instead of using or passing BW's Let's Encrypt DNS plugin?
@@GundamExia88 yes, you can use that. To be honest you can add crowdsec to Traefik anyway, and add bunkerweb integration.
I think I'll keep my Traefik + CrowSec configuration.
Hiding DNS-Challenge certificates behind a paywall is really silly.
@@chummy7294 I agree 👍
SSL Paywall absolute no-go!
Jim for me You are Legend :D
@@PCMagikHomeLab thanks 👍
Yeah, stopping any consideration (for now)at 3:20 -- that really is a deal breaker for a home lab; continuing to tune in to see if it fits a pro use case (and to make sure you get the view!)
Great video! I agree with your points regarding SSL cwrts and paywall. I still think traefik + plugins is more sustainable for homelabbers.
I there a way to double up a CloudFlare tunnel and a WAF like this in my home lab? I know CF tunnels have protections available but I’d love to utilise both so I can take advantage of the crowdsourcing!
Should be doable. Check my Cloudflare Tunnels video where I do this with Traefik and crowdsec
@Jims-Garage cheers!
Is this just a WAF or can it also be used as a reversed proxy? Looking to get rid of NPM and if this can do the same + adds a lot of protection then it's a no-brainer.
Multisite makes it act like a reverse proxy
Is it going to work on system with less RAM? I am trying your compose file on RPi5 and 1st bunkerweb container cannot start with ngx failing: no memory
@@madburbel try adding some limits to each container
@@Jims-Garage I have added mem_limit: "1024MB" on each container, no change
@madburbel try 512 perhaps?
@@Jims-Garage at the end I found old issue with ARM based CPUs. Works fine on x64 i5.
Great to know!! It was my only apprehension, only due to my limited ability to justify an additional expenditure (bullshit speak for currently not making money).
If its open source, cant you just edit the limits like the plugin limit?
No, certain things are locked behind a licence key.
Great video JIm. Traefik 3 plus Coraza plugin next in the WAF series please.
I already have Nginx configured as a reverse proxy for my web apps. Can I set up BunkerWeb to work alongside this setup? I assume I’ll need to configure port forwarding so that traffic routes through BunkerWeb before reaching Nginx?
@@michaeldziegiel4954 yes, with non multisite it behaves like a proxy
Yes as it acts as a reverse proxy. And even don't think about to install the binary version on your linux machine with nginx. I've already done this for you and I cannot recommend this approach :-D It will destroy your nginx config. Use the docker version in that case & choose some ports which are not in use...
Great video...thanks for sharing. Would be nice to see how this would be configured in front of an real web application instead of protecting itself.
Thanks, I plan to cover that if and when they change the certificate issue. It's similar to Traefik via the use of a label.
Thanks for the vid but I'll stick with SWAG with crowdsec and Fail2Ban integrated
bunkerweb doesnt have Anti-exploit and no Nginx modules like anti-bot and rate-limiting. Better go for something like SafeLine
@@LabMonkey-k2j fairly certain it has both of those features
Considering security protection performance, SafeLine is better.
Looks unnecessarily complex to host
Perhaps, but what's your comparitor? Might be a bit more leg work initially but once it's done it's infra as code.
Crowdsec over bunker. You cant be trying to help keep the web secure and then paywall FREE letsencrypt certs. Thats just, wow...