Most active commenters

    Ask HN: Cloudflare WAF Alternatives?

    28 points rco8786 | 17 comments | 05 Dec 25 20:10 UTC | HN request time: 0.786s | source | bottom

    I don't know if we're ready to pull the trigger yet, but curious if other folks are looking at alternatives.

    The WAF is great, but recent events have made it obvious that having a single point of failure entirely defeats the purpose of DNS being a distributed/decentralized service.

    Is anyone doing anything creative here? We like the features that the WAF provides - but not at the expense of global outages. If you have a 3 9s availability SLA, you've just blown 90% of your allotted downtime because of Cloudflare's WAF.

    1. yearolinuxdsktp ◴[05 Dec 25 21:05 UTC] No.46167294[source]
    AWS Route53, built-in DDoS basic protections, plus AWS WAF (can be expensive depending on your budget).
    replies(1): >>46168882 #
    2. mappu ◴[05 Dec 25 21:23 UTC] No.46167502[source]
    The ability of a WAF to respond to an 0day incident is rapid rollout, 100% of endpoints, which is a SPOF no matter whether it's done via a big company or by a distributed system.
    replies(1): >>46172478 #
    3. grim_io ◴[05 Dec 25 22:20 UTC] No.46168130[source]
    Being down because half the internet is down is an easier sell than being down because you fucked it up yourself.
    4. synack ◴[05 Dec 25 23:39 UTC] No.46168882[source]
    I've been using Cloudfront Functions to do some of the filtering that a WAF would do. It's quite flexible, but you've gotta figure out your own rules.
    replies(1): >>46169469 #
    5. 882542F3884314B ◴[06 Dec 25 00:00 UTC] No.46169040[source]
    Akamai is a decent alternative.
    6. BOOSTERHIDROGEN ◴[06 Dec 25 00:37 UTC] No.46169317[source]
    CrowdSec
    7. y-curious ◴[06 Dec 25 01:01 UTC] No.46169469{3}[source]
    AWS WAF has some presets you can use
    8. ◴[06 Dec 25 01:25 UTC] No.46169637[source]
    9. 3rube ◴[06 Dec 25 02:43 UTC] No.46170101[source]
    Fastly (US) and BunnyCDN (EU) are excellent options
    10. stevefan1999 ◴[06 Dec 25 03:42 UTC] No.46170458[source]
    What about open source alternative built with Nginx/OpenResty? I forgot the name but that's the spirit
    11. server_man3000 ◴[06 Dec 25 07:34 UTC] No.46171439[source]
    Not worth. Competitors like Bunny CDN which is much smaller will inevitably have a much worse incident as they grow. Every large company will inevitably have a couple bad incidents so asking “what other large company will never have incidents” is a moronic perspective IMO
    12. poguemahoney ◴[06 Dec 25 11:24 UTC] No.46172478[source]
    Assuming there are still 2 WAF makers they hopefully do two mostly independent rollouts at least with separate reviewers.. It is a little shocking to me how far we have slid down the slope to letting one monopoly decide when each part of of computing environment is up.. But if bigger organizations are down it is socially acceptable to have an outage.
    13. mindcrash ◴[06 Dec 25 12:35 UTC] No.46172835[source]
    some alternatives which can be self hosted:

    open-appsec (by checkpoint), their proxy/gateway integration and your favorite firewall daemon:

    https://docs.openappsec.io/getting-started/start-with-linux

    appsec (by crowdsec), their proxy/gateway integration and your favorite firewall daemon:

    https://docs.crowdsec.net/u/getting_started/installation/lin...

    14. tguvot ◴[06 Dec 25 17:52 UTC] No.46175183[source]
    imperva
    15. dennis16384 ◴[06 Dec 25 19:51 UTC] No.46176103[source]
    Google Cloud Armor plus Load Balancer?

    You can balance traffic to external networks or clouds with it too.

    16. Carriethebest ◴[09 Dec 25 09:55 UTC] No.46203180[source]
    I would recommend SafeLine. It's self-hosted and easy to setup