WHY BUILD ANOTHER WAF?
Existing WAF solutions often become performance bottlenecks when handling large-scale traffic. We discovered ModSecurity's limitations in high-concurrency scenarios within our commercial product, leading us to build a truly high-performance WAF engine from the ground up.
PERFORMANCE NUMBERS DON'T LIE
We conducted detailed benchmark tests (Intel i5-10400, 32GB RAM, Ubuntu 20.04, 8 threads):
Test Case: CRS v4.3.0 without TCMalloc - ModSecurity: 4,010 QPS - WGE: 17,560 QPS - Performance Gain: 4.38x
Test Case: CRS v4.3.0 with TCMalloc - ModSecurity: 4,927 QPS - WGE: 18,864 QPS - Performance Gain: 3.83x
This isn't the result of micro-optimizations, but comprehensive optimization from architectural design to implementation details.
TECHNICAL HIGHLIGHTS
- Modern C++23: Leverages latest language features with zero-cost abstractions
- OWASP CRS Compatible: Supports existing rule sets, low migration cost
- Thread-Safe: True multi-threaded concurrent processing
- Memory Efficient: Carefully designed memory management and object pooling
- Easy Integration: Clean API design, integrates with just a few lines of code
ARCHITECTURE DESIGN
We rethought the core WAF architecture from the ground up:
1. Security Transform Engine: Uses Ragel state machines for security-critical transformations (HTML entity decoding, URL decoding, JS decoding, etc.) to prevent evasion attacks - more efficient and maintainable than hand-written state machines
2. Rules Engine: ANTLR4-driven rule parsing supporting complex conditional logic
3. Variable System: Efficient variable storage and access mechanisms
4. Operator Library: String matching and pattern recognition optimized for WAF scenarios
REAL-WORLD APPLICATION
WGE is already battle-tested in our commercial product Stone Rhino Web Governance Engine, handling large-scale production traffic. We're open-sourcing this to let more developers benefit from high-performance WAF technology.
QUICK START
// Create engine
Wge::Engine engine(spdlog::level::off);
// Load rules
engine.loadFromFile("rules.conf");
engine.init();
// Process requests
auto transaction = engine.makeTransaction();
transaction->processConnection(...);
transaction->processUri(...);
// ... other processing steps
- MIT License: Commercial-friendly
- Active Maintenance: Continuous feature updates and performance optimization
- Community-Driven: Contributions and feedback welcome
PROJECT INFO
- GitHub: https://github.com/stone-rhino/wge
- Documentation: Basic build instructions and usage examples (contributions welcome!)
- Testing: Comprehensive unit tests and benchmarks included
WHY CHOOSE WGE?
1. Performance: Handle 4x+ more traffic on the same hardware
2. Compatibility: Drop-in replacement for ModSecurity
3. Modern: C++23 brings both development efficiency and runtime performance
4. Production-Proven: Battle-tested in commercial environments at scale
We believe high-performance security infrastructure should be open and accessible. WGE isn't just a faster ModSecurity replacement—it represents our thinking and practice on modern WAF architecture.
Looking forward to hearing your thoughts and feedback! If you're seeking high-performance WAF solutions or interested in modern C++ applications in systems software, give WGE a try.
--- The Stone Rhino Team
westurner•2mo ago
> Shouldn't eBPF be fast at sorting and running rules?
Re: eBPF and WAFs: https://news.ycombinator.com/item?id=45753629#45755142
> What are good metrics for evaluating WAFs?