bext-waf — Web Application Firewall for the bext server.
Provides IP filtering (CIDR), geo-blocking, request inspection (SQLi/XSS/traversal/scanner), bot detection, DDoS mitigation, enhanced rate limiting, and audit logging.
All regex patterns are compiled once via OnceLock — zero per-request compilation cost.
Re-exports
- pub use audit::WafAuditLog;
- pub use audit::WafAuditStats;
- pub use audit::WafEvent;
- pub use bot::BotConfig;
- pub use bot::BotDetector;
- pub use bot::BotMode;
- pub use ddos::DdosConfig;
- pub use ddos::DdosGuard;
- pub use geo::GeoBlocker;
- pub use geo::GeoConfig;
- pub use geo::GeoMode;
- pub use ip_filter::IpFilter;
- pub use ip_filter::IpFilterConfig;
- pub use ip_filter::IpFilterMode;
- pub use rate_limit::EnhancedRateLimiter;
- pub use rate_limit::RateLimitRule;
- pub use rules::custom::CustomRule;
- pub use rules::custom::CustomRuleAction;
- pub use rules::custom::MatchConfig;
- pub use rules::RuleConfig;
- pub use rules::RuleEngine;
Modules
- audit
- WAF audit logging — bounded event buffer with statistics and Prometheus export.
- bot
- Multi-signal bot detection with configurable response modes.
- ddos
- DDoS mitigation — connection, body size, and header abuse guards.
- geo
- Geo-blocking — country-level access control via MaxMind GeoLite2.
- ip_filter
- IP allow/deny filtering with CIDR range support.
- rate_limit
- Token-bucket rate limiting with per-rule path matching.
- rules
- Attack-pattern detection engine — orchestrates 16 specialised rule modules with 20+ security checks.
Structs
- WafConfig
- Full WAF configuration.
- WafEngine
- The main WAF engine composing all sub-systems.
- WafRequest
- A protocol-agnostic representation of an HTTP request.
- WafStats
- WAF statistics.
Enums
- WafDecision
- The decision made by the WAF for a given request.