Secure Your Web Apps in Minutes: OpenAppSec WAF with NGINX Proxy Manager
In today's digital landscape, protecting your web applications from threats is not just an option—it's a necessity.
With OpenAppSec, a modern, open-source WAF designed for simplicity and powerful, pre-emptive threat protection. When combined with the popular NGINX Proxy Manager (NPM), you get a robust, easy-to-use solution for securing your containerized applications.
This guide will walk you through deploying OpenAppSec with NGINX Proxy Manager using Docker, all managed from the slick OpenAppSec SaaS Web UI. Let's get started!
Prerequisites
Before we begin, ensure you have the following ready:
A Linux server or VM with Docker and Docker Compose installed.
Internet access to pull Docker images and connect to the OpenAppSec cloud.
(Optional) A backend web application you want to protect. For this guide, we'll assume an application is running on port
3000.Deployment Model:
Fetch the Deployment Blueprint
Create a folder for your new open-appsec deployment and switch to that folder, e.g.
mkdir open-appsec-deployment
cd ./open-appsec-deployment
Download the docker compose file for your desired open-appsec integration
wget https://raw.githubusercontent.com/openappsec/openappsec/main/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml
Download the .env file for your desired open-appsec integration and adjust the configuration to your requirements as described below:
wget https://raw.githubusercontent.com/openappsec/openappsec/main/deployment/docker-compose/nginx-proxy-manager-centrally-managed/.env
Link Your Agent to the OpenAppSec Cloud
To manage our new WAF, we need to connect it to the central management portal. This is done using a secure token:
Navigate to the OpenAppSec Portal: https://my.openappsec.io/
Sign up for a free account or log in using your email, Google, or GitHub.
From the "Getting Started" page, follow these steps:
Check the box for "I deployed an Agent".
Click Manage and select the Docker Profile.
For the subtype, choose "NGINX Proxy Manager application security".
Click Enforce Policy.
You will now be presented with a unique management token. Copy this token.
Back in your server's terminal, add this token as an environment variable. This allows Docker Compose to inject it into the agent container upon startup.
(Remember to replace YOUR_TOKEN_HERE with the actual token you copied.)
export TOKEN="YOUR_TOKEN_HERE"
Launch the Stack!
With the configuration in place, it's time to bring everything online. Run the following command to start the services in detached mode (-d), which lets them run in the background.
docker-compose up -d
Docker will now pull the necessary images and start the containers. To verify that everything is running correctly, use the docker ps command:
docker ps -a
You should see an output similar to this, with the appsec-agent and npm-centrally-managed-attachment containers showing an "Up" status:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5204903ec4fe ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:latest "/init" 9 seconds ago Up 6 seconds 0.0.0.0:80-81->80-81/tcp, :::80-81->80-81/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp npm-centrally-managed-attachment
4905a185b6fd ghcr.io/openappsec/agent:latest "/cp-nano-agent --to…" 9 seconds ago Up 7 seconds appsec-agent
You should now see the application on the open-appsec Web UI!
Configure Your First Proxy Host
Now that the stack is running, we need to tell NGINX Proxy Manager how to route traffic to your backend application.
Access the NGINX Proxy Manager web portal at http://<your-server-ip>:81.
On your first login, you'll be prompted to create an admin user and change the password.
Click Add Proxy Host.
Fill in the details for your application. For example, if you have an app named acmeaudit running on the same Docker host:
Domain Names: acmeaudit.local (or your actual domain)
Scheme: http
Forward Hostname / IP: acmeaudit
Forward Port: 3000
Click Save.
Now, you can run the following curl command again and that NGINX Proxy Manager is now serving ACME Audit application on port 80:
curl http://localhost
Activate Protection in the OpenAppSec Portal
In the open-appsec Web UI: Create an asset defining the specific resources that open-appsec should protect, don't forget to enforce the policy afterwards. When logged in to the open-appsec portal, click on the Assets option in the top navigation menu.
The final and most crucial step is to enable the WAF policy for your application.
Return to your OpenAppSec Web UI.
Click on the Assets tab in the top navigation menu.
Click Create a new asset and fill in the details:
Profile: Choose the Docker profile you created earlier.
Web application URL: To protect all traffic to your site, enter http://*/*. You can make this more specific if needed.
Switch to the Web tab within the asset configuration.
Change the Threat Prevention Mode from Detect to Prevent. This tells the WAF to actively block malicious traffic, not just log it.
Click the Enforce policy button in the top right corner.
That's it! Your application is now actively protected by the OpenAppSec WAF. Any changes you make to the security policy in the SaaS portal will be automatically synced to your agent.
Conclusion
You have successfully deployed a powerful, cloud-managed Web Application Firewall in front of your application using Docker. This combination of OpenAppSec and NGINX Proxy Manager provides a streamlined, modern, and highly effective way to manage your web security posture.
From here, you can explore the OpenAppSec portal to fine-tune security rules, monitor traffic, and analyze security events across all your protected assets.
