A powerful free and open source WAF – UUSEC WAF (github.com/safe3)
21 points by uusec 88 days ago | 28 comments



Those guys are also opening "ad" issues on unrelated repositories [0]. Adding that to what others mentioned, it really doesn't inspire confidence in the software.

[0] https://github.com/goauthentik/authentik/issues/13521


When I saw that link I thought maybe it was one of those: "add X to the recommended libraries list" PRs or something like that. But this is wild... it's literally an advertisement.


Sorry for disturbing you, we just want to let more people know about it and benefit from it!


That will burn any goodwill in the GitHub community and here. People will get angry and flag ads, but also ignore or flag good articles.


The license used [1] would mean this very much wouldn't be widely considered open source, since the license sets limits on use and does not seem to provide open modification nor distribution.

[1] https://github.com/Safe3/uuWAF/blob/393262d525d0e35c14819bfa...


I don't think it's even source-available? The repo has docs, a bunch of Lua scripts (for what software?), a small PHP module and a compiled "geo-ip firewall" binary. Most of the features mentioned on the GitHub page appear to only be in the paid version of the software, and this limited "free" version is delivered as a mystery-meat Docker image pulled from Huawei Cloud.

At best this is an advertisement that lies about being open source.


This is partly open sourced, not fully. All the rules are open sourced. We use Huawei Cloud because downloading from its Docker mirrors is faster.


The community version is totally free for personal use.


The docker images it builds from are on Huawei cloud? I’d approach this with caution.


I would take this as two things at once, from personal opinion:

- There is probably a PRC backdoor somewhere in this

- This is probably very high quality software

I've dealt with Huawei security a little bit and in general Huawei as a company is really serious about security and handles low-level/deep security software pretty well.

Also based on what the top commenter posted about the license... I don't know how usable this actually is for anyone, lol.


Complete prejudice and lies. Why do those from China have backdoors and those from the United States are very secure? At least publicly available information shows that Huawei has never intentionally left backdoors, while the NSA in the United States is notorious!


If you suspect there is a backdoor, please provide concrete evidence instead of imagination and false accusations.


We use it just because downloading from the Docker mirrors on Huawei Cloud is faster. What's your problem with Huawei?


I have growing concerns with the increased costs of WAFs. I am certainly not getting excited about how expensive things are getting from places like Akamai and CloudFront. I'm just idly waiting to see where things land. An open source solution is nice, although the costs for infrastructure do crank up. Wonder how this compares to Fastly?

I see others mention it isn't truly free even if open source. Is this thread an ad?


The community version is totally free for personal use.


This is partly open sourced, not fully.


It's wild to see machine learning baked right into a free WAF - feels like having an AI watchdog that never sleeps. Curious to see how this shifts the security landscape long-term, especially for startups that can't afford heavyweight protection systems.


All your comments read like they're generated by an LLM from a template.


Definitely a bot.


The machine learning is only for the pro version. Why so much prejudice?


How does this compare to, say, https://github.com/corazawaf/coraza (Apache licensed, either embeddable as a library, as an nginx or caddy plugin, or standalone)?


Coraza is a Go version of ModSecurity, with the same problems as ModSecurity: too many false positives and false negatives.


Just curious, how do you test and benchmark the accuracy for such a product across different vendors, like CloudFlare?


Anyway, you can install it and test it yourself!


People who have truly used it can express their opinions. Whoever uses it, says it!


[flagged]


You already used this spam text in your spam issues you opened in other people's repos. Can't you get your LLM to generate some variety at least?


This reads like LLM generated text.


Lies stop at the wise; only those who have used them have the right to speak.



