Cloudron Forum
Feature Request: 🔥 Simple per-App WAF with Templates (KISS) 🏰

Category: Feature Requests. Tags: waf, security, firewall
    imc67 (translator) wrote, last edited by imc67:

    Feature Request: Simple per-App WAF with Templates (KISS=Keep It Stupid Simple)

    Cloudron is often used to host multiple web applications with very different exposure levels (e.g. public websites, WordPress instances, admin-only tools).
    At the moment, most protection is instance-wide, which makes it hard to apply different security policies per app without external tooling.

    Community Precedent – Cloudron Forum discussions

    Users have repeatedly discussed the need for more granular access control / WAF-like features in Cloudron:

    • In “Is there a way to rate limit connections to a site for certain user agent strings?”, users talk about using Bunkerweb as a workaround for the lack of built-in request filtering and mention that “Cloudron doesn’t have anything like WAF” and the desire to move away from Cloudflare WAF because Cloudron currently lacks native solutions.
      https://forum.cloudron.io/topic/14343/is-there-a-way-to-rate-limit-connections-to-a-site-for-certain-user-agent-strings

    • Users have explicitly asked about limiting web-based access to individual Cloudron apps (e.g., basic auth, IP-based restrictions), indicating demand for app-level access controls.
      https://forum.cloudron.io/topic/8804/limiting-web-based-access-to-cloudron-apps

    • In “What’s coming in Cloudron 6.3”, I suggested features inspired by Wordfence, including blocking by IP/location and geo-blocking, and specifically called out geo-blocking of countries as a desirable security improvement.
      https://forum.cloudron.io/topic/4723/what-s-coming-in-cloudron-6-3/4

    • Related support threads show users trying to restrict access to the Cloudron login page by IP while keeping other apps public, again highlighting demand for more granular access controls.
      (See posts by user hiyukoim in the support category.)

    I would like to propose a simple, KISS-oriented Web Application Firewall (WAF) at app level, tightly integrated into Cloudron.


    Problem

    • Not all apps should be equally reachable from the internet
    • Admins often want basic access control (countries, IPs, paths) without deploying a full external WAF
    • Instance-wide rules are often too coarse

    Goals

    • Per-app access control
    • Very simple and predictable behavior
    • No security expertise required
    • Reusable defaults for admins managing many apps

    Proposed Solution

    1. Per-app WAF

    Each web app can optionally enable its own WAF.

    2. App-level rules

    Within an app WAF, an admin can configure:

    • IP whitelist / blacklist
    • Geo allow / block (noise reduction, not “hard security”)
    • Path-based rules (extra layer), for example:
      • /wp-login.php
      • /wp-admin/*
      • /api/*

    Rules should be path-based only (no complex regex).

    3. Instance-level WAF templates

    At Cloudron instance level, admins can define WAF templates (profiles), such as:

    • Public website
    • WordPress hardened
    • Admin-only app
    • Internal / trusted IPs only

    For each app:

    • Select a template
    • Optionally extend or override it locally

    This avoids repetitive configuration and keeps policies consistent.

    4. Clear precedence (important for predictability)

    Suggested order:

    1. IP whitelist
    2. Geo allow
    3. IP blacklist
    4. Geo block
    5. Path rules

    Whitelist rules always take precedence.


    Optional (still KISS)

    • Per-app blocked requests log (read-only)
      • Timestamp
      • Source IP / country
      • Rule type (IP / Geo / Path)
    • Report-only / dry-run mode for new rules
    • Temporarily disable the WAF for this app (emergency switch)

    Non-goals (explicitly out of scope)

    • Full ModSecurity / OWASP CRS
    • Regex-heavy rules
    • Deep request inspection (headers, body, users, roles)
    • Replacing a dedicated enterprise WAF

    This feature is intended to cover the 80% use case in a Cloudron-native, admin-friendly way, while keeping configuration minimal and understandable.
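One way to model the proposed design end to end (template plus local override, the five-step precedence with whitelist winning, report-only mode, and the read-only blocked-requests log), as an added example in Python that is neither Cloudron's code nor the poster's; the Policy structure, field names, glob-style path matching and the sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase

@dataclass
class Policy:                                      # one template, local rule set, or merge
    ip_allow: list = field(default_factory=list)   # IP whitelist (CIDR strings)
    geo_allow: list = field(default_factory=list)  # country codes always allowed
    ip_block: list = field(default_factory=list)   # IP blacklist (CIDR strings)
    geo_block: list = field(default_factory=list)  # country codes to block
    path_block: list = field(default_factory=list) # glob paths, e.g. /wp-admin/*
    report_only: bool = False                      # dry-run: log, never block

def apply_template(template: Policy, local: Policy) -> Policy:
    """Instance-level template extended by the app's local rules (lists are unioned)."""
    merged = Policy(report_only=local.report_only)
    for name in ("ip_allow", "geo_allow", "ip_block", "geo_block", "path_block"):
        setattr(merged, name, getattr(template, name) + getattr(local, name))
    return merged

def _ip_in(ip: str, cidrs: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def evaluate(policy: Policy, ip: str, country: str, path: str, log: list) -> str:
    """Return 'allow', 'block' or 'report'. Checks run in the proposed order: IP
    whitelist, geo allow, IP blacklist, geo block, path rules; a whitelist hit
    returns at once, so whitelist rules always win. Blocks go to the per-app log."""
    path = path.split("?", 1)[0]                   # match the path, not the query string
    if _ip_in(ip, policy.ip_allow) or country in policy.geo_allow:
        return "allow"
    if _ip_in(ip, policy.ip_block):
        rule = "IP"
    elif country in policy.geo_block:
        rule = "Geo"
    elif any(fnmatchcase(path, pat) for pat in policy.path_block):
        rule = "Path"
    else:
        return "allow"
    action = "report" if policy.report_only else "block"
    log.append({"timestamp": datetime.now(timezone.utc).isoformat(), "ip": ip,
                "country": country, "rule": rule, "action": action})
    return action

# Constructed sample: a "WordPress hardened" template plus one app's local whitelist.
# 203.0.113.0/24 is a documentation range; "ZZ" is a user-assigned placeholder code.
WORDPRESS_HARDENED = Policy(path_block=["/wp-login.php", "/wp-admin/*"], geo_block=["ZZ"])
APP_POLICY = apply_template(WORDPRESS_HARDENED, Policy(ip_allow=["203.0.113.0/24"]))
```

A whitelisted office address reaches /wp-admin/ even from a blocked country, while everyone else is refused on the login path (rule type Path) or by country (rule type Geo), and switching the local override to report_only only logs instead of blocking.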
