11/17/2025, 4:06:30 AM

Show HN: WGE – High-Performance WAF Library, 4x Faster Than ModSecurity

1 point, 0 comments

# WGE: High-Performance Web Application Firewall - 4x Faster than ModSecurity

Hey everyone! I'd like to introduce *WGE (Web Governance Engine)* - a high-performance Web Application Firewall library built with modern C++23 that our team has just open-sourced.

## Why Build Another WAF?

Existing WAF solutions often become performance bottlenecks when handling large-scale traffic. We discovered ModSecurity's limitations in high-concurrency scenarios within our commercial product, leading us to build a truly high-performance WAF engine from the ground up.

## Performance Numbers Don't Lie

We conducted detailed benchmark tests (Intel i5-10400, 32GB RAM, Ubuntu 20.04, 8 threads):

| Test Case | Memory Pool (TCMalloc) | ModSecurity | WGE | Performance Gain |
|-----------|------------------------|-------------|-----|------------------|
| CRS v4.3.0 | No | 4,010 QPS | 17,560 QPS | *4.38x* |
| CRS v4.3.0 | Yes | 4,927 QPS | 18,864 QPS | *3.83x* |

This isn't the result of micro-optimizations, but comprehensive optimization from architectural design to implementation details.

## Technical Highlights

- *Modern C++23*: Leverages latest language features with zero-cost abstractions
- *OWASP CRS Compatible*: Supports existing rule sets, low migration cost
- *Thread-Safe*: True multi-threaded concurrent processing
- *Memory Efficient*: Carefully designed memory management and object pooling
- *Easy Integration*: Clean API design, integrates with just a few lines of code

## Architecture Design

We rethought the core WAF architecture from the ground up:

1. *Security Transform Engine*: Uses Ragel state machines for security-critical transformations (HTML entity decoding, URL decoding, JS decoding, etc.) to prevent evasion attacks - more efficient and maintainable than hand-written state machines
2. *Rules Engine*: ANTLR4-driven rule parsing supporting complex conditional logic
3. *Variable System*: Efficient variable storage and access mechanisms
4. *Operator Library*: String matching and pattern recognition optimized for WAF scenarios
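To make the "transform before match" idea in point 1 concrete, here is an added example written for this post; it is not WGE's code and does not use the WGE API. WGE generates its decoders from Ragel grammars, whereas this is a hand-written stand-in in plain C++: a bounded percent-decode to a fixed point, HTML entity decoding, case folding, and then phrase matching on the normalized text. The rule ids, the two-rule set and the sample argument values are all constructed for the demo. The point it shows is that a rule matching on the raw bytes would miss the encoded forms, and that an input needing more than one decode pass is surfaced as its own finding rather than silently unwrapped.

```cpp
// Added example (not WGE's code): a minimal security-transform pipeline
// followed by rule matching, illustrating why a WAF decodes before it matches.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <unordered_map>
#include <vector>

// Hypothetical rule ids, used by this demo only.
constexpr int kRuleScriptTag = 1001;     // "<script" seen in an argument
constexpr int kRuleTraversal = 1002;     // "../" seen in an argument
constexpr int kRuleDoubleEncoded = 9001; // value needed more than one decode pass

static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (c >= 'a' && c <= 'f') return 10 + (c - 'a');
    return -1;
}

// One percent-decode pass; '+' becomes a space as in form encoding. Malformed
// escapes ("%zz", trailing "%") are copied through unchanged so that a broken
// escape cannot abort the transform and hide the rest of the value.
std::string wafUrlDecode(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            int hi = hexVal(in[i + 1]), lo = hexVal(in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out.push_back(static_cast<char>(hi * 16 + lo));
                i += 2;
                continue;
            }
        }
        out.push_back(in[i] == '+' ? ' ' : in[i]);
    }
    return out;
}

// Decode the common named entities plus decimal/hex numeric references in the
// single-byte range; anything unrecognised is left verbatim.
std::string wafHtmlDecode(const std::string& in) {
    static const std::unordered_map<std::string, char> named = {
        {"lt", '<'}, {"gt", '>'}, {"amp", '&'}, {"quot", '"'}, {"apos", '\''}};
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '&') { out.push_back(in[i]); continue; }
        size_t semi = in.find(';', i);
        if (semi == std::string::npos) { out.push_back(in[i]); continue; }
        std::string body = in.substr(i + 1, semi - i - 1);
        bool ok = false;
        char decoded = 0;
        if (!body.empty() && body[0] == '#') {  // numeric: &#60; or &#x3c;
            int base = 10;
            size_t start = 1;
            if (body.size() > 1 && (body[1] == 'x' || body[1] == 'X')) { base = 16; start = 2; }
            long v = 0;
            ok = start < body.size();
            for (size_t k = start; k < body.size() && ok; ++k) {
                int d = hexVal(body[k]);
                if (d < 0 || d >= base) ok = false; else v = v * base + d;
                if (v > 255) ok = false;
            }
            if (ok) decoded = static_cast<char>(v);
        } else {
            auto it = named.find(body);
            if (it != named.end()) { decoded = it->second; ok = true; }
        }
        if (ok) { out.push_back(decoded); i = semi; } else { out.push_back(in[i]); }
    }
    return out;
}

struct Normalized {
    std::string value;    // fully decoded, lower-cased text the rules see
    int urlDecodePasses;  // >1 means the raw value was multiply percent-encoded
};

// Percent-decode to a fixed point (bounded), then entity-decode and case-fold.
Normalized wafNormalize(const std::string& raw, int maxPasses = 3) {
    Normalized n{raw, 0};
    for (int i = 0; i < maxPasses; ++i) {
        std::string next = wafUrlDecode(n.value);
        if (next == n.value) break;
        n.value = std::move(next);
        ++n.urlDecodePasses;
    }
    n.value = wafHtmlDecode(n.value);
    std::transform(n.value.begin(), n.value.end(), n.value.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return n;
}

struct Rule { int id; std::vector<std::string> phrases; };

// Constructed demo rule set: phrase matching in the spirit of CRS @pm rules.
const std::vector<Rule> kDemoRules = {
    {kRuleScriptTag, {"<script"}},
    {kRuleTraversal, {"../"}},
};

// Returns the ids of every rule that fires for one raw argument value.
std::vector<int> wafEvaluate(const std::vector<Rule>& rules, const std::string& raw) {
    Normalized n = wafNormalize(raw);
    std::vector<int> hits;
    for (const Rule& r : rules)
        for (const std::string& p : r.phrases)
            if (n.value.find(p) != std::string::npos) { hits.push_back(r.id); break; }
    if (n.urlDecodePasses > 1) hits.push_back(kRuleDoubleEncoded);
    return hits;
}

int main() {
    // Constructed sample argument values: plain, encoded, entity-encoded, double-encoded.
    for (const char* raw : {"q=hello+world", "q=%3Cscript%3E", "q=&lt;script&gt;", "q=%253cscript%253e"}) {
        std::cout << raw << " ->";
        for (int id : wafEvaluate(kDemoRules, raw)) std::cout << ' ' << id;
        std::cout << '\n';
    }
    return 0;
}
```

The decode loop is bounded on purpose: a transform that decodes until nothing changes, with no cap, is itself a CPU sink on adversarial input, and the pass count is kept as a signal so that policy (block, log, or score) can be decided by a rule rather than buried in the decoder.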

## Real-World Application

WGE is already battle-tested in our commercial product Stone Rhino Web Governance Engine, handling large-scale production traffic. We're open-sourcing this to let more developers benefit from high-performance WAF technology.

## Quick Start

```cpp
// Create engine (logging disabled via spdlog level)
Wge::Engine engine(spdlog::level::off);

// Load rules
engine.loadFromFile("rules.conf");
engine.init();

// Process requests
auto transaction = engine.makeTransaction();
transaction->processConnection(...);
transaction->processUri(...);
// ... other processing steps
```

## Open Source Commitment

- *MIT License*: Commercial-friendly
- *Active Maintenance*: Continuous feature updates and performance optimization
- *Community-Driven*: Contributions and feedback welcome

## Project Information

- *GitHub*: [stone-rhino/wge](https://github.com/stone-rhino/wge)
- *Documentation*: Basic build instructions and usage examples (contributions welcome!)
- *Testing*: Comprehensive unit tests and benchmarks included

## Why Choose WGE?

1. *Performance*: Handle 4x+ more traffic on the same hardware
2. *Compatibility*: Drop-in replacement for ModSecurity
3. *Modern*: C++23 brings both development efficiency and runtime performance
4. *Production-Proven*: Battle-tested in commercial environments at scale

We believe high-performance security infrastructure should be open and accessible. WGE isn't just a faster ModSecurity replacement—it represents our thinking and practice on modern WAF architecture.

Looking forward to hearing your thoughts and feedback! If you're seeking high-performance WAF solutions or interested in modern C++ applications in systems software, give WGE a try.

---

The Stone Rhino Team


ID: 45950772 | Type: story | Last synced: 11/17/2025, 4:08:03 AM
