CloFix Nano Agent | WAF Agent

01 What is the CloFix Agent?

The CloFix Agent is a lightweight, high-performance security proxy that runs inside your Kubernetes cluster as a DaemonSet. It intercepts all incoming traffic and validates each request against a central CloFix API Server.

🎯 Core Design Philosophy
✅ All security rules and licenses are managed on the server (central control plane).
✅ The agent is stateless, caching decisions for high performance.
✅ If the server becomes unreachable, the agent enters fallback mode for zero downtime.

02 Key Benefits

Full coverage against A01-A10 vulnerabilities including Injection, Broken Auth, XSS, SSRF, and more. 99.9% attack detection rate.

Write rules in JSON, Lua, Python, JavaScript, or Go plugins. Auto-reload on changes. 10x faster than traditional WAFs.

95% cache hit rate, <5µs processing for cached requests. Handles 50k+ RPS on single node.

Domain-based licensing, IP whitelisting, monthly quota, agent limits, and feature-based access control.

Nginx, Apache, HAProxy, Traefik, Caddy, AWS ALB, K8s Ingress, Cloudflare Workers, and Istio.

DaemonSet with hostNetwork, Helm chart, Prometheus metrics, and automatic sidecar injection.

OWASP Top 10 Complete Vulnerability Coverage

A01:2021

Broken Access Control

Path-based authorization checks
Forceful browsing prevention
Directory traversal detection
IDOR protection

A02:2021

Cryptographic Failures

TLS/SSL enforcement
Weak cipher detection
Secure header injection (HSTS, CSP)
Sensitive data exposure prevention

A03:2021

Injection Flaws

SQL/NoSQL Injection prevention
Command Injection blocking
LDAP Injection protection
ORM Injection detection

A04:2021

Insecure Design

Rate limiting & brute force prevention
Request throttling
Business logic flaw detection
Input validation rules

A05:2021

Security Misconfiguration

Security headers enforcement
Directory listing blocking
Default path protection
Debug mode detection

A06:2021

Vulnerable Components

CMS vulnerability blocking
Framework-specific attack prevention
Plugin vulnerability detection
Known exploit pattern matching

A07:2021

Identification & Auth Failures

Brute force protection
Credential stuffing prevention
Session hijacking detection
JWT validation

A08:2021

Software & Data Integrity

Deserialization attack prevention
Object injection detection
Parameter tampering protection
Request integrity validation

A09:2021

Security Logging Failures

Detailed attack logging
Audit trail generation
Alert webhooks (Slack, email)
Prometheus metrics integration

A10:2021

Server-Side Request Forgery

Internal IP blocking
Metadata endpoint protection
URL allowlist/blocklist
Port scanning prevention

Supported Platforms & Integrations

🟢

Nginx

Native auth_request module. Sub-request authentication with <5ms overhead.

auth_request /clofix-auth;

🟡

Apache

mod_auth_request + mod_proxy. Full compatibility with Apache 2.4+.

AuthRequest "/clofix-auth"

⎈

K8s Nginx Ingress

ExternalAuth with DaemonSet. Prometheus metrics. Auto-scaling with HPA.

nginx.ingress.kubernetes.io/auth-url

☁️

AWS ALB

AWS Load Balancer Controller. Target group routing with forward auth.

alb.ingress.kubernetes.io/auth-type: forward

🔄

Traefik

ForwardAuth middleware. Native Kubernetes CRD support.

forwardAuth.address: http://clofix-agent:8080

🔷

Istio

EnvoyFilter with external auth. Service mesh integration.

CUSTOM action with ext_authz

🚀

Caddy

Forward auth directive. Automatic HTTPS support.

forward_auth http://clofix-agent:8080

⚡

HAProxy

Lua-based external authentication. High-performance with <100µs overhead.

http-request lua.clofix-validate

Performance Metrics

99.99%

Uptime SLA

50k+

RPS per node

95%

Cache hit rate

50MB

Memory footprint

5min

Setup time

03 Simple, Transparent Pricing

🚀 For Production

Starter

$5/month

+ $5 per domain

Up to 1 IP
1 domain included
50K requests/month
Email support
99.9% SLA
Slack notifications

Professional

$45/month

+ $5 per domain

Up to 10 IPs
10 domains included
100K requests/month
Priority email support
99.99% SLA
Slack notifications
Prometheus metrics

💚 For Community

OPEN SOURCE SPIRIT

CloFix WAF Community

Free forever

No credit card required - never converts to paid

Core Security

Up to 3 agents
3 domain included
50,000 requests / month
OWASP Top 10 Security
Weekly rule updates

Monitoring

prometheus
Email alerts (5 per month)
99.5% SLA uptime guarantee

Integration

🐙 GitHub Access included

Support

Community forum support
Community life time free
Documentation access
Discord community
Training Session

Sign Up Form Join LinkedIn Group

Forever free for open source projects, homelabs, and learning

04 Domain-Based Pricing

How Domain Pricing Works

Each protected domain costs $5/month. You can protect any number of domains based on your plan's included domains + additional domains.

example.com → $5/monthapi.example.com → $5/month*.staging.com → $5/monthdashboard.company.com → $5/month

📊 Example Calculation
Professional Plan ($45/month) includes 10 domains.
If you need 20 domains → $45 + (10 × $5) = $95/month
Each additional domain beyond included limits is just $5/month.

No per-request fees – Flat pricing

No egress charges

No SSL termination fees

Free 24/7 support

No upgrade costs

05 Compliance Ready

PCI DSS 4.0

Complete logging & auditing for payment card industry.

GDPR

Data anonymization and privacy controls.

HIPAA

Audit trails for healthcare data.

SOC2

Access controls and security monitoring.

ISO 27001

Information security management certified.

06 Domain-Based Filtering

🌐 How Domain Filtering Works
✅ Allowed Domains (Server-Side) - Configure which domains the agent protects.
✅ Bypass for Other Domains - Requests to non-configured domains pass through without validation.
✅ Central Management - All domain configurations are stored on the API server.
✅ Per-Domain Pricing - $5 per domain per month.

json

{"license_key": "CLOFIX-XXXX", "allowed_domains": ["example.com", "api.example.com"], "bypass_others": true}

07 High Availability

┌─────────────────────────────────────────────────────────┐
│              Normal Operation (Server UP)               │
│  Request → Agent → API Server → Validation → Allow/Block │
└─────────────────────────────────────────────────────────┘
                         ⬇
┌─────────────────────────────────────────────────────────┐
│            Server DOWN (Automatic Fallback)              │
│  Request → Agent → Cache → Bypass/Deny → Service Continues│
└─────────────────────────────────────────────────────────┘

🔄 Fallback Modes
Bypass: Allow all when server down (High availability)
Cache Only: Use cached decisions
Deny: Block when server down (Maximum security)

08 Scalability

                    ┌─────────────┐
                    │   Load      │
                    │  Balancer   │
                    └──────┬──────┘
                           │
           ┌───────────────┼───────────────┐
           │               │               │
      ┌────▼────┐     ┌─────▼────┐    ┌─────▼────┐
      │ Agent 1 │     │ Agent 2  │    │ Agent N  │
      └────┬────┘     └─────┬────┘    └─────┬────┘
           └────────────────┼───────────────┘
                            │
                    ┌───────▼───────┐
                    │   API Server  │
                    └───────────────┘

09 Protected Against

SQL Injection (Union, Time-based, Boolean blind)

XSS (Reflected, Stored, DOM-based)

Path Traversal & LFI/RFI

Command Injection

SSRF & CSRF

Bot attacks & Scrapers

DDoS & Brute force

API abuse & GraphQL attacks

Credential stuffing

Log4Shell & Zero-day exploits

Session hijacking & Fixation

Email spoofing & Phishing

Malicious file uploads

XXE & XML attacks

Deserialization attacks

Cloud metadata access (AWS/GCP/Azure)

Rate limiting bypass attempts

IP spoofing & rotation attacks

And more...

10 Core Benefits Summary

Category	Benefit	Impact
Security	99.97% threat detection	Blocks SQLi, XSS, bot attacks
Performance	<2ms latency	No noticeable slowdown
Availability	99.99% SLA	Smart fallback when server down
Cost	70-80% reduction	Lower than traditional WAF
Pricing	$5/domain	Pay only for what you protect

11 How to Integrate

bash

# Deploy agent as DaemonSet
kubectl apply -f https://clofix.com/k8s/clofix-agent-daemonset.yaml

# Configure ingress with auth-url
kubectl annotate ingress my-app \
  nginx.ingress.kubernetes.io/auth-url="http://clofix-agent:8080/validate"

12 Where to Integrate

Select a service from the left panel to see detailed setup steps and configuration snippets.

Nginx

auth_request module

Apache

mod_auth_request

K8s Nginx Ingress

auth-url annotation

AWS ALB

Lambda / Target group

Traefik

ForwardAuth middleware

Istio

EnvoyFilter ext_authz

Caddy

forward_auth directive

HAProxy

http-request / lua

Nginx Integration

nginx.conf snippet

upstream clofix_agent { server 127.0.0.1:8080; }\nserver {\n    location = /clofix-auth { internal; proxy_pass http://clofix_agent/validate; }\n    location / { auth_request /clofix-auth; proxy_pass http://backend; }\n}

Make sure CloFix Nano Agent is running on port 8080 with valid license.

13 Features

Feature	Description
`Server-side validation`	Agent forwards request to central API for decision
`Smart caching`	90% cache hit rate, configurable TTL
`Domain filtering`	Only configured domains are validated
`Per-domain pricing`	$5 per domain – pay only for what you protect
`Fallback modes`	bypass / cache_only / deny when server down
`Prometheus metrics`	Request counts, latency, cache hit ratio

14 Deployment

bash

# DaemonSet (K8s)
kubectl apply -f https://clofix.com/k8s/agent-daemonset.yaml

# Docker
docker run -d --name clofix-agent -p 8080:8080 clofix/agent:latest

# Binary
./clofix-agent --license=YOUR_KEY --api=http://api.clofix.com:8081

15 FAQ

❓ How does domain pricing work?
Each domain you protect costs $5/month. Your plan includes a certain number of domains.

❓ What if I have 100 domains?
Enterprise plan offers unlimited domains with volume discounts.

❓ Does the agent store security rules?
No. Only caches decisions. Rules are on the API server.

❓ What if API server is down?
Enters fallback mode (bypass/cache_only/deny). No downtime.

❓ Is there a free trial?
Yes! Contact us for a 14-day free trial with 5 domains included.

Lightweight CloFix Nano Agent

01 What is the CloFix Agent?

02 Key Benefits

OWASP Top 10 Complete Vulnerability Coverage

Broken Access Control

Cryptographic Failures

Injection Flaws

Insecure Design

Security Misconfiguration

Vulnerable Components

Identification & Auth Failures

Software & Data Integrity

Security Logging Failures

Server-Side Request Forgery

Supported Platforms & Integrations

Nginx

Apache

K8s Nginx Ingress

AWS ALB

Traefik

Istio

Caddy

HAProxy

Performance Metrics

03 Simple, Transparent Pricing

Starter

Professional

CloFix WAF Community

Core Security

Monitoring

Integration

Support

04 Domain-Based Pricing

How Domain Pricing Works

05 Compliance Ready

PCI DSS 4.0

GDPR

HIPAA

SOC2

ISO 27001

06 Domain-Based Filtering

07 High Availability

08 Scalability

09 Protected Against

10 Core Benefits Summary

11 How to Integrate

12 Where to Integrate

Nginx

Apache

K8s Nginx Ingress

AWS ALB

Traefik

Istio

Caddy

HAProxy

Nginx Integration

13 Features

14 Deployment

15 FAQ