APISIX Forge
Production-ready API gateway stack: from 3 days of manual config to under 5 minutes.
The problem
Deploying a robust API Gateway architecture (gateway + WAF + observability) typically requires 3+ days of manual configuration for an experienced engineer. There is no open-source, self-hosted solution that ships everything pre-wired.
The solution
APISIX Forge packages the full stack into a single Docker Compose deployment: Apache APISIX as the gateway, Coraza WAF compiled to WebAssembly for in-process threat detection with no extra network hop, a complete observability pipeline (Prometheus, Grafana, Loki, Promtail), and a Next.js management dashboard. No manual config files, no vendor subscription, no cloud dependency.
Technical highlights
WebAssembly WAF with zero network overhead
Coraza WAF is compiled to WebAssembly and embedded natively inside APISIX via its Wasm plugin system. Unlike sidecar or reverse proxy WAF deployments, there is no additional network hop; threat detection runs in-process at the gateway level.
Structured observability pipeline
Promtail collects Docker container logs and parses Coraza WAF events into structured Loki streams with labels (waf_action, client_ip, method, request_uri, rule_id, severity). Two Grafana dashboards are provisioned automatically: one for gateway metrics, one for WAF events, both connected to real traffic.
Admin API security design
The APISIX Admin API is a common attack vector when left exposed. APISIX Forge isolates it on a restricted port, enforces API key authentication, and documents the hardening steps needed before any network exposure, reflecting a defense-in-depth mindset.
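A pre-exposure check for the Admin API controls described above, as an added example that is not code from the APISIX Forge repository. It assumes the standard APISIX 3.x `deployment.admin` keys (`admin_key`, `allow_admin`), the default Admin API port 9180, and Docker Compose short-syntax port mappings; the function name, the minimum key length and the sample inputs are constructed for illustration.

```python
import ipaddress

# Default key shipped in APISIX's sample configuration; it is public knowledge.
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"
ADMIN_PORT = "9180"   # APISIX 3.x default Admin API port (assumed for this stack)
MIN_KEY_LEN = 32      # assumed local policy, not an APISIX requirement


def audit_admin_api(apisix_cfg, compose_ports):
    """Return findings for the Admin API (hypothetical helper).

    apisix_cfg: dict loaded from APISIX config.yaml.
    compose_ports: short-syntax "ports:" entries of the gateway service.
    """
    findings = []
    admin = apisix_cfg.get("deployment", {}).get("admin", {})

    keys = admin.get("admin_key") or []
    if not keys:
        findings.append("no admin_key configured")
    for entry in keys:
        key = str(entry.get("key", ""))
        if key == DEFAULT_ADMIN_KEY:
            findings.append("admin_key is the published default")
        elif len(key) < MIN_KEY_LEN:
            findings.append("admin_key is shorter than %d characters" % MIN_KEY_LEN)

    allow = admin.get("allow_admin") or []
    if not allow:
        findings.append("allow_admin is empty, so no source-address restriction applies")
    for cidr in allow:
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append("allow_admin %s matches every address" % cidr)

    for mapping in compose_ports:
        # Forms: "9180", "9180:9180", "127.0.0.1:9180:9180", "[::1]:9180:9180"
        parts = mapping.split("/")[0].rsplit(":", 2)
        if parts[-1] != ADMIN_PORT:
            continue
        host_ip = parts[0].strip("[]") if len(parts) == 3 else ""
        if not host_ip or not ipaddress.ip_address(host_ip).is_loopback:
            findings.append("port mapping %r publishes the Admin API beyond loopback" % mapping)
    return findings


# Constructed sample inputs: a weak configuration and a hardened one.
WEAK_CFG = {"deployment": {"admin": {"allow_admin": ["0.0.0.0/0"], "admin_key": [
    {"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}]}}}
HARD_CFG = {"deployment": {"admin": {"allow_admin": ["127.0.0.0/24"], "admin_key": [
    {"name": "admin", "key": "constructed-placeholder-key-0123456789abcdef", "role": "admin"}]}}}
```

Run against the weak sample with `["9080:9080", "9180:9180"]` it reports three findings; the hardened sample with `["9080:9080", "127.0.0.1:9180:9180"]` reports none.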
Building this project reinforced that security must never come at the cost of developer experience. A WAF that takes days to configure will be skipped. The goal of DevSecOps is to make the secure path the easy path.