Mcaster1BackDraft - Web Application Firewall & nginx Log Analyzer | Mcaster1 DNAS

Production deployment. BackDraft is currently the WAF for the entire Mcaster1 / CasterClub / Audiorealm domain fleet — 27+ sites under its inspection on OVH US-West and US-East. Operating in learning mode with selective enforce-mode rules.

One Binary. Three Ports. One Process.

nginx proxies the request to BackDraft on port 9432. BackDraft inspects, scores, logs to MariaDB, and forwards via FastCGI to PHP-FPM. nginx returns the PHP response to the browser. No proxy loops. No sidecar binaries. No external Lua dependencies.

Browser → nginx (443) → location = /page.php → proxy_pass to BackDraft (9432) → WAF inspects, scores, logs to MySQL → FastCGI forward to PHP-FPM (unix socket) → PHP executes, returns response → nginx returns to browser

Port	Role
`9432`	WAF proxy — receives nginx-proxied traffic, inspects, scores, logs, forwards to PHP-FPM via FastCGI
`8862`	Web UI — PHP dashboard via FastCGI, dark cybersecurity theme, Chart.js analytics
`8832`	REST API — rule management, user/session admin, site enrollment, threat queries, runtime stats

WAF Rule Engine

Nine production rules plus a learning mode that builds custom rules from observed traffic patterns.

SQL Injection (basic + advanced)

XSS — reflected and stored

Path Traversal

Command Injection

RFI / LFI

Bot User-Agent

Rate Limiting

IP Blocklist (geo + manual)

Request Pattern Anomaly

Key Features

A full WAF you can actually read the source code of.

Pure C++17, Single Binary

One executable. One systemd unit. No Go sidecar, no Lua module, no Node.js shim. Hardware-aware thread pool for inspection at line rate.

Native FastCGI Integration

BackDraft speaks FastCGI directly to PHP-FPM after inspection. The request flow is straightforward and debuggable — no extra hop, no transparent rewrite magic.

Learning Mode

Inspect-and-log without blocking. Watch real traffic build a baseline. Switch rules to enforce mode per-site once you trust the false-positive rate.

BotProof CAPTCHA

Built-in CAPTCHA challenge for suspicious sessions. Solve once, pass for the session. No reCAPTCHA dependency, no Google JS phone-home.

Secure Lock OTP

Email-OTP challenge for sensitive paths (admin areas, billing). Configurable per site, per path, per role.

ClamAV Upload Scanning

File uploads scanned inline with ClamAV before reaching PHP. Malware, EICAR, suspicious binaries rejected at the WAF layer.

Real-Time Dashboard

Chart.js analytics in a dark cybersecurity theme. Threat timeline, top-blocked rules, geo heat-map, per-site request volume, suspicious user-agent ranking.

MariaDB-Backed

All threats, sessions, rule hits, and audit events persist to MariaDB. Schema is hireable PHP-shop standard — readable, prepared statements only, no FK constraint cliffs.

SOC2-Friendly Audit Log

HMAC-chained audit log on rule changes, user actions, and IP block adjustments. Tamper-evident, append-only, per-record signatures.

Technical Specifications

Engineering details for evaluators.

Language	C++17 (daemon), PHP 8.4 (web admin)
Build	Autotools, single static binary
Architecture	Celenite Stack — compiled C++ core + PHP-FPM via FastCGI
Ports	9432 (WAF proxy), 8862 (web UI), 8832 (REST API)
Threat Database	MariaDB / MySQL, prepared statements only
Rules	9 built-in + custom rules + learning-mode generation
Anti-Malware	ClamAV integration for upload scanning
Audit Log	HMAC-chained, append-only, per-record integrity
nginx Hook	`proxy_pass http://127.0.0.1:9432` per location block
OS	Linux (Debian Trixie tested, Ubuntu 22.04+ supported)
License	Proprietary — MCaster1 LLC
Production Footprint	27+ domains across OVH US-West and US-East
Repository	https://github.com/davestj/Mcaster1BackDraft

Who It's For

Three audiences this was built for.

Single-Operator Hosters

You run nginx for your own sites and a few client sites. Cloudflare WAF costs more than your hosting. BackDraft is one binary on the same box — no edge dependency, no DNS migration.

Multi-Tenant PHP Shops

Per-site rule sets, per-site dashboards, per-site CAPTCHA toggles. FastCGI native, so you keep PHP-FPM and don’t bolt on a separate proxy layer.

Air-Gapped & Regulated

No SaaS phone-home. No external CAPTCHA service. ClamAV scans locally. Audit log is HMAC-chained and exportable for SOC2 / ISO 27001 evidence.

Part of the Mcaster1 Ecosystem

BackDraft is the front door for every Mcaster1 web property. Its threat data feeds back into Mcaster1StackSmith’s alert engine, and its audit log lives alongside the StackSmith and DBOpsMan audit streams — one chain of custody across the platform.

Source on GitHub All Downloads