# Nginx L7 DDoS Protection! :boom: :zap:

- [x] Debian 13 (trixie) supported
- [x] nginx 1.30.0
- [x] HTTP/3 (QUIC) via AWS-LC
- [x] ModSecurity v3 (libmodsecurity)
- [x] Naxsi
- [x] Lua (LuaJIT 2.1)
- [x] Cookie-based challenge
- [x] [Versions List](https://git.julio.al/theraw/The-World-Is-Yours/src/branch/master/version)

## Easy install

```bash
sudo install -d /etc/apt/keyrings
sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc \
  -o /etc/apt/keyrings/raweb.asc
echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb trixie main" \
  | sudo tee /etc/apt/sources.list.d/raweb.list
sudo apt update && sudo apt install twiy
```

The `signed-by=` option scopes the repository key to this one source, so it cannot validate packages from any other repository. If the `curl` step fails, the keyring file is not written and `apt update` rejects the repository; check that `/etc/apt/keyrings/raweb.asc` exists before continuing.

## Compile from source

```bash
apt-get -y install git && cd /root/ && git clone https://github.com/theraw/The-World-Is-Yours.git && cd The-World-Is-Yours/
bash build/run.sh new
bash build/run.sh build
bash build/run.sh postfix
```

If you want to try a custom nginx version, open the `version` file, change the versions, then run:

```bash
bash build/run.sh new
bash build/run.sh build
```

## CLI Info

```
bash build/run.sh new     => Download all modules + nginx that are missing from /opt/.
                             (If you change versions in the 'version' file, simply rerun this to download again.)
bash build/run.sh build   => Compile nginx, nothing else.
                             (You can run this as many times as you need; it is not going to replace configs.)
bash build/run.sh postfix => Redownload /nginx/nginx.conf every time you run it.
                             (Suggested to run only once, when you first install nginx via my repo.)
```

## Nginx info

```
=> Nginx Folder      = /nginx/
=> --conf-path       = /nginx/nginx.conf
=> --pid-path        = /var/run/nginx.pid
=> --user            = nginx
=> --group           = nginx
=> --sbin-path       = /usr/sbin/nginx
=> --error-log-path  = /var/log/nginx/error.log

LUA RESTY CORE SCRIPTS = /usr/nginx_lua
```

## How to install lua scripts

The first line sources the repository's `version` file so that `LUA_SCRIPTS` (the lua-resty scripts prefix, `/usr/nginx_lua` above) is set in the current shell; the library is then installed under that prefix and nginx is reloaded. Run `nginx -t` before the reload so a broken Lua path is caught before the workers are restarted.

```bash
. /root/The-World-Is-Yours/version
cd /opt/mod/; git clone https://github.com/openresty/lua-resty-lrucache.git
cd /opt/mod/lua-resty-lrucache; make install PREFIX=${LUA_SCRIPTS}
nginx -s reload
```

## Performance

The default config in `static/nginx/nginx.conf` is tuned for shared hosting at 5,000+ vhost scale. The numbers below are ranges taken from public benchmarks and our own load testing; your mileage will vary with workload.

### vs. vanilla nginx (same version, default config)

| Area | Twiy | Vanilla nginx | Why |
|---|---|---|---|
| TLS handshake throughput | **+5–15%** | baseline | AWS-LC's tuned AES/ChaCha asm vs OpenSSL |
| Static file throughput | **2–5×** | baseline | `open_file_cache` (off by default in vanilla) |
| TLS resumed handshakes | **~10× CPU saving** | baseline | 200 MB shared session cache vs `none` (nginx's default: resumption is offered but no session is stored) |
| Per-handshake latency (cold) | **−50 to −200 ms p95** | baseline | OCSP stapling on by default, so the client does not fetch OCSP itself |
| Compressed-text bandwidth | **−60 to −80%** | unchanged | brotli + gzip enabled in `http {}` |
| WAF, Lua, HTTP/3 | included | not included | needs custom build |

### vs. OpenResty

| Area | Twiy | OpenResty |
|---|---|---|
| nginx version | tracks upstream stable (1.30.0) | lags upstream by months while waiting for OpenResty's bundle release |
| TLS backend | AWS-LC (BoringSSL fork) | OpenSSL (or quictls) by default |
| Lua stack | upstream `lua-nginx-module` + pinned `lua-resty-core` | OpenResty's vendored fork |
| Module surface | ModSecurity v3, naxsi, brotli, geoip2, http_v3, set_misc, headers_more, http-flv, srcache, redis2, testcookie, lrucache, mysql, lock | similar, but defined by OpenResty's bundle |
| Distribution | apt repo, single `.deb` | tarball or vendor's apt repo |

OpenResty is the right choice if you want a curated, all-in-one Lua-centric stack and don't mind being a few nginx releases behind. Twiy is the right choice if you want vanilla nginx's release cadence with a hardened security/performance stack on top.

### vs. Apache (httpd)

| Area | Twiy | Apache (event/prefork MPM) |
|---|---|---|
| Concurrency model | event-driven, one worker process per core | process-per-connection (prefork) or thread-per-connection (worker); the event MPM parks idle keepalive connections on a listener thread but is still heavier |
| Static file req/s (small files, single core) | typically **2–4× higher** | baseline |
| Memory per idle connection | **a few kB** | **hundreds of kB** (per worker process/thread) |
| TLS handshake CPU | comparable with mod_ssl, **lower** with mod_md off | baseline |
| WAF | ModSecurity v3 (libmodsecurity) + naxsi | ModSecurity v2 (mod_security2) common |
| HTTP/3 / QUIC | **yes** (AWS-LC) | **no** in stable releases |

The nginx-vs-Apache static-file gap widens dramatically at high concurrency (10k+ idle keepalive connections): nginx holds them on epoll for kilobytes each; Apache's event MPM still allocates significantly more per connection.

### Where the wins actually come from in this build

| Source | Yield |
|---|---|
| AWS-LC (vs vanilla OpenSSL on TLS) | 5–15% handshake CPU saving |
| `open_file_cache` (max=200000, inactive=30s) | 2–5× static throughput on a busy 5k-vhost host |
| `ssl_session_cache shared:SSL:200m` | large: a full handshake costs roughly 10× the CPU of a resumed one |
| OCSP stapling (`ssl_stapling on`) | removes the per-handshake OCSP round trip (often 50–200 ms p95) |
| `worker_cpu_affinity auto` | ~5% on CPU-bound workloads (cache locality) |
| `brotli on` + `gzip on` in `http {}` | 60–80% smaller text responses |
| `keepalive_requests 10000` (vs 1000 default) | fewer reconnects under sustained HTTP/2 load |
| `client_header_buffer_size 4k` (down from 2M; nginx's own default is 1k) | shrinks the worst-case per-request memory amplification |
| `server_names_hash_max_size 32768` | makes 5k+ vhost configs actually parseable |

### Things this build deliberately does NOT do (yet)

- No HTTP/3 `listen 443 quic` directive in `static/nginx/live/default`; this is left to the per-vhost templates so you can opt in selectively.
- No ECDSA P-256 certificates (a per-cert decision; ECDSA handshakes are ~3× faster than RSA-2048).
- No OS-level sysctl tuning (`net.core.rmem_max` for QUIC, `net.core.somaxconn`, `fs.file-max`). This would belong in the `.deb` postinst or a `/etc/sysctl.d/twiy.conf` shipped with the package; it is not yet wired up.

## Support options

- No free support for how-to questions; please don't spam the Discord with them.
- Free support for installation-related errors only is included.
- For business inquiries regarding anti-DDoS protection or other security/optimization concerns, contact: raw@dopehosting.net

## Contributors

Feel free to submit a pull request.

Special thanks to the following contributors:

- ƬHE ЯAW ☣
- Lục Thiên Phong
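Putting the `http {}` directives from the "Where the wins actually come from" table together with the per-vhost HTTP/3 and ECDSA opt-ins from the "does NOT do (yet)" list, as an added example. This is not the project's shipped `static/nginx/nginx.conf` or its vhost template: the vhost name, certificate paths, resolver address, `worker_connections` and `root` are assumptions, and the comments give the nginx default that each tuned directive replaces, plus the caveat a practitioner should know before copying the value.

```nginx
# Added example, not the project's shipped config. Placeholders are marked
# "assumption". Comments state the nginx default each directive replaces.

user  nginx nginx;
worker_processes     auto;
worker_cpu_affinity  auto;      # pin each worker to one core (cache locality)

events {
    worker_connections 65535;   # assumption; size to the nginx user's ulimit -n
}

http {
    # 5k+ vhosts: nginx's default max_size of 512 fails with
    # "could not build server_names_hash"; bucket size must grow for long names.
    server_names_hash_max_size    32768;
    server_names_hash_bucket_size 128;

    # Static files: vanilla default is "open_file_cache off".
    # Caveat: descriptors and metadata are cached, so a file that was deleted
    # or whose permissions were tightened may still be served until its entry
    # expires (inactive/valid below).
    open_file_cache          max=200000 inactive=30s;
    open_file_cache_valid    60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   on;

    # Request memory: nginx default is 1k. Headers larger than this spill into
    # large_client_header_buffers; anything beyond that is rejected (400/414).
    client_header_buffer_size   4k;
    large_client_header_buffers 4 8k;

    # Keepalive: fewer reconnects under HTTP/2 load (nginx default is 1000).
    keepalive_requests 10000;
    keepalive_timeout  30s;

    # TLS resumption: nginx default is "ssl_session_cache none" (resumption is
    # offered to the client but nothing is stored). 1m holds about 4000 sessions.
    ssl_session_cache   shared:SSL:200m;
    ssl_session_timeout 1h;
    # Session tickets stay on by default; if you keep them, rotate the key file
    # (ssl_session_ticket_key) so old captures cannot be decrypted later.

    # OCSP stapling: needs a resolver, and ssl_stapling_verify needs the issuer
    # chain in ssl_trusted_certificate, or the staple is silently not sent.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumption
    resolver                127.0.0.53 valid=300s ipv6=off;      # assumption
    resolver_timeout        5s;

    # Compression: 60-80% smaller text responses (brotli needs ngx_brotli, which
    # this build includes). Do not compress a response that reflects attacker-
    # controlled input next to a secret over TLS (BREACH); keep such paths off.
    gzip         on;
    gzip_types   text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;
    brotli       on;
    brotli_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;

    # Per-vhost HTTP/3 opt-in; the shipped default vhost deliberately has none.
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # only one server per address:port may carry reuseport
        http2 on;
        server_name example.com;     # assumption

        # ECDSA P-256 certificate: much cheaper handshake signing than RSA-2048.
        ssl_certificate     /etc/ssl/example.com/ecdsa.crt;   # assumption
        ssl_certificate_key /etc/ssl/example.com/ecdsa.key;   # assumption
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Address validation: clients must echo a Retry token before any
        # further work, so spoofed source addresses cannot use this host
        # as a reflector. Costs one extra round trip per new QUIC connection.
        quic_retry on;
        # ssl_early_data stays at its default (off): 0-RTT data is replayable.

        add_header Alt-Svc 'h3=":443"; ma=86400' always;

        root /var/www/example.com;   # assumption
    }
}
```

Validate with `nginx -t` before `nginx -s reload`. The one directive that is a trade-off rather than a free win is `quic_retry on`: it adds a round trip to every new HTTP/3 connection, which is the price of not being usable as a QUIC amplifier on a host whose job is to absorb spoofed-source floods.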