Edgewatch Bastion is a secure application delivery controller designed to protect, publish, and operate web applications from a hardened self-hosted gateway. It combines reverse proxying, load balancing, web application firewall capabilities, traffic inspection, rate limiting, firewall controls, clustering, certificate management, telemetry, and SIEM integration into a single deployable security appliance.
Bastion is built around an OpenResty/Nginx traffic layer with ModSecurity-based WAF protection, GeoIP2 integration, advanced header control, Lua-driven policy enforcement, and support for HTTP/HTTPS application publishing. It is intended to sit at the edge of customer infrastructure as the main ingress point for protected web services, APIs, portals, and administrative applications.
The platform is designed for environments that require strong control over application exposure, including regulated organizations, private infrastructure, MSP/MSSP environments, and customers that prefer an on-premise or self-hosted alternative to external SaaS WAF and ADC platforms. The product specification defines Bastion as a clustered Secure ADC with application-layer protection, L7 DDoS mitigation, load balancing, traffic inspection, firewall control, monitoring, SOC/SIEM integration, and operational observability.
Deployment formats
Edgewatch Bastion is available in two main installation formats:
1. ISO appliance image
The ISO image provides a complete Bastion appliance installation for new deployments. It is intended for bare metal servers, virtual machines, private cloud environments, Proxmox, VMware, KVM, and similar infrastructure.
The ISO deployment includes the operating system baseline, Bastion packages, default security configuration, firewall baseline, reverse proxy stack, and initial bootstrap tooling.
2. Debian APT repository
Bastion is also available through an official Debian package repository. This allows administrators to install and update Bastion components using standard Debian package management tools.
The Debian repository provides packages such as:
- bastion-base
- bastion-agent
- bastion-api
- bastion-firewall
- bastion-wazuh
- bastion-redis
- bastion-syncthing
- bastion-frontend
- bastion-node
The repository-based installation is intended for existing Debian systems, automated deployments, CI/CD provisioning, and customers who want controlled package updates through apt.
Core capabilities
Bastion provides:
- Secure HTTP/HTTPS reverse proxying.
- Load balancing for backend applications.
- ModSecurity WAF integration.
- OWASP CRS-compatible rule handling.
- GeoIP2-based traffic classification.
- Header manipulation and normalization.
- TLS certificate management, including ACME support.
- Domain, subdomain, IPv4, and IPv6 protected service definitions.
- Clustered configuration synchronization.
- Shared blocklists across Bastion instances.
- Closed-by-default firewall posture.
- Wazuh/SIEM integration.
- Optional Redis support for sessions, challenges, and distributed state.
- API and frontend management interfaces.
- Audit logging and operational telemetry.
Security model
By default, Bastion is designed with a restrictive perimeter model. Only ports 80 and 443 are exposed publicly. Administrative, API, SSH, synchronization, Redis, metrics, and cluster-related ports are filtered and only accessible from explicitly whitelisted networks.
The default management whitelist includes:
178.255.228.0/25
Bastion separates operational runtime configuration from confidential data. Critical runtime files required by OpenResty/Nginx may be stored in plaintext so that the node can keep serving traffic, while sensitive data such as API keys, provider credentials, ACME account keys, Redis credentials, Wazuh enrollment secrets, and private management secrets are protected through encrypted storage and strict access control.
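The perimeter model above can be checked rather than assumed. The following is an added example, not Bastion's own code: it models a default-deny policy in which only ports 80 and 443 accept any source and the filtered services accept only the management whitelist, then audits which ports an untrusted address can reach. The management port numbers are assumed upstream defaults, not values taken from Bastion.

```python
"""Model of the closed-by-default perimeter and an exposure audit.
Added example; management ports are assumed upstream defaults."""
import ipaddress
from dataclasses import dataclass

PUBLIC_PORTS = {80, 443}
# Whitelist taken from the product description.
MANAGEMENT_WHITELIST = (ipaddress.ip_network("178.255.228.0/25"),)

# Assumed ports for the filtered services (upstream defaults, not Bastion-specific).
MANAGEMENT_PORTS = {"ssh": 22, "redis": 6379, "syncthing": 22000,
                    "metrics": 9100, "api": 8443}


@dataclass(frozen=True)
class Rule:
    port: int
    sources: tuple  # ip_network objects; an empty tuple means any source


def build_policy():
    """Public ports accept any source; everything else only the whitelist."""
    rules = [Rule(p, ()) for p in sorted(PUBLIC_PORTS)]
    rules += [Rule(p, MANAGEMENT_WHITELIST) for p in MANAGEMENT_PORTS.values()]
    return rules


def is_allowed(policy, src_ip, dst_port):
    """Default deny: accept only when a rule matches both port and source.
    An IPv6 source never matches an IPv4 whitelist network (and vice versa)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule.port != dst_port:
            continue
        if not rule.sources or any(ip in net for net in rule.sources):
            return True
    return False


def audit_exposure(policy, probe_ip="203.0.113.10"):
    """Ports reachable from an address outside the whitelist.
    probe_ip defaults to a constructed TEST-NET-3 documentation address."""
    return sorted({r.port for r in policy if is_allowed(policy, probe_ip, r.port)})


if __name__ == "__main__":
    print("publicly reachable ports:", audit_exposure(build_policy()))  # [80, 443]
```

Any port other than 80 and 443 in the audit output indicates a deviation from the posture the product describes.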
Clustering
Bastion supports clustered deployments where multiple instances share configuration, certificates, blocklists, WAF policies, and runtime state needed for active-active operation. This allows DNS load balancing to point traffic at any healthy Bastion instance.
Syncthing is used as the default configuration and state synchronization layer, with Bastion managing member registration, approval, shared folders, and signed configuration revisions.
Typical use cases
- Publishing protected web applications.
- Protecting customer APIs.
- Replacing fragmented reverse proxy, WAF, and firewall setups.
- Providing a self-hosted alternative to cloud WAF/SaaS ADC services.
- Securing administrative portals.
- Enforcing rate limits and access controls at the edge.
- Feeding security events into SOC/SIEM workflows.
- Operating a clustered application gateway across multiple nodes.