Awesome Open Source
Awesome Open Source

Ironclad: WAF on Kubernetes

This is a reference configuration for running a web application firewall (WAF) on Kubernetes. It is a container build of ModSecurity+Nginx running the ModSecurity Core Rule Set along with a Go helper.

The Ironclad container runs as a sidecar for your application. It proxies inbound requests to your application over localhost within the confines of a single Kubernetes Pod.

The Go helper helps the process integrate more nicely in a Kubernetes environment:

Proof of Concept

This code is a work in progress and is meant as a simple proof of concept. File an issue or talk to @mattmoyer if you have ideas or want to help.

Configuration Format

# If true, ModSecurity will not block requests it thinks are malicious.
detectionOnly: false

# The TCP port on which Nginx should listen for requests.
listenPort: 80

# The TCP port to which Nginx should forward requests.
# Your application should be configured to listen on
backendPort: 8080

# Emit logs in JSON format (default is a text-based format)
logFormat: json

# Log at INFO level (includes alerts).
logLevel: info

# Prepend zero or more rules to the ModSecurity Core Rule Set.
prependRules: []

# Append zero or more rules to the ModSecurity Core Rule Set.
 # For example, change the default "block" action to a redirect:
 - SecDefaultAction "phase:1,nolog,auditlog,redirect:"
 - SecDefaultAction "phase:2,nolog,auditlog,redirect:"


This product includes GeoLite2 data created by MaxMind, available from

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
go (14,898
kubernetes (1,732
waf (53