This Helm chart deploys ModSecurity with the official OWASP Core Rule Set (CRS) Docker container, allowing users to integrate a Web Application Firewall (WAF) into their infrastructure. The setup enables ModSecurity to function as a reverse proxy, sitting between an Ingress controller and an application to filter and block malicious traffic.
- Deploys ModSecurity using the official OWASP CRS Docker container
- Easily integrates into existing Kubernetes environments
- Configurable rule set and logging options
- Deployable as a standalone proxy or in conjunction with an Ingress controller
- Supports custom ModSecurity configurations
- Supports GeoIP Blocking via DB-IP or MaxMind GeoLite2 database
The chart deploys the latest v4.x version (see chart's appVersion and image.tag value) of OWASP's CRS Apache container.
The Apache container is based on ModSecurity v2.9.x for better stability and performance.
- A running Kubernetes cluster
- Helm installed (Installation Guide)
- An existing Ingress Controller (optional, if using ModSecurity as an additional WAF layer)
- MaxMind GeoLite2 account (optional, for GeoIP-based blocking)
```bash
helm install --create-namespace -n your-namespace modsecurity-crs-proxy oci://registry-1.docker.io/phoenixmedia/modsecurity-crs-proxy --version 0.1.0 -f values.yaml
```

Alternatively, install with default settings:

```bash
helm install --create-namespace -n your-namespace --set backend=http://my-app-service modsecurity-crs-proxy oci://registry-1.docker.io/phoenixmedia/modsecurity-crs-proxy
```

Check if the pods are running:

```bash
kubectl get pods -n your-namespace
```

This Helm chart supports GeoIP-based blocking using the DB-IP or MaxMind GeoLite2-Country database.
To enable it, check out one of the `values_geoip_*.yaml` example files and set the required values.
This Helm chart allows customization through the values.yaml file. Below are some key configurable parameters:
| Parameter | Description | Default |
|---|---|---|
| `image.repository` | The Docker image repository for ModSecurity with CRS | `owasp/modsecurity-crs` |
| `image.tag` | The image tag to use (see chart appVersion) | `""` |
| `backend` | URL of the backend service | `http://my-app-service.svc.cluster.local:80` |
| `securityRules` | Custom ModSecurity settings and rules | `[]` |
| `service.port` | Port for the ModSecurity proxy | `8080` |
| `geoip.enabled` | Enable GeoIP-based blocking | `false` |

For a full list of configurable parameters, see the values.yaml file.
To deploy ModSecurity as a standalone reverse proxy filtering traffic before reaching your application, use:
```yaml
backend: "http://my-app-service.svc.cluster.local:80"
```

This ensures that ModSecurity processes traffic before it reaches your backend services.
ModSecurity supports three engine modes: "On", "Off" and "DetectionOnly". Modify the environment variable to change the setting:
```yaml
env:
  - name: MODSEC_RULE_ENGINE
    value: "DetectionOnly"
```

Note: To modify a single environment variable, you have to copy the whole `env` block from the values.yaml.
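Before switching `MODSEC_RULE_ENGINE` from `DetectionOnly` to `On`, it helps to know which requests would have been rejected. The following is an added example, not part of the chart or its README: it parses ModSecurity v2 error-log lines, counts rule hits, and lists the requests where CRS rule 949110 (inbound anomaly score exceeded) fired. The sample lines are constructed, and it assumes the container's error log is available through `kubectl logs`.

```python
import re
import sys
from collections import Counter

# [key "value"] metadata fields that ModSecurity v2 appends to each log entry.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
BLOCKING_RULE = "949110"  # CRS rule that evaluates the inbound anomaly score

# Constructed, shortened sample lines as logged with MODSEC_RULE_ENGINE=DetectionOnly.
SAMPLE = [
    '[error] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] '
    '[msg "SQL Injection Attack Detected via libinjection"] [uri "/search"] [unique_id "aaa111"]',
    '[error] ModSecurity: Warning. Operator GE matched 5 at TX:blocking_inbound_anomaly_score. '
    '[id "949110"] [msg "Inbound Anomaly Score Exceeded"] [uri "/search"] [unique_id "aaa111"]',
    '[error] ModSecurity: Warning. Pattern match. [id "920350"] '
    '[msg "Host header is a numeric IP address"] [uri "/healthz"] [unique_id "bbb222"]',
    '[error] ModSecurity: Warning. [id "942100"] [uri "/api/comments"] [unique_id "ccc333"]',
    '[error] ModSecurity: Warning. [id "949110"] [uri "/api/comments"] [unique_id "ccc333"]',
    '[notice] Apache configured, resuming normal operations',
]


def summarize(lines):
    """Return (rule_hits, would_block) for an iterable of error-log lines."""
    rule_hits = Counter()   # detection rule id -> number of matches
    would_block = {}        # unique_id -> uri of requests "On" mode would reject
    for line in lines:
        fields = dict(FIELD.findall(line)) if "ModSecurity:" in line else {}
        rule_id = fields.get("id")
        if rule_id is None:
            continue  # ordinary Apache line or entry without a rule id
        if rule_id == BLOCKING_RULE:
            would_block[fields.get("unique_id", "?")] = fields.get("uri", "?")
        else:
            rule_hits[rule_id] += 1
    return rule_hits, would_block


if __name__ == "__main__":
    # Usage: kubectl logs -n your-namespace <pod> | python triage.py
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    hits, blocked = summarize(lines)
    for rule_id, count in hits.most_common():
        print(f"rule {rule_id}: {count} hit(s)")
    for uid, uri in blocked.items():
        print(f"would block: {uri} (unique_id {uid})")
```

Requests listed under "would block" on paths that carry legitimate traffic are candidates for rule exclusions in `securityRules` before the engine is set to `On`.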
To remove the Helm deployment, run:
```bash
helm uninstall -n your-namespace modsecurity-crs-proxy
```

This Helm chart is released under the Apache 2.0 License. The official OWASP CRS container follows the same licensing terms.
Contributions are welcome! Please open an issue or submit a pull request on GitHub.