I'm hosting a Kubernetes cluster at home, and while I have some services exposed to the internet, I only allow HTTP(S) traffic from Cloudflare IPs. This setup works fine for web apps, but it's problematic for media hosting since Cloudflare has limitations on larger file uploads, like big Docker images. I'm also seeing some unwanted requests trying to access sensitive files, like `.git` and `.env`.
Currently, I'm using `nginx-ingress`, but I'm not interested in the paid F5 WAF they offer. I'd prefer to implement something like [Coraza](https://coraza.io/) or a similar free solution, though I haven't found clear integration documentation.
My goals are to:
- Filter HTTP(S) traffic within my Kubernetes cluster.
- Use a free tool that can safely receive traffic outside of Cloudflare.
- Ideally, set up domain-specific rules (e.g., some domains would only accept Cloudflare traffic while others could handle traffic from any source).
- Ensure support for services like Docker Registry and Nextcloud.
If I consider alternatives to `nginx-ingress`, they should support cert-manager & Let's Encrypt, work with websockets, and correctly fetch the real IP from Cloudflare headers, as well as the original router's IP for incoming traffic.
What are your recommendations?
2 Answers
Consider deploying `owasp/modsecurity-crs` as a sidecar to proxy your traffic through it. It's a solid setup for filtering malicious requests as it helps guard against common vulnerabilities.
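As an added example (not from this answer, which suggests a sidecar, and not the asker's own manifests), the same OWASP CRS rule set can be applied per host with the ModSecurity module bundled in the upstream ingress-nginx image, which matches the domain-specific goals in the question: one host restricted to Cloudflare's edge, another open to any source with uploads sized for a Docker Registry. Hostnames, service names and the CIDR values are placeholders.

```yaml
# Added example: two Ingresses on ingress-nginx with its bundled ModSecurity + OWASP CRS.
# Assumes the upstream ingress-nginx image (ModSecurity is compiled in); names are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp-cloudflare-only
  annotations:
    # Per-host WAF: CRS rules, switched from the default DetectionOnly to blocking.
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecRequestBodyAccess On
    # Only Cloudflare's edge may reach this host. Placeholder CIDRs: replace with the
    # current list from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
    # Caveat: allow/deny checks the address nginx treats as the client, so if real-IP
    # rewriting from CF-Connecting-IP / X-Forwarded-For is enabled for these ranges,
    # that address is the visitor's, not Cloudflare's, and this list would reject it.
    nginx.ingress.kubernetes.io/whitelist-source-range: "198.51.100.0/24,203.0.113.0/24"
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - {path: /, pathType: Prefix, backend: {service: {name: webapp, port: {number: 80}}}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: registry-any-source
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    # Registry pushes are multi-GB blobs: remove the nginx body limit and keep ModSecurity
    # off the request body (body inspection would buffer the blob and reject it once it
    # exceeds SecRequestBodyLimit). URI, header and method rules still apply to this host.
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecRequestBodyAccess Off
spec:
  ingressClassName: nginx
  rules:
    - host: registry.example.com
      http:
        paths:
          - {path: /, pathType: Prefix, backend: {service: {name: docker-registry, port: {number: 5000}}}}
```

Before switching `SecRuleEngine` to `On`, run the CRS in `DetectionOnly` for a while and review the ModSecurity audit log for false positives on Nextcloud and registry paths, then add per-host exclusions in the snippet.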
You might want to look into Crowdsec. It has WAF capabilities that could be useful. Just keep in mind that my past experience with it showed some performance issues under heavy loads, so testing it thoroughly would be wise.

I had similar concerns! I started small, and it seemed fine, but once I ramped up traffic, it really struggled. Performance dropped drastically, so I had to step back and reevaluate.