With ingress-nginx set to reach end-of-life in March 2026, many of us are looking for alternatives. I've looked into a few options and Traefik seems promising, but I'm concerned about replicating the WAF feature that relies on the OWASP Core Rule Set with ModSecurity since there doesn't seem to be a direct replacement. How is everyone planning to handle this transition?
5 Answers
Since we use AKS, we're probably going to transition to Azure FrontDoor along with WAF. We might wait a few months while assessing the risk before fully committing, but my intuition says there might be some pushback about the retirement, and hopefully, the K8s team will consider continuing support.
I switched to Envoy Gateway using the Coraza WASM as a filter. Just a heads-up, you might face increased memory usage and higher latency though.
I went with the Airlock WAF since it offers a community version with reasonable limits. This way, I can utilize GatewayAPI and ensure solid enterprise-level WAF capabilities.
I've moved everything to Envoy Gateway as the architecture allows for extensive customization. For instance, I created my own "extproc" service that leverages Coraza's Go library. Although I can get major memory issues with the WASM filter, I'm finding that my performance is actually better than with ingress-nginx.
You could try the Coraza plugin with its middleware on Traefik; it's available for free. It could really serve those of us wanting to stick with Ingress objects.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures