ModSecurity V3 Envoy Filter
Switch branches/tags
Nothing to show
Clone or download
Latest commit 713f2a0 Aug 28, 2018


The ModSecurity-Envoy is Envoy version compiled with HTTP filter (can be opt-in/out) running ModSecurity (V3). In other words you can run and configure WAF (ModSecurity) rules on HTTP Traffic that flows through envoy.

The most common use case is for ModSecurity-Envoy is to apply WAF on East-West traffic inside kubernetes deployments. As Envoy is the de-facto standard proxy in kubernetes deployments and is usually deployed in every pod you can deploy this Envoy version and Enable ModSecurity-Envoy Filter on all pods or on the most important ones.

Some of the ideas behind the project are desribed in this blog


  • This repo use git-lfs so please install it from here before git clone
  • Bazel
sudo apt-get install -y libtool cmake realpath clang-format-5.0 automake 
sudo apt-get install -y g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev


To build the envoy static binary with ModSecurity-Envoy filter:

git clone
cd ModSecurity-envoy
git submodule update --init
bazel build //http-filter-modsecurity:envoy # sometimes the build timesout and you should rerun it

Download OWASP ModSecurity Core Rule Set (CRS). CRS is a set of generic attack detection rules for use with ModSecurity and aims to protect web applications from wide range of attacks. For more information check out

tar xvzf v3.0.2.tar.gz
cp owasp-modsecurity-crs-3.0.2/crs-setup.conf.example crs-setup.conf



How it works

First let's run an echo server that we will use as our upstream

docker run -p 5555:80 kennethreitz/httpbin

Now let's run the envoy

sudo ./bazel-bin/http-filter-modsecurity/envoy -c envoy-modsecurity-example.yaml -l info

Make our first request

curl -X GET "" -H "accept: application/json"

Let's download Nikto which is the most popular Open Source web server scanner

perl nikto-master/program/ -h localhost:5555

Now we can cat /var/log/modsec_audit.log and see all detected attacks which in production can be piped to a SIEM of your choice or any other centralized log.

Let's try and add our own RULE as each WAF are designed to be configurable to protect different web applications.

Paste the following line in modsecurity-example.conf

SecRule ARGS:param1 "test" "id:1,deny,msg:'this',msg:'is',msg:'a',msg:'test'"

This line will detect any url with argument ?param1=test param.

rerun envoy and execute the following command curl -X GET "" -H "accept: application/json"

check the logs via tail -f and you will see the following output

ModSecurity: Warning. Matched "Operator `Rx' with parameter `test' against variable `ARGS:param1' (Value: `test' ) [file "crs-setup.conf"] [line "7"] [id "1"] [rev ""] [msg "test"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/"] [unique_id "152991475598.002681"] [ref "o0,4v13,4"]


The current version only works in detection mode.