Looking for a modern WAF alternative to ModSecurity (Coraza integration with pfSense/HAProxy/Nginx)
Posted by Own_Cat6291@reddit | sysadmin | 2 comments
Hello everyone,
I'm currently redesigning my company's infrastructure and looking for a modern Web Application Firewall (WAF) solution as an alternative to ModSecurity.
Our current stack consists of Nginx as a reverse proxy/frontend. I'm also currently moving network traffic to a pfSense + HAProxy configuration at the edge, which will then route traffic to our internal Nginx backends.
What I'm looking for:
- A valid alternative to ModSecurity (since it seems to consume a lot of RAM).
- Key requirement: An official or native web UI/dashboard, if possible. I need to be able to monitor blocks, view graphs, and easily manage/whitelist rules without having to parse raw text log files every time a false positive occurs.
- High performance and good integration with an Nginx or HAProxy-based workflow.
Options I've seen so far:
- Coraza WAF: It appears to be the modern, Go-based successor to ModSecurity. I've seen the experimental coraza-nginxmodule and the SPOE HAProxy integration, though it doesn't appear to be easily compatible with the HAProxy package on pfSense out of the box.
My questions for you:
- If you're using Coraza in a similar environment, what is the best way to integrate it alongside pfSense + HAProxy or Nginx? Should I look into a standalone Coraza proxy layer between them?
- How do you handle monitoring, log visualization, and rule tuning/whitelisting with Coraza given the lack of an official native GUI?
- Are there any other open-source or self-hosted WAFs with a good Web UI that I might have overlooked for this specific stack?
Thanks in advance for your advice and suggestions!
RepulsiveDuck331@reddit
Honestly, if you want a real UI out of the box, Coraza isn't there yet. We tried the nginx module on a couple of edge boxes last year and it works but tuning false positives still means tailing logs.
What actually stuck for us: run Coraza as a standalone reverse proxy (caddy-coraza is solid) in front of the nginx backends, ship the audit logs to Loki/Grafana or Wazuh, and build the FP workflow there. Wazuh especially gives you a halfway decent dashboard for blocks and rule hits.
Also look at BunkerWeb if you want batteries-included with a GUI, and SafeLine has been getting attention. ModSec's RAM use is usually CRS bloat, not the engine itself, fwiw.
Puzzleheaded-Art8267@reddit
For your stack, Coraza as a standalone proxy layer sitting between HAProxy and your Nginx backends is probably the cleanest approach rather than trying to force the nginx module or pfSense SPOE integration. Less friction and easier to maintain independently.
For the UI and monitoring gap, most people pair Coraza with an ELK stack or Grafana + Loki. Coraza outputs structured JSON logs so piping them into Grafana is straightforward and you get the graphs, block monitoring and false positive management you are looking for without any native GUI dependency.
If you want something more out of the box, have a look at Crowdsec. It is not a traditional WAF but works really well alongside Nginx and HAProxy, has a proper dashboard, community threat intelligence built in, and the resource footprint is very reasonable compared to ModSecurity. You can run both Coraza and Crowdsec together for layered coverage.
SafeLine is another one worth checking, open source, Go based, has a native web UI and is designed to drop into Nginx based setups without much configuration overhead.
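The log-driven false-positive workflow both replies describe (Coraza's JSON audit log shipped to a dashboard, then per-path rule exclusions) as an added Python example; this is not code from Coraza or from either commenter. The audit-log field layout and the sample lines are constructed assumptions, and the exclusion rule ids (10000+) are placeholders to be fitted to your own ruleset.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of Coraza JSON audit-log lines (one transaction per line).
# The layout (transaction.request.uri, messages[].data.id / .msg) is my reading of
# Coraza's JSON audit format; check it against what your engine actually emits.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"transaction":{"client_ip":"10.0.0.9","request":{"uri":"/healthz"}},"messages":[{"data":{"id":920350,"msg":"Host header is a numeric IP address"}}]}',
    '{"transaction":{"client_ip":"10.0.0.9","request":{"uri":"/healthz"}},"messages":[{"data":{"id":920350,"msg":"Host header is a numeric IP address"}}]}',
    '{"transaction":{"client_ip":"10.0.0.9","request":{"uri":"/healthz"}},"messages":[{"data":{"id":920350,"msg":"Host header is a numeric IP address"}}]}',
    '{"transaction":{"client_ip":"203.0.113.7","request":{"uri":"/api/search?q=select"}},"messages":[{"data":{"id":942100,"msg":"SQL Injection Attack Detected via libinjection"}}]}',
    '{"transaction":{"client_ip":"198.51.100.4","request":{"uri":"/api/search?q=union"}},"messages":[{"data":{"id":942100,"msg":"SQL Injection Attack Detected via libinjection"}}]}',
])

def summarize_hits(audit_log_text):
    """Group matched rules by (rule id, request path); record hit count, distinct
    client IPs and the rule message, so repeated hits on one endpoint stand out."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "msg": ""})
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        tx = entry["transaction"]
        path = urlsplit(tx["request"]["uri"]).path  # drop the query string
        for m in entry.get("messages", []):
            key = (int(m["data"]["id"]), path)
            stats[key]["hits"] += 1
            stats[key]["clients"].add(tx["client_ip"])
            stats[key]["msg"] = m["data"].get("msg", "")
    return dict(stats)

def fp_candidates(stats, min_hits=2):
    """Return (rule_id, path) pairs that fired at least min_hits times, most frequent first."""
    hot = [(k, v) for k, v in stats.items() if v["hits"] >= min_hits]
    return [k for k, _ in sorted(hot, key=lambda kv: -kv[1]["hits"])]

def exclusion_directive(rule_id, path, exclusion_id):
    """Emit a SecLang exclusion (same syntax in Coraza and ModSecurity) that disables
    one rule only for the given path; exclusion_id must be unique in your ruleset."""
    return (f'SecRule REQUEST_URI "@beginsWith {path}" '
            f'"id:{exclusion_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"')

if __name__ == "__main__":
    stats = summarize_hits(SAMPLE_AUDIT_LOG)
    for n, (rule_id, path) in enumerate(fp_candidates(stats)):
        s = stats[(rule_id, path)]
        print(f"{rule_id} on {path}: {s['hits']} hits from {len(s['clients'])} client(s): {s['msg']}")
        print("  review before applying:", exclusion_directive(rule_id, path, 10000 + n))
```

A single internal client hammering one rule on a health-check path is the typical exclusion candidate; the same rule firing from many clients across a public endpoint usually is not, so the generated directive is meant for review, not automatic deployment.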