F5 NGINX ModSecurity WAF Is Transitioning to End-of-Life

Thelen Blum Thumbnail
Thelen Blum
Published May 10, 2022

For the past five years, F5 NGINX has been pleased to provide our customers with the NGINX ModSecurity WAF module for NGINX Plus with support against standard classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS). However, due to recent changes to third‑party support for ModSecurity WAF, we regret that we are transitioning NGINX ModSecurity WAF to End-of-Life (EoL) effective March 31, 2024.

Our decision is due in part to the recent announcement from Trustwave, the organization that has been maintaining ModSecurity, that as of July 1, 2024, it will:

  • Stop supporting the ModSecurity open source code and WAF
  • Return responsibility for maintaining the ModSecurity code to the open source community
  • No longer provide Commercial Rules

Additionally, while the OWASP ModSecurity Core Rule Set (CRS) project plans to continue its support for ModSecurity, it is transitioning its focus to a new WAF called Coraza, having concerns over the viability of the ModSecurity project given the actions and announcement to changes in support by Trustwave.

NGINX ModSecurity WAF is based on open source ModSecurity v3 and is backed by our support and testing that ensures the NGINX ModSecurity WAF module works correctly with NGINX Plus. We do not, however, maintain the ModSecurity code itself and the lack of support from Trustwave combined with reduced contribution to the open source ModSecurity project leave NGINX Plus customers with a product that might not meet their requirements for security and stability.

NGINX moved to End-of-Sale (EoS) and stopped selling NGINX ModSecurity WAF on April 1, 2022. If you are a customer with an active license, you can renew your subscription and receive full support – including updates to the NGINX ModSecurity WAF package – until the EoL date (March 31, 2024). NGINX plans to have NGINX ModSecurity package updates until March 31, 2024, with the goal of providing customers with enough time to migrate to a new solution. Your account manager will reach out to you directly to discuss your application security solution needs going forward. If you would like to contact your account manager at any time, please reach out to us. As of April 1, 2023, no further renewals will be accepted.

Dedication to Open Source Remains Integral to NGINX DNA

Although the NGINX ModSecurity WAF product is moving to EoL, we remain committed to our participation in and support of the open source community. NGINX values the collaboration and innovation of open source community members who are dedicated to advancing technology and making it better. We believe that open source encourages the broader use of core foundational security and benefits us all by reducing the attack surface of the global application infrastructure.

In line with those values, NGINX continues to lead the NGINX Open Source and NGINX Unit projects. We take great pride in our security efforts while also recognizing that it takes a broader team to secure the technology fabric we all increasingly rely on in our daily lives. As such, we are pleased to support OSS projects that directly enhance the security of the Internet, including sponsorship of the OWASP Core Rule Set (CRS), Let’s Encrypt, and Open SSL projects.

Has Digital Transformation Changed Your Security Needs?

You may have initially chosen NGINX ModSecurity WAF as a supported version of the open source ModSecurity WAF to protect your apps against general classes of vulnerabilities with the OWASP CRS or to comply with PCI DSS compliance requirements in a standard WAF implementation. Over the past two years, however, the COVID‑19 pandemic has forced organizations to accelerate their digital transformation to keep pace with demand as businesses and consumers alike have shifted to online purchase and consumption of goods and services.

With cyberattacks against web applications and APIs on the rise, it might be the right time to re‑evaluate what you need from a WAF and to implement a more comprehensive level of protection, reliability, and performance required to drive business growth. We offer F5 NGINX App Protect WAF as an alternative security solution that can scale with your business.

NGINX App Protect WAF – Advanced Security for Your Modern Apps and APIs

NGINX App Protect WAF provides several advantages:

  • NGINX App Protect WAF is based on F5’s Advanced WAF engine, which has been battle‑tested by thousands of enterprise customers for dozens of years. If you deploy other F5 products, you have a single point of support for our entire suite of security solutions, which includes speedy bug fixes and rule updates, plus influence on our long‑term roadmap. Further, you can easily port WAF rules among F5 solutions for consistent protection across your entire infrastructure.
  • The default ModSecurity rules are written and maintained by open source community members and are designed to cover general vulnerabilities. NGINX App Protect WAF rules are based on the wide range of vulnerabilities and threat reports tracked by F5 Labs. The result is a richer set of rules, delivering greater application security protection to keep pace with evolving threats.
  • ModSecurity rules involve evaluation of regular expressions, so each additional control you enable directly degrades performance – forcing a choice between good performance and comprehensive protection. NGINX App Protect WAF rules are precompiled into bytecode for high performance no matter how many rules you enable.
  • NGINX App Protect WAF is platform agnostic, with a small footprint and low resource demands, making it ideal for cloud deployments.
  • NGINX App Protect WAF meets the demands of DevOps teams, with declarative policies for “security as code” and easy integration into your CI/CD tool chain.
  • NGINX App Protect WAF delivers consistent security controls for web apps, microservices, containers, and APIs.

Learn why automobile tire vendor chose NGINX App Protect WAF over NGINX ModSecurity WAF when it needed to improve its online performance and meet internal and external security and compliance standards. As e‑commerce consultant to Sascha Petranka explains, “We decided to go with NGINX App Protect WAF because it gave us the best performance, the best long‑term solution, and the combined expertise of NGINX and F5 together.”

Enable Your Business with Optimal App Security

NGINX App Protect WAF can help your organization improve the security and performance of its applications and APIs while bringing DevOps and SecOps teams closer together. It is a lightweight security solution that enables businesses to protect against revenue impacting attacks, data theft, reputational damage, and regulatory non‑compliance. To test drive NGINX App Protect WAF for yourself, start a free 30-day trial or contact us to discuss your use cases.

"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous links will redirect to similar NGINX content on"