Blog

Engineering notes from the Zentinel project

NGINX Ingress Is Dead. Here's What to Do Next.

NGINX Ingress Controller maintenance halted in March 2026, with no more releases or security patches. We built a Gateway API controller for Zentinel. Here's the migration story.

gateway-api, kubernetes, nginx, migration, ingress

Three HTTP Smuggling CVEs in Pingora, and How Zentinel Responded

A security researcher found four vulnerabilities in Cloudflare's Pingora framework, including three HTTP request smuggling bugs. Here's what each one means for Zentinel, how operators could have mitigated them before the fix, and why we were already running the patched version before the CVEs went public.

security, pingora, infrastructure

Zentinel Upgrades to Pingora 0.8: Keepalive Limits, Stricter HTTP Framing, and a Leaner Builder API

Pingora 0.8.0 brings connection reuse limits, stricter HTTP/1 validation, upload write-pending diagnostics, and a new builder pattern for proxy services. Here's what changed in Zentinel and what operators should know.

infrastructure, pingora, security, rust

598 Attack Payloads, Three WAF Engines, One Verdict

We built wafworth, an open-source WAF testing framework with 598 tests across 18 OWASP-aligned categories, and used it to benchmark Zentinel's three WAF agent implementations against each other. No engine won everywhere. Here's what the confusion matrices actually say.

security, waf, agents, benchmarks, modsecurity

How zentinel bundle Works: A Static API, a Lock File, and 26 Agents

The zentinel bundle command installs agents from a static JSON API served by Zola. No database, no package manager runtime, no registry service to operate. Here's how api.zentinelproxy.io generates the metadata and how the CLI consumes it.

architecture, agents, bundle, registry

Sentinel Is Now Zentinel

We've rebranded from Sentinel to Zentinel and moved to a new home at zentinelproxy.io. Here's what changed, what didn't, and what you need to do.

announcement, migration

Introducing the Zentinel Control Plane: Fleet Management Built on Elixir

The Zentinel Control Plane is a fleet management system for Zentinel reverse proxies — built with Elixir/Phoenix and LiveView. It handles configuration distribution, deployment orchestration, and real-time node monitoring. Here's what we built, why we chose Elixir, and how the internals work.

control-plane, elixir, fleet-management, release

Zentinel Upgrades to Pingora 0.7: Dropping the Fork, Gaining New Capabilities

Cloudflare's Pingora 0.7 ships connection-level filtering, extensible TLS context, and the security fixes we were carrying in a fork. Zentinel now runs on upstream Pingora with zero patches — here's what changed and what it unlocks.

infrastructure, pingora, security, rust

Zentinel 26.02: Every Binary Signed, Every Dependency Listed

Release 26.02 adds supply chain security to every Zentinel release — cosign signatures, SLSA provenance, and SBOMs in CycloneDX and SPDX formats. Here's what we built, why it matters, and how to verify your deployment in 30 seconds.

release, security, supply-chain

Benchmarking Zentinel Against the Established Proxies

We put Zentinel head-to-head with Envoy, HAProxy, nginx, and Caddy — then used the results to find and fix the per-request allocations that were costing us CPU. Three rounds of optimization later, Zentinel matches or beats every proxy we tested on tail latency.

performance, rust, benchmarks