What is a WAF?
A Web Application Firewall (WAF) acts as a security shield for your server exposed to the internet. Without a WAF, your server is vulnerable to various attacks such as SQL injection, code injection, and website backdoors. Even if these threats don't concern you directly, hackers can exploit these vulnerabilities to deploy mining scripts on your server, leading to CPU overload and resource exhaustion.
Why Choose SafeLine?
-
Cost Control:
SafeLine offers both a Community Edition and a Professional Edition. The free Community Edition provides all the essential features to meet my current needs without any additional cost.
-
Easy Deployment:
As a frequent Docker user, I appreciate that SafeLine supports containerized deployment. It’s ready to use out of the box, saving me from unnecessary setup hassles.
-
Security Protection:
For personal websites, having a secure and stable environment is paramount. SafeLine delivers a straightforward yet reliable security solution, ensuring your small space remains safe and sound.
Introduction to SafeLine
SafeLine is a WAF meticulously developed by Chaitin Technology over nearly a decade. Its core detection capabilities are driven by intelligent semantic analysis algorithms. The traffic processing engine is built on Nginx and operates as a reverse proxy, intercepting traffic before it reaches your web server. SafeLine inspects and cleans malicious traffic, forwarding only sanitized traffic to your server.
This architecture ensures that external attack traffic never reaches your web server, providing robust protection.
Architecture Diagram
Deploying SafeLine
1. Installation
SafeLine offers multiple installation methods. For detailed instructions, refer to the official documentation: SafeLine Installation Guide.
To quickly install SafeLine, execute the following command:
bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)" Upon successful installation, you'll receive access details. Make sure to save them:
[SafeLine] Initial username: admin [SafeLine] Initial password: ********** [SafeLine] Done 2. Log into the Console
Open your browser and navigate to the backend management page at https://<your-server-ip>:9443. Enter the username and password provided during installation to access the homepage.
3. Configure Your Site
My original setup was: Domain → Nginx listening on port 80 and forwarding → Application. To integrate SafeLine, I simply configured SafeLine to proxy Nginx, as shown below:
Of course, SafeLine can also work alongside Nginx if preferred.
3.1 Start Configuration
Navigate through the menu: Web Services → Add Web Service
- Domain: Your domain or server IP
- Port: 80
- Upstream Server: Your server IP + application port
Submit the configuration. Access your domain or IP directly and check the homepage to ensure your requests are being processed through SafeLine.
3.2 Test Protection
If you see your requests, it means SafeLine has been successfully integrated. You can perform some test attacks to verify, but avoid repeated attempts as SafeLine will block your IP after multiple attacks.
For example:
- Simulate SQL Injection: Visit
http://<your-domain>:<port>/?id=1%20AND%201=1 - Simulate XSS: Visit
http://<your-domain>:<port>/?html=<script>alert(1)</script>
If you see the protective shield icon, your site is secure.
3.3 Configure Dynamic Protection
Dynamic protection helps safeguard your website’s source code. To configure it, follow these steps: Menu → Web Services → Dynamic
3.4 Other Features
- Rate Limiting: Enable high-frequency access and attack rate limiting to prevent your site from being overwhelmed by repeated requests. Even if your site doesn’t hold critical data, you don’t want it constantly under attack.
- Force HTTPS: In the proxy settings, you can enforce HTTPS. If you don’t have an SSL certificate, you can apply for a free one with a one-year validity. Upload the certificate in SafeLine’s certificate management.
Change your listening port to 443, enable SSL, select your certificate, and submit. Enjoy the added security provided by SafeLine!
Note: If you need more detailed information, please refer to the official documentation: SafeLine Documentation