Arina Cholee

How to Integrate SafeLine WAF with Ingress-Nginx in Kubernetes

If you're running workloads in Kubernetes, you’re probably already using Ingress-Nginx to manage external access to your services.

But as your apps grow, so does the need to protect them from real-world threats like SQL injection, XSS, and RCE attacks.

That’s where SafeLine Community Edition comes in — a free, high-performance Web Application Firewall (WAF) you can easily integrate with Ingress-Nginx to add an extra layer of security.

In this guide, we’ll walk through how to connect SafeLine with Ingress-Nginx, using either Helm or a custom image build.

Prerequisites

Before you begin, make sure:

  • You’re running SafeLine version ≥ 5.6.0
  • You have access to a Kubernetes cluster
  • You have kubectl and Helm installed

Step 1: Prepare SafeLine Configuration

We’ll use a ConfigMap to define the SafeLine detection engine’s host and port.

# safeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: safeline
  namespace: ingress-nginx
data:
  host: "detector_host"  # Replace with your SafeLine detection engine address
  port: "8000"           # Default port for SafeLine

Apply the configuration:

Step 2: Fresh Installation with Helm

If you don’t already have Ingress-Nginx, install it with Helm.
Then, modify your values.yaml to use the SafeLine plugin:

Step 3: Build Your Own Ingress-Nginx Image

Prefer building it yourself?
Here’s a sample Dockerfile that adds the SafeLine plugin:

Step 4: Add SafeLine to an Existing Ingress-Nginx

If you already have Ingress-Nginx running, follow these steps:

Install the SafeLine Plugin

Refer to the Dockerfile above and install the plugin manually via LuaRocks.

Configure the SafeLine Plugin

Apply your ConfigMap:

Enable SafeLine in the controller config:

Inject SafeLine Environment Variables

Add environment variables to your Ingress-Nginx deployment or DaemonSet:

Step 5: Test the Integration

Run a test request to simulate a malicious payload:

curl http://localhost:80/ -H "Host: example.com" \
-H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'echo hello'"

If the integration is successful, you’ll get a 403 Forbidden response:

You can then check your SafeLine dashboard for detailed logs and analysis.
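
A 403 on its own does not show that SafeLine produced it, so the script below (an added example, not from the original post or the SafeLine project) sends a benign baseline request alongside the Step 5 test request and compares the two status codes. The function names, verdict strings, benign User-Agent and the WAF_CHECK_URL / WAF_CHECK_HOST variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare a benign request with the Step 5 test request.
# Names, verdict strings and the WAF_CHECK_* variables are assumptions.

# Test User-Agent copied from Step 5 of the post.
TEST_UA="() { :; }; echo; echo; /bin/bash -c 'echo hello'"
# Constructed benign User-Agent for the baseline request.
BENIGN_UA="waf-integration-check/1.0"

# probe_status URL HOST USER_AGENT -> prints the HTTP status code.
# curl prints 000 when no HTTP response was received.
probe_status() {
  curl -s -o /dev/null -m 10 -w '%{http_code}' \
    -H "Host: $2" -H "User-Agent: $3" "$1" || true
}

# classify_waf BASELINE_CODE TEST_CODE -> prints a verdict.
classify_waf() {
  case "$1:$2" in
    # No response (or no curl output at all) for either request.
    000:*|*:000|:*|*:) echo "unreachable" ;;
    # Benign traffic is refused too: the 403 proves nothing about the WAF.
    403:403)           echo "blocks-everything" ;;
    # Only the test request is refused: the WAF is in the request path.
    *:403)             echo "blocking" ;;
    # Test request was served: plugin not loaded or detector not reached.
    *)                 echo "not-inline" ;;
  esac
}

# check_waf URL HOST -> prints the verdict, succeeds only on "blocking".
check_waf() {
  base=$(probe_status "$1" "$2" "$BENIGN_UA")
  attack=$(probe_status "$1" "$2" "$TEST_UA")
  verdict=$(classify_waf "$base" "$attack")
  echo "baseline=$base test=$attack verdict=$verdict" >&2
  echo "$verdict"
  [ "$verdict" = "blocking" ]
}

# Runs only when a target is supplied through the environment.
if [ -n "${WAF_CHECK_URL:-}" ]; then
  check_waf "$WAF_CHECK_URL" "${WAF_CHECK_HOST:-example.com}"
fi
```

Set WAF_CHECK_URL (and optionally WAF_CHECK_HOST) before running the script; it exits non-zero unless the verdict is blocking, so it can serve as a post-deploy check.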

By following this guide, you’ll have Ingress-Nginx integrated with SafeLine, helping you enhance the security of your Kubernetes clusters with minimal effort.

GitHub Repository: https://ly.safepoint.cloud/rZGPJRF
Official Website: https://ly.safepoint.cloud/eGtfrcF
Live Demo: https://ly.safepoint.cloud/DQywpL7

Secure your Kubernetes Ingress.
Start integrating SafeLine today.
