How to Configure an Open Source WAF, SafeLine

This article is written by a SafeLine user, Tale365

Why

My tiny blog was hacked before, and many malicious advertisements were injected into the articles. It took a significant amount of time to clean up and recover my articles. Unfortunately, some of the content was destroyed and couldn’t be recovered.

My storage was targeted by a CC attack, resulting in an excessive number of HTTPS requests and traffic that I had to pay for.

This experience has made me realize the importance of a WAF (Web Application Firewall). Previously, I was using a free WAF provided by Baidu, but now they are charging for it, and the cost is too high for a personal blog.

Therefore, I started looking for a free WAF that I could install on my own server. During my search, I came across SafeLine WAF, which caught my attention due to an attractive comparison. After a month-long trial, I found its performance and effectiveness satisfactory, although there is still room for improvement. I intend to continue using it for the time being until a better option becomes available.

Configure the WAF

For how to install and upgrade the SafeLine WAF, please refer to the official doc. Here we only talk about the configurations.

Let’s take a look at the dashboard first. It is quite easy to comprehend the statistics and geographical information.

Enable HTTPS/SSL access

We need to upload the SSL certificates through the “Settings > Certifications” section. In order to enable the WAF admin page to use the customized certificates, we should select the correct certificates in the “Waf Backend Cert” section.

Secondly, we should enforce HTTPS by going to “Settings > General > force HTTPS”.

The remaining options are beneficial:

• HTTP2: If the web server supports HTTP/2, enabling it can help improve performance.
• Joining the Intelligence Sharing Plan: It is recommended to choose this option so that we can contribute any malicious IP addresses detected to the community.

Add the sites we want to protect

In the “Protected Sites” section, add configurations to enable SSL on port 443 and non-SSL on port 80. The previous “force HTTPS” setting will redirect HTTP traffic on port 80 to HTTPS on port 443. Select the uploaded certificates and input the upstream server. Here, I connected to an internal web server. Unfortunately, using “localhost” is not allowed in this context.

Ban the malicious IPs

There are two approaches to adding IPs. The first one is to add IPs in “Settings > IP Groups”. In this section, you will find a “Malicious IP Group by Community” contributed by the community, which is linked to the “Joining the Intelligence Sharing Plan” option.

The second approach is to add IPs through the “Events” section.

Regardless of which approach you choose, please remember to configure them in “Protections > Allow/Deny List”. Otherwise, they will not be effective.

Whitelist the search engines

Add “Allowlist” entry to allow the spiders from the search engines

/.*(Googlebot|Google Favicon|Storebot-Google|Google-
InspectionTool|GoogleOther|Google-Extended|APIs-Google|AdsBot-
Google|Mediapartners-Google|FeedFetcher-Google|GoogleProducer|Google-
Read-Aloud|Google-Site-
Verification|bingbot|MicrosoftPreview|Yahoo|YandexBot|Baiduspider|Sog
ou web spider|360Spider|YisouSpider|Bytespider).*/i

Other configurations

Secure SSL Protocol and Ciphers

By default, SafeLine WAF allows TLS 1.0 and TLS 1.1, and it allows some insecure ciphers of TLS 1.2. If we want to make the website more secure, we need to modify the configurations in Nginx.

vi /data/safeline/resources/nginx/nginx.conf

nginx.conf
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-
SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-
SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-
RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-
POLY1305";

We can use https://www.ssllabs.com/ssltest/ for testing the result.

Memory Limit

To check the memory consumption, please use the following command:

docker stats --no-stream

To control the memory consumption of SafeLine WAF, we can edit the compose.yaml file and mem_limit directive. Below is just an example:

vi /data/safeline/compose.yaml

compose.yaml
services:
  postgres:
    container_name: safeline-postgres
    restart: always
    image: postgres:15.2
    mem_limit: 96m

Unfortunately, those configurations in compose.yaml will be overwritten during an upgrade, and we will need to reconfigure them again. And recreate the images.

docker compose up -d --force-recreate

Notes

The priority of the logics:Whitelist > Backlist > reCaptcha > Semantics

Issues

I have identified some issues that were raised in the GitHub support. There is still room for improvement, and I hope that SafeLine WAF can continue to enhance its performance while remaining free of charge.

• ECC support: [建议] 申请免费证书可否用ecc算法 · Issue #400 · chaitin/SafeLine (github.com)
• HTTP/3 support: [建议] 443端口支持UDP · Issue #356 · chaitin/SafeLine (github.com)
• Secure SSL support: [建议] 可以添加SSL协议设置，比如禁用TLS 1.2以下的版本吗？ · Issue #355 · chaitin/SafeLine (github.com)
• localhost support: [建议] 本机安装WAF是否可以使用localhost作为上游？ · Issue #322 · chaitin/SafeLine (github.com)
• Blocking 127.0.0.1: [Bug] 误拦截本机发起的请求 · Issue #320 ·chaitin/SafeLine (github.com)

Reference

SSL Server Test (Powered by Qualys SSL Labs)
Google Crawler (User Agent) Overview | Google Search Central | Documentation | Google for Developers
Which Crawlers Does Bing Use – Bing Webmaster Tools