SafeLine is a powerful, self-hosted Web Application Firewall (WAF) that operates independently of specific control panels like cPanel. This guide walks you through deploying SafeLine on a VPS that already runs cPanel.
⚠️ Disclaimer: SafeLine is not a native plugin for cPanel. It must be deployed independently and configured to proxy traffic to your cPanel-hosted sites. This guide assumes you are familiar with Linux server administration and Docker.
Prerequisites
- A VPS
- cPanel already installed on the VPS and functional.
- Root or sudo access to the VPS.
- CPU with SSSE3 instruction support (required by SafeLine).
- Public IP address or proper DNS pointing to the VPS.
- Docker and Docker Compose installed.
Step-by-Step Deployment
1. Install Docker & Docker Compose (if not already installed)
sudo apt update
sudo apt install -y docker.io docker-compose
sudo systemctl enable docker
sudo systemctl start docker
2. Install SafeLine
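You can use the official installation script. The command below omits curl's -k flag so that the TLS certificate of the download host is verified before the script is executed:
bash -c "$(curl -fsSL https://waf.chaitin.com/release/latest/manager.sh)" -- --en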
This will pull and start SafeLine containers including the management panel.
By default, SafeLine’s management UI runs on port 9443. Ensure this port is not blocked by the server firewall and does not conflict with cPanel services.
Configure Domains to Go Through SafeLine
Once SafeLine is running:
1. Update DNS Records
Point your domain’s DNS A record to your VPS public IP address (if not done already).
2. Add an Application in SafeLine
In the SafeLine web UI:
- Go to Applications.
- Create a new application.
- Set your domain name.
- For the upstream address, input the internal IP or 127.0.0.1:<port> where your site is hosted (usually port 80 or 443).
If you want to avoid port conflicts, you can reconfigure cPanel sites to listen on internal-only ports (e.g., 8080) and let SafeLine handle 80 and 443 publicly.
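A preflight check for the SSSE3 prerequisite and the port conflicts described above, as an added example that is not part of the original guide or the SafeLine project. The function names and the sample listener table are constructed for illustration, and it assumes ss from iproute2 is installed.

```shell
#!/usr/bin/env bash
# Added example: preflight check before putting SafeLine in front of cPanel.
# Ports from the guide: 80/443 for proxied sites, 9443 for the management UI.
WAF_PORTS="80 443 9443"

# has_ssse3 FILE: succeed if the first "flags" line of a cpuinfo-style file
# lists ssse3 as a whole word.
has_ssse3() {
  grep -m1 '^flags' "$1" | grep -qw ssse3
}

# port_conflicts: read `ss -ltnpH` output on stdin, print "port process" once
# for every listener already bound to one of WAF_PORTS.
port_conflicts() {
  awk -v ports="$WAF_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      port = $4; sub(/.*:/, "", port)   # local address, e.g. 0.0.0.0:80, [::]:443
      if (!(port in want)) next
      proc = "unknown"                  # ss omits the name without root
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      key = port " " proc
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample: Apache from cPanel on 80/443 (IPv4 and IPv6), WHM on 2087.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1201,fd=4))
LISTEN 0 511 [::]:80 [::]:* users:(("httpd",pid=1201,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("httpd",pid=1201,fd=6))
LISTEN 0 128 0.0.0.0:2087 0.0.0.0:* users:(("cpsrvd",pid=990,fd=5))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*'

# preflight: run both checks against the live host; non-zero means "fix first".
preflight() {
  rc=0
  has_ssse3 /proc/cpuinfo || { echo "CPU lacks SSSE3"; rc=1; }
  found=$(ss -ltnpH | port_conflicts)
  [ -z "$found" ] || { echo "Ports already in use:"; echo "$found"; rc=1; }
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Invoke the script as root with --run so that ss can name the owning process; without the argument it only defines the functions.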
⸻
Considerations
- SSL: SafeLine supports automatic HTTPS with Let’s Encrypt or uploading your own certificates.
- Rate Limiting, Bot Management, and Rules: All configurable in the SafeLine panel per application.
- Multiple Sites: You can create multiple “Applications” in SafeLine for each cPanel-hosted website.
⸻
Known Limitations
- No native cPanel integration: You must manually configure domain forwarding and traffic routing.
- Custom firewall rules in cPanel (like CSF) may block ports used by SafeLine. You may need to open or remap ports.
- Resource usage: Running both SafeLine and cPanel on the same VPS requires sufficient CPU and memory.
⸻
Final Tips
- Back up your server before introducing new reverse proxy rules.
- You can test SafeLine with one non-critical domain before deploying site-wide.
- Monitor application logs via the SafeLine UI to ensure normal access and protection are in place.
⸻
Documentation & Support
- SafeLine Website: https://ly.safepoint.cloud/ShZAy9x
- Official Docs: https://docs.waf.chaitin.com/en/home
- SafeLine Demo: https://demo.waf.chaitin.com:9443
- Community Discord: https://discord.gg/dy3JT7dkmY
⸻
SafeLine is an excellent option for homelab users and developers who prefer full control and visibility over web application protection. While not tailor-made for cPanel, it can be effectively deployed on the same VPS with careful configuration.