The SafeLine WAF High Availability solution ensures business continuity and guarantees the availability of SafeLine. This tutorial introduces how to build a high-availability WAF cluster using SafeLine's master-slave synchronization feature.
Prerequisites
- SafeLine WAF version 7.0.0 or higher
- At least two running SafeLine WAF servers
- Each SafeLine WAF has a Professional Edition (or higher) license activated, and all nodes run the same license version
Applicable Scenarios
Scenario Description
Considering the continuous security protection requirements of enterprise applications and the business interruption risks caused by single points of failure, a high-availability WAF protection solution is needed. This is especially important in the following scenarios:
- Industries with high business continuity requirements such as finance and e-commerce
- Critical business systems requiring 24/7 uninterrupted protection
- Scenarios with SLA commitments for security protection
- Multi-data center architectures requiring cross-regional deployment
Solution
Through master-slave configuration synchronization, SafeLine's website applications, engine rules, black/white rules, etc. are automatically synchronized to the slave nodes in near real time. Specific implementation methods and features:
- Master node responsible for configuration management and rule distribution
- Slave nodes synchronize master node configurations in real-time
- Automatic traffic takeover by slave nodes when master node fails
- Support for multiple slave nodes deployment, providing higher availability
- Automatic configuration synchronization without manual intervention
Solution Advantages
- High Availability: The master-slave architecture and automatic failover keep the WAF service from being interrupted
- Configuration Consistency: All nodes maintain synchronized configurations, avoiding security vulnerabilities due to configuration inconsistencies
- Strong Scalability: Supports dynamic addition of slave nodes to meet business growth needs
- Easy Maintenance: Centralized configuration management reduces operational complexity
- Cost-Effective: Better cost-performance ratio compared to traditional dual-machine hot backup solutions
- Zero Business Interruption: Failover is transparent to the business and requires no manual intervention
Enabling Configuration Synchronization
Demo Data
Server information used in this tutorial:
- Master Server: 172.28.222.122
- Slave Server: 172.28.222.123
Master Node Operations
1. Get Synchronization Command
   - Log in to WAF Console -> Settings -> Config Auto Sync, click "Become Master Node"
2. Modify Communication Address
   - By default, the current console access address is used as the communication address for slave nodes to connect to the master node
   - For security and stability, if the obtained address is a public network address, it's recommended to change it to an internal (local) network address
3. Copy Synchronization Command
   - Copy the displayed synchronization command for use on slave nodes
Slave Node Operations
Execute the synchronization command on the slave node
Wait for Master-Slave Synchronization
Expected wait time is 1-2 minutes. The master node interface will show:
The slave node interface will show:
Confirm Configuration Synchronization
When the last synchronization time updates to within the last one or two minutes, you can verify the synchronization status of website applications and various protection configurations on the slave node.
Frontend Load Balancing
After completing the master-slave configuration of SafeLine WAF, you can use Nginx to configure load balancing to distribute traffic to master and slave nodes. Nginx is a high-performance HTTP and reverse proxy server, making it an excellent choice for load balancing.
Install Nginx
Install Nginx on the load balancer server:
```bash
# CentOS/RHEL
yum install nginx
# Ubuntu/Debian
apt-get install nginx
```
Configure Nginx Load Balancing
Edit the Nginx configuration file /etc/nginx/nginx.conf, or create a new configuration file. If you create a file under /etc/nginx/conf.d/, keep only the upstream and server blocks, because files in that directory are already included inside the http block of nginx.conf:
```nginx
# A full nginx.conf must contain an events block, or nginx refuses to start
events {
    worker_connections 1024;
}

http {
    upstream safeline_cluster {
        ip_hash; # Use IP hash algorithm to ensure requests from the same client are always sent to the same backend server
        server 172.28.222.122:80; # Master node
        server 172.28.222.123:80; # Slave node
    }

    server {
        listen 80;
        server_name your-domain.com; # Replace with your domain name

        location / {
            proxy_pass http://safeline_cluster;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```
Configuration Details
- The `ip_hash` directive ensures that requests from the same IP are always forwarded to the same backend server, which is crucial for WAF session persistence
- Configure master and slave node IP addresses and ports in the `upstream` block
- Set proxy headers to ensure backend servers receive correct client information
Start Nginx
```bash
# Test configuration file syntax
nginx -t
# Start Nginx
systemctl start nginx
# Enable auto-start on boot
systemctl enable nginx
```
Set Domain Resolution
Point your domain name to the IP address of the server running the Nginx load balancer. After DNS propagation, verify that the site is reachable through the domain name.
Monitoring and Maintenance
- Regularly check Nginx access and error logs
- Configure Nginx status monitoring page
- Set up appropriate log rotation policies
- Adjust Nginx performance parameters based on actual requirements
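Checking the access log is the quickest way to see whether both nodes are actually serving traffic and how often Nginx had to fall over from one node to the other. The script below is an added example, not part of the SafeLine documentation; it assumes the load balancer logs `$upstream_addr` and `$upstream_status` with the `log_format` shown in the comment, and runs over constructed sample lines.

```bash
#!/bin/sh
# Added example: summarise which cluster node served each request and how
# often Nginx retried on the other node. Assumes a log_format such as:
#   log_format upstreamlog '$remote_addr [$time_local] "$request" $status '
#                          'up="$upstream_addr" ust="$upstream_status"';
# When Nginx retries a request (proxy_next_upstream), $upstream_addr lists
# every address tried, separated by ", ", so a line with two addresses is a
# failover event for that request.

# Constructed sample log lines for the two-node cluster (not real traffic).
SAMPLE_LOG='10.0.0.5 [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 up="172.28.222.122:80" ust="200"
10.0.0.6 [01/Jan/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 up="172.28.222.123:80" ust="200"
10.0.0.5 [01/Jan/2025:10:00:03 +0000] "GET /api HTTP/1.1" 200 up="172.28.222.122:80, 172.28.222.123:80" ust="502, 200"
10.0.0.7 [01/Jan/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 up="172.28.222.123:80" ust="200"
10.0.0.5 [01/Jan/2025:10:00:05 +0000] "GET /api HTTP/1.1" 200 up="172.28.222.122:80, 172.28.222.123:80" ust="504, 200"'

# failover_report reads log lines on stdin and prints "failovers <n>" plus
# one "served <addr> <count>" line per node that finally answered.
failover_report() {
  awk '
    match($0, /up="[^"]*"/) {
      addrs = substr($0, RSTART + 4, RLENGTH - 5)  # strip up=" and closing "
      n = split(addrs, a, /, /)
      served[a[n]]++                               # last address answered
      if (n > 1) failovers++
    }
    END {
      for (s in served) printf "served %s %d\n", s, served[s]
      printf "failovers %d\n", failovers + 0
    }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | failover_report
```

Repeated failovers for the same client IP mean that `ip_hash` keeps pinning it to a node that is erroring; Nginx takes that node out of rotation after `max_fails` failures within `fail_timeout`, so a rising failover count is the signal to inspect that node before it is removed.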
Summary
Through the above configuration, we have successfully built a high-availability SafeLine WAF cluster. This solution not only provides continuous security protection capabilities but also achieves automatic switching when nodes fail, ensuring stable operation of business systems. In actual deployment, it's recommended to choose an appropriate number of nodes based on business scale and requirements, and regularly conduct failure drills to verify the reliability of the high-availability solution. At the same time, attention should be paid to monitoring and alerting to promptly discover and handle potential issues, providing more reliable security protection for business systems.
FAQ
Q: Are there other SLB solution options?
A: The choice of SLB is not restricted: common cloud vendor load balancers can be used, or even a simple Nginx setup.
Q: Why does it always show "Synchronizing"?
A: "Synchronizing" only indicates that the master-slave synchronization mode is running normally, not the data synchronization completion status. Therefore, there are only two states: synchronizing and not synchronized.
Q: Can slave nodes edit configurations?
A: No. Slave nodes are read-only and can only follow master node configurations.
Q: Do slave nodes need separate licenses?
A: Yes, each slave node needs a separate license.
Q: Why hasn't the last synchronization time updated or why is there a large time gap?
A: Check if there are obvious errors in the master-slave mgt container logs, or try unbinding and re-synchronizing.
Q: Can master and slave nodes receive traffic simultaneously?
A: Yes.
- SafeLine Website: https://ly.safepoint.cloud/ShZAy9x
- Live Demo: https://demo.waf.chaitin.com:9443/statistics
- Discord: https://discord.gg/dy3JT7dkmY
- Doc: https://docs.waf.chaitin.com/en/home
Top comments (2)
The Nginx Config file doesn't work.
Could you please explain more details? And if you want to talk further, join our Discord server to chat with our engineers. Or you can send us your email via "Contact us" on our website!