How to Deploy SafeLine WAF on a Hestia Control Panel VPS

Maxim Cravtov — Fri, 22 Aug 2025 06:38:31 +0000

SafeLine is a powerful, self-hosted Web Application Firewall (WAF) that operates independently of specific control panels like Hestia Control Panel. This guide walks you through deploying SafeLine on a VPS that already runs Hestia Control Panel.

⚠️ Disclaimer: SafeLine is not a native plugin for Hestia Control Panel. It must be deployed independently and configured to proxy traffic to your Hestia Control Panel-hosted sites. This guide assumes you are familiar with Linux server administration and Docker.

Prerequisites

A VPS
Hestia Control Panel already installed on the VPS and functional.
Root or sudo access to the VPS.
CPU with SSSE3 instruction support (required by SafeLine).
Public IP address or proper DNS pointing to the VPS.
Docker and Docker Compose installed.

Step-by-Step Deployment

Install Hestia Control Panel We will use Ubuntu 24.04 To generate installation instruction you can visit official page - Official Web Site But I will use next commands

wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh
and bash hst-install.sh --multiphp '7.4,8.0,8.1,8.2,8.3,8.4' --named no --fail2ban no

(in my case i dont need DNS server and fail2ban service running also i would like to have diffirent version of php 7.4-8.3)

During install you will be asked for a few questions like

Please enter administrator username: (valid username)

Please enter administrator password: (valid password)

Please enter admin email address: (valid email where you will get CP notifications)

Please enter FQDN hostname (and a hostname of your server)

Installation will take up to 10-15 minutes at the end VM will be rebooted

After reboot login to your server via ssh and we need to edit a few settings before starting to install SafeLine WAF

Open nginx folder embed /etc/nginx/conf.d/ here you will see config file with called ip_of_your_server.conf open it and change ports 80 and 443 to 7080 and 7443 restart nginx - service nginx restart

And finaly open - /usr/local/hestia/conf/hestia.conf and change

PROXY_PORT='80'
PROXY_SSL_PORT='443'

PROXY_PORT='7080'
PROXY_SSL_PORT='7443'

This changes will allow to install unlimited number of Applications under Hestia Control Panel ready to be added to SafeLine WAF

Now we are ready to install SafeLine WAF

Install Docker in your system

Add Docker's official GPG key:

sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

Add the repository to Apt sources:

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

and start docker

service docker start

And now lets install SafeLine

mkdir -p "/data/safeline"
cd "/data/safeline"
cd "/data/safeline"
touch ".env"

Write the following content in the ".env" file

SAFELINE_DIR=/data/safeline
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD={postgres-password}
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
ARCH_SUFFIX=
RELEASE=lts
REGION=-g

More detailed Guide - Official Web Site

Now open Safeline webUI https://serverIP:9443
You will see a Software License agreement just - AGREE,START USING

To get login credentials execute next command from server shell

docker exec safeline-mgt resetadmin

you will get output example

[INFO] Initial username：admin
[INFO] Initial password：YourPassword
[INFO] Done

Open Application section and click Add Aplication

In Domain section put your domain name
Under SSL Cert press Add New cert (new tab will be opened)

Press ADD CERT and upload your existing SSL cert or reques a free one by selecting get free cert

After adding you cert you can go back to previos screen with application under SSL cert section select your added ssl under upstren add http://$server_IP:7080

And now open your domain in browser and check how it works.

You also can test WAF working state by sending a few test requests
for ex.

Code Injection: https://$domain/?id=phpinfo();system('id') 
SQL Injection: https://$domain/?id=1+and+1=2+union+select+1

On this request you will get an Access Forbidden Page

Also this Attack test will be loged in SafeLine dashboard under Attack section

Also under main Statistic section you can track all activiy stats in real time

Thats all.

⸻

Considerations

SSL: SafeLine supports automatic HTTPS with Let’s Encrypt or uploading your own certificates.
Rate Limiting, Bot Management, and Rules: All configurable in the SafeLine panel per application.
Multiple Sites: You can create multiple “Applications” in SafeLine for each Hestia Control Panel-hosted website. ⸻

Known Limitations

Resource usage: Running both SafeLine and Hestia Control Panel on the same VPS requires sufficient CPU and memory.
⸻

Final Tips

Backup your server before introducing new reverse proxy rules.
You can test SafeLine with one non-critical domain before deploying site-wide.
Monitor application logs via SafeLine UI to ensure normal access and protection are in place.
⸻

Documentation & Support

SafeLine Website: https://ly.safepoint.cloud/ShZAy9x
Official Docs: https://docs.waf.chaitin.com/en/home
SafeLine Demo: https://demo.waf.chaitin.com:9443
Community Discord: https://discord.gg/dy3JT7dkmY
⸻

SafeLine is an excellent option for homelab users and developers who prefer full control and visibility over web application protection. While not tailor-made for Hestia Control Panel, it can be effectively deployed on the same VPS with careful configuration.

DEV Community: Maxim Cravtov