DEV Community

Lulu

Achieving Multi-WAF Protection and Failover Using SafeLine WAF

To further strengthen our internal security, we decided to supplement our existing hardware WAF with the SafeLine Community Edition. Acting as a software WAF on top of our internal network, SafeLine helped us create a multi-WAF protection architecture.

During our research, we discovered that SafeLine WAF’s upstream forwarding is based on Tengine, which led us to an idea: why not configure SafeLine to handle both WAF functionality and load balancing with failover?

Here’s how we did it.

01. Setting Up a Simple HTTP Server for Testing

First, we need a basic HTTP server to test against. The key is a /status route that answers with a 200 status code; the upstream health check only inspects the status code, so the body can be anything.

Here’s the Go code for our HTTP server:

package main

import (
    "fmt"
    "log"
    "net/http"
    "os"
)

// Hello1Handler identifies node 1 so we can tell which upstream answered a request.
func Hello1Handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprint(w, "I am 11111")
}

// Hello2Handler identifies node 2.
func Hello2Handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprint(w, "I am 22222")
}

// check is the health-check endpoint. Writing a body without setting a status
// makes net/http answer 200, which is all the upstream check looks at.
func check(w http.ResponseWriter, r *http.Request) {
    fmt.Fprint(w, "check")
}

func main() {
    // Any command-line argument selects node 1 on :8001; no argument selects node 2 on :8002.
    if len(os.Args) > 1 {
        http.HandleFunc("/hello", Hello1Handler)
        http.HandleFunc("/status", check)
        log.Fatal(http.ListenAndServe(":8001", nil))
    } else {
        http.HandleFunc("/hello", Hello2Handler)
        http.HandleFunc("/status", check)
        log.Fatal(http.ListenAndServe(":8002", nil))
    }
}
  • The same binary serves one node per process: run it once with any argument to get node 1 on port 8001, and once with no argument to get node 2 on port 8002.

Build it once and start both instances (one with an argument, one without) before moving on to SafeLine.

02. Configuring SafeLine WAF

Now, in SafeLine, create a new site and point the upstream server to the first node.


After testing, you should see that the requests are being properly forwarded to the HTTP server on port 8001.


03. Modifying the SafeLine Nginx Configuration

Next, we modify SafeLine’s Nginx configuration file for load balancing and failover.

  • File path: /data/safeline/resources/nginx/sites-enabled
  • You’ll find several configuration files here, named with the format IF_backend_*. Each new website you create will generate a new configuration file in this format.

Find the configuration file for the site you just created (grep the files for the port the site listens on, or for the upstream address you entered, to identify the right one). In my case the file was named IF_backend_2. One check before editing: these files are generated by SafeLine, so after you save your change, and again after any later edit to the site in the console, confirm that your upstream block is still present, since a regenerated file would silently drop it.

Next, add an upstream block that lists both nodes and point the site's proxy_pass at it; this is what gives you health-check-based load balancing with failover. The original post shows its configuration as screenshots (not reproduced here); the essentials are an upstream block with one server line per node, equal weights, and the health-check parameters, which you can then tune to your needs.
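The configuration itself, as an added example rather than the screenshot from the original post. The upstream name demo_backend, the node address 192.168.1.10 and the shape of the server block are assumptions; SafeLine's generated IF_backend_* file already has its own server block, so the upstream block goes outside it at http level and the existing proxy_pass is pointed at the upstream name. The check* directives come from Tengine's ngx_http_upstream_check_module; the post does not confirm that SafeLine's Tengine build includes that module, so if nginx -t rejects them, drop those three lines and keep the max_fails/fail_timeout passive checks, which stock nginx honours.

```nginx
# Added example, not the configuration from the original post.
# Addresses and the upstream name are assumptions; adjust them to your site.

upstream demo_backend {
    # Equal weights: round robin alternates requests between the two nodes.
    # max_fails/fail_timeout are stock nginx passive health checks: after 3 failed
    # attempts within 10s the node is skipped for the next 10s, then retried.
    server 192.168.1.10:8001 weight=1 max_fails=3 fail_timeout=10s;
    server 192.168.1.10:8002 weight=1 max_fails=3 fail_timeout=10s;

    # Active health check (Tengine ngx_http_upstream_check_module, assumed to be
    # compiled in). Every 3s Tengine requests /status; a node is taken out of
    # rotation after 3 consecutive failures and readmitted after 2 passes.
    check interval=3000 rise=2 fall=3 timeout=1000 type=http;
    check_http_send "GET /status HTTP/1.0\r\n\r\n";
    check_http_expect_alive http_2xx;
}

server {
    # ... SafeLine's generated listen/server_name and WAF directives stay as they are ...

    location / {
        # Retry the next node on connection errors, timeouts and 5xx so the
        # client never sees a node that died between two health checks.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_pass http://demo_backend;
    }
}
```

The difference between the two kinds of check matters for the failover test later: with passive checks alone a dead node is only discovered when a real request hits it and fails over, whereas the active check removes it from the pool before any client request reaches it.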

04. Validating the Configuration and Reloading Nginx

After modifying the configuration, validate it and reload SafeLine's Nginx (Tengine) so the change takes effect.

  1. Validate the configuration:

     docker exec safeline-tengine nginx -t

     If the output reports that the syntax is ok and the test is successful, proceed to the next step. If it fails, fix the reported line before reloading; a reload with a broken configuration is refused and the old configuration stays active.

  2. Reload Nginx to apply the changes (this is a graceful reload, not a restart, so in-flight requests are not dropped):

     docker exec safeline-tengine nginx -s reload

05. Testing the Results

  • Load Balancing Test:


Because both nodes have equal weight, round robin alternates requests between them: repeated requests to /hello through the WAF should return "I am 11111" and "I am 22222" in turn, with each node taking about half of the traffic.

  • Failover Test: If we shut down the server on port 8002, all requests are routed to the remaining server on 8001. Also confirm that the client saw no 5xx responses during the switchover; the survivor answering is only half of the test, the other half is that nobody noticed the failure.

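To make both tests measurable instead of eyeballing a browser, here is a small client added as an example (it is not part of the original post). It sends a batch of requests to the SafeLine site, tallies which node answered by the /hello body, counts anything other than a 200 as a failure, and reports whether the split is reasonably even. The address waf.example.internal is an assumption; pass your real site URL as the first argument.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"sort"
	"strings"
	"time"
)

// Result is one observation of a request sent through the WAF.
type Result struct {
	Status int    // HTTP status returned by SafeLine (0 when the request failed)
	Body   string // response body, used to identify which upstream node answered
	Err    error  // transport error, if any
}

// Summary counts how many requests each node answered and how many failed.
type Summary struct {
	ByBackend map[string]int
	Failed    int
	Total     int
}

// Probe sends n GET requests to url and records who answered each one.
func Probe(client *http.Client, url string, n int) []Result {
	results := make([]Result, 0, n)
	for i := 0; i < n; i++ {
		resp, err := client.Get(url)
		if err != nil {
			results = append(results, Result{Err: err})
			continue
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			results = append(results, Result{Status: resp.StatusCode, Err: err})
			continue
		}
		results = append(results, Result{Status: resp.StatusCode, Body: strings.TrimSpace(string(body))})
	}
	return results
}

// Summarize tallies results per node. Non-200 responses and transport errors
// count as failures: behind a working failover the client should never see them.
func Summarize(results []Result) Summary {
	s := Summary{ByBackend: map[string]int{}, Total: len(results)}
	for _, r := range results {
		if r.Err != nil || r.Status != http.StatusOK {
			s.Failed++
			continue
		}
		s.ByBackend[r.Body]++
	}
	return s
}

// Balanced reports whether every node that answered received at least minShare
// of the successful requests (0.4 is a sensible bar for two equal-weight nodes).
// After a failover only one node answers, so it trivially holds the full share.
func Balanced(s Summary, minShare float64) bool {
	ok := s.Total - s.Failed
	if ok == 0 || len(s.ByBackend) == 0 {
		return false
	}
	for _, c := range s.ByBackend {
		if float64(c)/float64(ok) < minShare {
			return false
		}
	}
	return true
}

func main() {
	url := "http://waf.example.internal/hello" // assumed SafeLine site address
	if len(os.Args) > 1 {
		url = os.Args[1]
	}
	client := &http.Client{Timeout: 3 * time.Second}
	s := Summarize(Probe(client, url, 20))

	names := make([]string, 0, len(s.ByBackend))
	for k := range s.ByBackend {
		names = append(names, k)
	}
	sort.Strings(names)
	for _, k := range names {
		fmt.Printf("%-12s %d\n", k, s.ByBackend[k])
	}
	fmt.Printf("failed: %d/%d  balanced: %v\n", s.Failed, s.Total, Balanced(s, 0.4))
}
```

Run it once with both nodes up (expect two keys at roughly 10 each, failed 0/20), then kill the 8002 process and run it again: a single key with 20 hits and failed 0/20 is a clean failover, while any non-zero failed count means a request reached the dead node and was not retried.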


Conclusion

SafeLine’s integration with Tengine (Nginx) offers a wealth of features, including load balancing and health monitoring. With a few configuration tweaks, you can easily enhance your WAF with these additional capabilities, ensuring both robust security and high availability.

SafeLine’s built-in Nginx is highly configurable and supports various common load-balancing configurations. Now, it's up to you to explore more!
