DEV Community

Lulu

SafeLine WAF Optimization Tips: A Practical Guide for System Operators

After installing the SafeLine WAF, some users may want to tweak a few settings but aren’t sure where to start. Here’s a guide based on my own experience.

Before making any changes to SafeLine configuration files, remember to back up the original content. Also, be aware that updates to SafeLine might overwrite your changes, so be sure to reapply them after an upgrade!

Adjusting HSTS Header (Standard Duration, Preload, etc.)

First, uncheck the "Force HTTPS" option.


Then, add the following lines to /data/safeline/resources/nginx/proxy_params:

```nginx
if ($is_https = https) {
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
}

if ($is_https = http) {
    rewrite ^ https://$host$request_uri permanent;
}
```

Next, add the following to the end of /data/safeline/resources/nginx/nginx.conf, just above the include statement:

```nginx
map $scheme $is_https {
    default https;
    http http;
}
```

Finally, reload Nginx via SSH:

```bash
docker exec safeline-tengine nginx -s reload
```

This method has been tested and verified on my site.
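Before committing an HSTS value to proxy_params it is worth checking it against the preload-list requirements, because a header that carries `preload` with too short a max-age or without `includeSubDomains` will be rejected at submission time. The following checker is an added example written for this post, not SafeLine code; the one-year minimum max-age is the hstspreload.org submission requirement, and the proxy_params text it parses is a constructed copy of the snippet above.

```python
"""Check a Strict-Transport-Security value before committing it to proxy_params.

Added example for this post; not SafeLine code. The preload-list minimum
max-age (one year) is taken from the hstspreload.org submission requirements.
"""
from __future__ import annotations

import re

# hstspreload.org requires at least one year, includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31_536_000

# Constructed copy of the proxy_params snippet from the post, used as sample input.
SAMPLE_PROXY_PARAMS = '''
if ($is_https = https) {
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
}
'''


def hsts_from_nginx(config: str) -> str | None:
    """Pull the quoted HSTS value out of an nginx add_header line, or None if absent."""
    m = re.search(r'add_header\s+Strict-Transport-Security\s+"([^"]*)"', config, re.IGNORECASE)
    return m.group(1) if m else None


def parse_hsts(value: str) -> dict[str, str]:
    """Split the header into directives. Names are case-insensitive per RFC 6797,
    so 'includeSubdomains' and 'includeSubDomains' both land under 'includesubdomains'."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"')
    return directives


def check_hsts(value: str) -> list[str]:
    """Return the list of problems found; an empty list means the value is preload-ready."""
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return [str(e)]
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return ["max-age missing or not an integer"]
    age = int(max_age)
    problems: list[str] = []
    if age == 0:
        problems.append("max-age=0 tells browsers to forget the HSTS policy")
    if "preload" in d:
        if age < PRELOAD_MIN_MAX_AGE:
            problems.append(f"preload needs max-age >= {PRELOAD_MIN_MAX_AGE}, got {age}")
        if "includesubdomains" not in d:
            problems.append("preload needs includeSubDomains")
    return problems


if __name__ == "__main__":
    value = hsts_from_nginx(SAMPLE_PROXY_PARAMS) or ""
    print(value, "->", check_hsts(value) or "OK")
```

Run it against a copy of your own proxy_params to confirm the value passes before submitting the domain to the preload list; removal from that list takes a long time, so it is sensible to run with a short max-age and no `preload` first and only add `preload` once every subdomain is known to serve HTTPS.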

Adjusting TLS Versions

In /data/safeline/resources/nginx/nginx.conf, locate the following section:

```nginx
##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
```

Modify it to:

```nginx
# Intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
```

Then, reload Nginx via SSH:

```bash
docker exec safeline-tengine nginx -s reload
```

This method has also been tested and verified on my site.

Note: This configuration may prevent very old devices from connecting. Use with caution if you need perfect compatibility.
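Since a SafeLine upgrade can restore the original nginx.conf, a quick audit of the `ssl_protocols` and `ssl_ciphers` lines is useful to confirm the change is still in place. The script below is an added example written for this post, not SafeLine code; the two config strings are copies of the "before" and "after" snippets above, and the audit flags deprecated protocol versions, suites built on DES/RC4/MD5, broad aliases such as `HIGH`, suites without forward secrecy, and CBC suites that are not AEAD.

```python
"""Audit the ssl_protocols / ssl_ciphers directives in an nginx config for
deprecated protocols and weak or non-forward-secret cipher suites.

Added example for this post; not SafeLine code. The two config strings below
are copies of the 'before' and 'after' snippets from the post.
"""
from __future__ import annotations

import re

BEFORE = '''
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
'''

AFTER = '''
# Intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
'''

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list tokens for algorithms that should not be offered at all.
WEAK = re.compile(r"DES|RC4|MD5|NULL|EXPORT", re.IGNORECASE)
# Aliases that expand to whole classes of suites, including ones you did not vet.
BROAD_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}


def directive(config: str, name: str) -> str | None:
    """Return the argument string of the first `name ...;` directive, with quotes removed."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*;", config, re.MULTILINE)
    return m.group(1).strip('"\'') if m else None


def audit_tls(config: str) -> list[str]:
    """List the problems found in the ssl_protocols / ssl_ciphers lines; empty means clean."""
    findings: list[str] = []
    protocols = directive(config, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set; the build default decides")
    else:
        findings += [f"deprecated protocol enabled: {p}"
                     for p in protocols.split() if p in DEPRECATED_PROTOCOLS]
    ciphers = directive(config, "ssl_ciphers")
    if ciphers is None:
        return findings
    for suite in ciphers.split(":"):
        if not suite or suite[0] in "!-+@":
            continue  # exclusion / reordering rules do not offer anything by themselves
        if WEAK.search(suite):
            findings.append(f"weak algorithm offered: {suite}")
        elif suite in BROAD_ALIASES:
            findings.append(f"broad alias {suite} pulls in unvetted suites")
        elif not re.search(r"ECDHE|EECDH|DHE|EDH", suite):
            findings.append(f"no forward secrecy: {suite}")
        elif not re.search(r"GCM|POLY1305|CCM", suite):
            findings.append(f"includes CBC (non-AEAD) suites: {suite}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}:", "\n  ".join(audit_tls(cfg)) or "no findings")
```

Feeding it the stock configuration reports TLSv1 and TLSv1.1 plus the 3DES, non-forward-secret and CBC entries; the intermediate configuration reports nothing. The alias checks are deliberately strict: an entry such as `AES256+EECDH` does include AES-GCM suites, but it also admits CBC ones, which is why the audit prefers explicit suite names as in the replacement list.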

Connecting to the SafeLine PG Database

First, install the PostgreSQL client on your Linux machine:

```bash
sudo apt install postgresql-client
```

Next, find the SafeLine database password in /data/safeline/.env:


Then, locate the IP address of the safeline-pg container:

```bash
docker inspect safeline-pg | grep "IPAddress"
```

Now, connect to the database with the following command:

```bash
psql -h 172.22.222.2 -p 5432 -U safeline-ce
```

Success! You are now connected.
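The steps above can be wrapped so that the password read from .env is handed to psql through the `PGPASSWORD` environment variable (which libpq reads) rather than typed or pasted, which keeps it out of the command line, `ps` output and shell history, and the container IP is taken from `docker inspect` with a Go template instead of grep. This is an added example written for this post, not SafeLine code; it assumes the password is stored under the key `POSTGRES_PASSWORD` in /data/safeline/.env (the post only shows that the password is in that file, so verify the key name), and the .env text it is tested with is a constructed sample.

```python
"""Open a psql session to the safeline-pg container without typing the password
or leaving it in shell history.

Added example for this post; not SafeLine code. It assumes the password lives
under the key POSTGRES_PASSWORD in /data/safeline/.env (check the file; the
post only shows that the password is in .env).
"""
from __future__ import annotations

import os
import subprocess

ENV_PATH = "/data/safeline/.env"
PASSWORD_KEY = "POSTGRES_PASSWORD"  # assumption, see docstring

# Constructed sample, not a real SafeLine .env.
SAMPLE_DOTENV = """
# SafeLine settings (constructed sample)
SAFELINE_DIR=/data/safeline
POSTGRES_PASSWORD="s3cret-value"
SUBNET_PREFIX=172.22.222
"""


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser: skips blank and comment lines, strips matching quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def container_ip(name: str) -> str:
    """Ask Docker for the container's IP via a Go template instead of grepping 'IPAddress'."""
    fmt = "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}"
    result = subprocess.run(["docker", "inspect", "-f", fmt, name],
                            check=True, capture_output=True, text=True)
    return result.stdout.strip()


def psql_invocation(env: dict[str, str], host: str, user: str = "safeline-ce",
                    port: int = 5432) -> tuple[list[str], dict[str, str]]:
    """Build the psql argv plus a child environment that carries the password in
    PGPASSWORD, so the secret never appears in argv, `ps` output or shell history."""
    if PASSWORD_KEY not in env:
        raise KeyError(f"{PASSWORD_KEY} not found in .env")
    child_env = dict(os.environ)
    child_env["PGPASSWORD"] = env[PASSWORD_KEY]
    argv = ["psql", "-h", host, "-p", str(port), "-U", user]
    return argv, child_env


if __name__ == "__main__":
    with open(ENV_PATH, encoding="utf-8") as f:
        dotenv = parse_dotenv(f.read())
    argv, child_env = psql_invocation(dotenv, container_ip("safeline-pg"))
    subprocess.run(argv, env=child_env, check=False)
```

Run it as root or a user in the docker group on the SafeLine host; it opens the same interactive session as the manual `psql -h 172.22.222.2 -p 5432 -U safeline-ce` command. For regular use a `~/.pgpass` entry with mode 0600 achieves the same without a script.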
