DEV Community

Lulu
Lulu

Posted on

The New WAF Choice for Developers: SafeLine

What is a WAF?

A Web Application Firewall (WAF) acts as a security shield for your server exposed to the internet. Without a WAF, your server is vulnerable to various attacks such as SQL injection, code injection, and website backdoors. Even if these threats don't concern you directly, hackers can exploit these vulnerabilities to deploy mining scripts on your server, leading to CPU overload and resource exhaustion.

Why Choose SafeLine?

  1. Cost Control:

    SafeLine offers both a Community Edition and a Professional Edition. The free Community Edition provides all the essential features to meet my current needs without any additional cost.

  2. Easy Deployment:

    As a frequent Docker user, I appreciate that SafeLine supports containerized deployment. It’s ready to use out of the box, saving me from unnecessary setup hassles.

  3. Security Protection:

    For personal websites, having a secure and stable environment is paramount. SafeLine delivers a straightforward yet reliable security solution, ensuring your small space remains safe and sound.

Introduction to SafeLine

SafeLine is a WAF meticulously developed by Chaitin Technology over nearly a decade. Its core detection capabilities are driven by intelligent semantic analysis algorithms. The traffic processing engine is built on Nginx and operates as a reverse proxy, intercepting traffic before it reaches your web server. SafeLine inspects and cleans malicious traffic, forwarding only sanitized traffic to your server.

This architecture ensures that external attack traffic never reaches your web server, providing robust protection.

Architecture Diagram

Image description

Deploying SafeLine

1. Installation

SafeLine offers multiple installation methods. For detailed instructions, refer to the official documentation: SafeLine Installation Guide.

To quickly install SafeLine, execute the following command:

bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"
Enter fullscreen mode Exit fullscreen mode

Upon successful installation, you'll receive access details. Make sure to save them:

[SafeLine] Initial username: admin
[SafeLine] Initial password: **********
[SafeLine] Done
Enter fullscreen mode Exit fullscreen mode
2. Log into the Console

Open your browser and navigate to the backend management page at https://<your-server-ip>:9443. Enter the username and password provided during installation to access the homepage.

3. Configure Your Site

My original setup was: Domain → Nginx listening on port 80 and forwarding → Application. To integrate SafeLine, I simply configured SafeLine to proxy Nginx, as shown below:

Image description

Of course, SafeLine can also work alongside Nginx if preferred.

Image description

3.1 Start Configuration

Navigate through the menu: Web ServicesAdd Web Service

Image description

  • Domain: Your domain or server IP
  • Port: 80
  • Upstream Server: Your server IP + application port

Image description

Submit the configuration. Access your domain or IP directly and check the homepage to ensure your requests are being processed through SafeLine.

3.2 Test Protection

If you see your requests, it means SafeLine has been successfully integrated. You can perform some test attacks to verify, but avoid repeated attempts as SafeLine will block your IP after multiple attacks.

For example:

  • Simulate SQL Injection: Visit http://<your-domain>:<port>/?id=1%20AND%201=1
  • Simulate XSS: Visit http://<your-domain>:<port>/?html=<script>alert(1)</script>

If you see the protective shield icon, your site is secure.

Image description

3.3 Configure Dynamic Protection

Dynamic protection helps safeguard your website’s source code. To configure it, follow these steps: MenuWeb ServicesDynamic

Image description

3.4 Other Features
  • Rate Limiting: Enable high-frequency access and attack rate limiting to prevent your site from being overwhelmed by repeated requests. Even if your site doesn’t hold critical data, you don’t want it constantly under attack.

Image description

  • Force HTTPS: In the proxy settings, you can enforce HTTPS. If you don’t have an SSL certificate, you can apply for a free one with a one-year validity. Upload the certificate in SafeLine’s certificate management.

Image description

Change your listening port to 443, enable SSL, select your certificate, and submit. Enjoy the added security provided by SafeLine!

Note: If you need more detailed information, please refer to the official documentation: SafeLine Documentation

Top comments (0)