Want to add a powerful open-source Web Application Firewall (WAF) to your API gateway? In this tutorial, we’ll walk you through integrating SafeLine WAF with Apache APISIX, enabling comprehensive traffic protection and blocking malicious requests like SQL injection, XSS, and more.
Official plugin documentation:
👉 Apache APISIX - Chaitin WAF Plugin Docs
What Is APISIX and SafeLine?
Apache APISIX is a high-performance, cloud-native API gateway that provides dynamic routing, traffic splitting, and load balancing, among other features.
SafeLine WAF, developed by Chaitin Tech, offers advanced HTTP protection and a built-in detection engine to secure web applications.
With APISIX v3.5.0 or later, the chaitin-waf plugin can easily route traffic through SafeLine for security checks.
Prerequisites
- APISIX ≥ 3.5.0
- SafeLine ≥ 5.6.0
Step 1: Configure SafeLine for TCP Traffic
By default, SafeLine uses Unix sockets for communication. For integration with APISIX, switch to TCP mode.
cd /data/safeline/resources/detector/
Edit detector.yml and add the following:
bind_addr: 0.0.0.0
listen_port: 8000
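This configures SafeLine to listen for TCP traffic on port 8000 on all interfaces. Only the APISIX host needs to reach this port, so restrict access to it accordingly.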
Step 2: Expose Port 8000
Modify compose.yaml to expose port 8000 for the SafeLine container:
cd /data/safeline/
Add the ports section to the detect service:
detect:
  ...
  ports:
    - 8000:8000
Restart SafeLine:
docker compose down
docker compose up -d
Step 3: Install APISIX (via Docker)
Clone and run APISIX using Docker:
git clone https://github.com/apache/apisix-docker
cd apisix-docker/compose
echo 'APISIX_DOCKER_TAG=3.5.0-debian' >> .env
docker compose -f docker-compose-release.yaml up -d
Access:
- Business endpoint: http://127.0.0.1:9080/
- Admin API: http://127.0.0.1:9180/
Step 4: Connect SafeLine to APISIX
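Bind SafeLine's detector engine to APISIX using the Admin API. The host and port are the SafeLine detector address configured in Steps 1 and 2. The X-API-KEY shown is APISIX's default admin key; change it before the Admin API is reachable from anywhere but localhost.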
curl http://127.0.0.1:9180/apisix/admin/plugin_metadata/chaitin-waf \
  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
  -X PUT -d '
{
  "nodes": [
    {
      "host": "192.168.99.11",
      "port": 8000
    }
  ]
}'
Step 5: Create an APISIX Route with WAF Enabled
Create a route in APISIX with SafeLine WAF protection:
curl http://127.0.0.1:9180/apisix/admin/routes/1 \
  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
  -X PUT -d '
{
  "uri": "/*",
  "plugins": {
    "chaitin-waf": {}
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "192.168.99.12:80": 1
    }
  }
}'
Step 6: Test Your Security Setup
Test with a normal request:
curl 'http://127.0.0.1:9080/'
Simulate an SQL injection attack:
curl 'http://127.0.0.1:9080/' -d 'a=1 and 1=1'
Expected response:
{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
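A repeatable version of the Step 6 check, added here as an example (it is not code from the original post or from the SafeLine or APISIX projects): it replays both requests and tells a SafeLine block apart from any other 403. The function names are made up for this example; the block message and test payload are the ones shown above.

```python
import json
import sys
import urllib.error
import urllib.request

# Block message and test payload are taken from Step 6 of the tutorial.
BLOCK_MESSAGE = "blocked by Chaitin SafeLine Web Application Firewall"
TEST_PAYLOAD = b"a=1 and 1=1"


def classify(status, body):
    """Map an HTTP response to (verdict, event_id)."""
    if status == 403:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        if isinstance(doc, dict) and doc.get("message") == BLOCK_MESSAGE:
            return "blocked", doc.get("event_id")
        return "other-403", None  # 403 from the upstream or another plugin
    return ("passed" if status < 400 else "error"), None


def http_fetch(url, data=None):
    """GET (or POST when data is given); return (status, body) even on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, data=data, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def smoke_test(base_url, fetch=http_fetch):
    """Replay both Step 6 requests; an empty list means the WAF is in the path."""
    problems = []
    verdict, _ = classify(*fetch(base_url))
    if verdict != "passed":
        problems.append(f"normal request: {verdict}")
    verdict, event_id = classify(*fetch(base_url, TEST_PAYLOAD))
    if verdict != "blocked":
        problems.append(f"test payload not blocked by SafeLine: {verdict}")
    elif not event_id:
        problems.append("block response has no event_id")
    return problems


if __name__ == "__main__":
    failures = smoke_test(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9080/")
    print("\n".join(failures) or "SafeLine is blocking the test payload")
    sys.exit(1 if failures else 0)
```

Run it after any change to the route or plugin metadata; a non-zero exit status means one of the two requests did not behave as in Step 6.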
Final Tip: Re-enable Site Protection for Local WAF
After switching to TCP mode, don’t forget to update the NGINX config for local site protection.
- Duplicate config file:
cp /data/safeline/resources/nginx/safeline_unix.conf /data/safeline/resources/nginx/safeline_http.conf
- Edit nginx.conf:
# include /etc/nginx/safeline_unix.conf;
include /etc/nginx/safeline_http.conf;
- Restart SafeLine:
docker restart safeline
Conclusion
By following these steps, you’ve successfully integrated SafeLine WAF with APISIX to protect your API gateway. You can now secure your APIs from common attacks like SQL injection, XSS, and more.