Looking to add a powerful open-source WAF to your API gateway?
In this tutorial, we'll walk you through integrating SafeLine WAF with Apache APISIX, enabling full traffic protection and blocking malicious requests like SQL injection, XSS, and more.
Official plugin documentation:
👉 https://apisix.apache.org/zh/docs/apisix/plugins/chaitin-waf/
About APISIX and SafeLine
Apache APISIX is a dynamic, high-performance, cloud-native API gateway. It provides load balancing, dynamic upstreams, traffic splitting, circuit breaking, observability, and more.
SafeLine WAF, developed by Chaitin Tech, is an open-source Web Application Firewall that offers advanced HTTP protection and a built-in detection engine.
Starting from APISIX v3.5.0, the chaitin-waf plugin is built in and can be used to route traffic through SafeLine for security checks.
Requirements
- APISIX ≥ 3.5.0
- SafeLine ≥ 5.6.0
Step 1: Configure SafeLine to Accept Traffic via TCP
By default, SafeLine's detection engine listens on a Unix socket. To integrate with APISIX, we need to switch it to TCP mode.
Edit the SafeLine detector config:
cd /data/safeline/resources/detector/
Open detector.yml and modify/add the following:
bind_addr: 0.0.0.0
listen_port: 8000
This makes the detector listen on TCP port 8000 on all of the container's interfaces.
Step 2: Expose Port 8000 from the Detector Container
Open compose.yaml in your SafeLine installation directory:
cd /data/safeline/
In the detect service, add the ports section:
detect:
  ...
  ports:
    - 8000:8000
This publishes the detector's TCP port on the host so that APISIX can reach it. Then restart SafeLine:
docker compose down
docker compose up -d
Optional: Change SafeLine Management Port
If both APISIX and SafeLine are on the same machine, they'll conflict on port 9443.
Edit the .env file in the SafeLine directory:
MGT_PORT=9444
Restart SafeLine again to apply the new port.
Step 3: Install APISIX (Docker Method)
Clone and run APISIX using Docker:
git clone https://github.com/apache/apisix-docker
cd apisix-docker/compose
echo 'APISIX_DOCKER_TAG=3.5.0-debian' >> .env
docker compose -f docker-compose-release.yaml up -d
- Business endpoint: http://127.0.0.1:9080/
- Admin API: http://127.0.0.1:9180/
Step 4: Connect SafeLine to APISIX
Use the Admin API to bind SafeLine's detector engine to APISIX. Replace 192.168.99.11 with your SafeLine host IP. The X-API-KEY value below is the default Admin API key that APISIX ships with; if you changed it in config.yaml, use your own key instead.
curl http://127.0.0.1:9180/apisix/admin/plugin_metadata/chaitin-waf \
  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
  -X PUT -d '
{
  "nodes": [
    {
      "host": "192.168.99.11",
      "port": 8000
    }
  ]
}'
Step 5: Create an APISIX Route with WAF Enabled
Replace 192.168.99.12:80 with your upstream server address.
curl http://127.0.0.1:9180/apisix/admin/routes/1 \
  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
  -X PUT -d '
{
  "uri": "/*",
  "plugins": {
    "chaitin-waf": {}
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "192.168.99.12:80": 1
    }
  }
}'
Step 6: Test the Protection
Normal request:
curl 'http://127.0.0.1:9080/'
Simulate an SQL injection attack:
curl 'http://127.0.0.1:9080/' -d 'a=1 and 1=1'
Expected response:
{
"code": 403,
"success": false,
"message": "blocked by Chaitin SafeLine Web Application Firewall",
"event_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
You’ll also see this event logged in the SafeLine dashboard.
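As an added example (not part of the original post, and not code from the APISIX or SafeLine projects), the POSIX shell script below carries Steps 4 to 6 out as one checked procedure: it writes the plugin metadata and the protected route through the Admin API, failing on any non-2xx answer, and then probes the gateway with a benign request and with the tutorial's test payload, classifying each answer as allowed, blocked, or unexpected. The hosts, ports and upstream default to the tutorial's sample values and can be overridden through the environment; the default Admin API key is the one APISIX ships with, so set APISIX_ADMIN_KEY to your own key if you changed it. The functions json_field, waf_verdict, request and check are this example's own helpers, not part of either product.

```shell
#!/bin/sh
# Added example (not from the original tutorial or from APISIX/SafeLine):
# provisions the chaitin-waf plugin metadata and a protected route through the
# APISIX Admin API, then verifies the gateway's behaviour on a benign request
# and on the tutorial's SQL injection test payload. Hosts and ports default to
# the tutorial's sample values; override them through the environment.
set -eu

ADMIN_API="${APISIX_ADMIN_API:-http://127.0.0.1:9180}"
GATEWAY="${APISIX_GATEWAY:-http://127.0.0.1:9080}"
# edd1c9f0... is the Admin API key APISIX ships with; set APISIX_ADMIN_KEY to
# the value you configured in config.yaml instead of relying on the default.
ADMIN_KEY="${APISIX_ADMIN_KEY:-edd1c9f034335f136f87ad84b625c8f1}"
SAFELINE_HOST="${SAFELINE_HOST:-192.168.99.11}"   # SafeLine detector host
UPSTREAM="${UPSTREAM:-192.168.99.12:80}"          # protected backend

# admin_put PATH BODY: PUT a JSON document to the Admin API; -f makes curl
# exit non-zero on 4xx/5xx, so a wrong key or a bad body stops the script.
admin_put() {
  curl -sSf -X PUT "$ADMIN_API/apisix/admin/$1" \
    -H "X-API-KEY: $ADMIN_KEY" -H 'Content-Type: application/json' -d "$2"
  echo
}

# provision: Step 4 (bind the detector) and Step 5 (route with WAF enabled).
provision() {
  admin_put plugin_metadata/chaitin-waf \
    "$(printf '{"nodes":[{"host":"%s","port":8000}]}' "$SAFELINE_HOST")"
  admin_put routes/1 \
    "$(printf '{"uri":"/*","plugins":{"chaitin-waf":{}},"upstream":{"type":"roundrobin","nodes":{"%s":1}}}' "$UPSTREAM")"
}

# request URL [DATA]: print the response body, then the HTTP status code on a
# final line of its own so the caller can split the two.
request() {
  if [ $# -ge 2 ]; then
    curl -sS -w '\n%{http_code}' "$1" -d "$2"
  else
    curl -sS -w '\n%{http_code}' "$1"
  fi
}

# json_field KEY BODY: pull one scalar out of a flat JSON object without jq
# (enough for SafeLine's block response, which is a flat object).
json_field() {
  printf '%s\n' "$2" |
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# waf_verdict STATUS BODY: "blocked" only when the 403 carries SafeLine's JSON
# block response; a bare 403 from the upstream is reported as "unexpected".
waf_verdict() {
  if [ "$1" = 403 ] && [ "$(json_field code "$2")" = 403 ]; then
    echo blocked
  elif [ "$1" = 200 ]; then
    echo allowed
  else
    echo unexpected
  fi
}

# check LABEL EXPECTED URL [DATA]: one probe against the gateway.
check() {
  label=$1; expected=$2; shift 2
  out=$(request "$@")
  status=$(printf '%s\n' "$out" | tail -n 1)
  body=$(printf '%s\n' "$out" | sed '$d')
  verdict=$(waf_verdict "$status" "$body")
  if [ "$verdict" != "$expected" ]; then
    echo "FAIL $label: expected $expected, got $verdict (HTTP $status)" >&2
    return 1
  fi
  echo "ok   $label: $verdict (HTTP $status) $(json_field event_id "$body")"
}

# verify: Step 6, a benign GET and the tutorial's injection payload.
verify() {
  check "benign GET" allowed "$GATEWAY/"
  check "sqli payload" blocked "$GATEWAY/" 'a=1 and 1=1'
}

case "${1:-}" in
  provision) provision ;;
  verify)    verify ;;
  all)       provision; verify ;;
  *)         echo "usage: $0 provision|verify|all" >&2 ;;
esac
```

Run it as `sh safeline_smoke.sh all` once SafeLine and APISIX are up; the verdict logic deliberately treats a 403 without SafeLine's JSON body as unexpected, so a backend that happens to return 403 on its own is not mistaken for a working WAF.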
Final Tip: Re-enable Local WAF Site Protection
After switching the detector to TCP, the site-based protection you configure in SafeLine's own UI won't work, because SafeLine's bundled NGINX still points at the old Unix socket. Update its NGINX config as follows.
1. Duplicate config file:
cp /data/safeline/resources/nginx/safeline_unix.conf /data/safeline/resources/nginx/safeline_http.conf
2. Edit nginx.conf:
Comment out the old config and include the new one:
# include /etc/nginx/safeline_unix.conf;
include /etc/nginx/safeline_http.conf;
3. Get the detector's internal IP:
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' safeline-detector
4. Modify safeline_http.conf:
upstream detector_server {
  keepalive 256;
  #server unix:/resources/detector/snserver.sock;
  server DETECTOR_IP:8000; # Replace with IP from step 3
}
Restart SafeLine again to take effect.
You're Done!
You now have a full API security stack with:
- APISIX as your blazing fast API gateway
- SafeLine WAF analyzing every request in real-time
Let the bots try — they won’t get far.