A practical step-by-step guide to adding SafeLine WAF to your Kubernetes Ingress-nginx deployment.
Overview
SafeLine WAF is a professional open-source Web Application Firewall (WAF) developed by Chaitin Tech. Unlike traditional rule-based WAFs, SafeLine uses semantic-aware detection algorithms to accurately identify attacks like XSS, SQLi, and 0-days, with significantly fewer false positives.
In this article, we'll walk through how to integrate SafeLine WAF into an existing Ingress-nginx setup in Kubernetes, from installation to plugin injection and troubleshooting.
Step 0: Manual Installation of SafeLine WAF
You can deploy SafeLine either inside your K8s cluster or on any external node that can communicate with your cluster. What matters is that every node running the Ingress-nginx controller can reach the SafeLine detection engine port (TCP 8000 after Step 1), since the plugin connects to it from each controller pod.
Official install docs: Manual Installation Guide
1. Prepare directory
mkdir -p /data/safeline
2. Download Docker Compose script
cd /data/safeline
wget "https://waf-ce.chaitin.cn/release/latest/compose.yaml"
3. Create .env config
cd /data/safeline
touch .env
Edit `.env` and insert the following. The `POSTGRES_PASSWORD` below is the guide's placeholder and appears in every copy of this tutorial; replace it with a long random secret of your own before the first `docker compose up`, and keep the management port (`MGT_PORT`, 9443) reachable only from your admin network:
SAFELINE_DIR=/data/safeline
IMAGE_TAG=latest
MGT_PORT=9443
# placeholder value: replace with a long random secret
POSTGRES_PASSWORD=Aa87654321
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline
4. Download and load Docker images
cd /data/safeline
wget https://demo.waf-ce.chaitin.cn/image.tar.gz
cat image.tar.gz | gzip -d | docker load
5. Start SafeLine
cd /data/safeline
docker compose up -d
6. Initialize admin account
docker exec safeline-mgt resetadmin
Step 1: Switch Detection Engine to TCP Mode
By default, the SafeLine detection engine listens on a UNIX socket, which only containers on the same host can reach. The Ingress-nginx plugin talks to the engine over TCP, so the engine has to be switched to a TCP listener.
1. Edit detector.yml
# /data/safeline/resources/detector/detector.yml
bind_addr: 0.0.0.0
listen_port: 8000
2. Expose TCP Port in compose.yaml
Note that `8000:8000` publishes the engine on every interface of the host, and the plugin is configured with nothing but a host and a port, so anything that can reach the port can submit requests to the engine. Prefer binding to the address your ingress nodes use (`<SafeLine-IP>:8000:8000`) and restrict the port to those nodes with a firewall or security group.
# /data/safeline/compose.yaml
detect:
...
ports:
- 8000:8000
3. Restart SafeLine
cd /data/safeline
docker compose down
docker compose up -d
4. Verify Connectivity
Run the check from a node that hosts the Ingress-nginx controller, because that is where the plugin will connect from; a successful check from the SafeLine host itself proves nothing about the path from the cluster.
tcping <SafeLine-IP> 8000
# Example:
# 172.30.233.87:8000 - Connected - 40.317ms
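The following script is an added example, not code from the original post or from the SafeLine project. It performs the host-side preparation of Steps 0 and 1 in one place, but with the two changes a practitioner would want: the `.env` gets a random `POSTGRES_PASSWORD` instead of the placeholder, and the detector port is published on a single interface through a `compose.override.yaml` (merged automatically by `docker compose`) rather than by editing the downloaded `compose.yaml`. It assumes the compose service is named `detect`, as shown above, and that `BIND_IP` is the SafeLine host address the ingress nodes use (the post's example address is the default). The image download and `docker compose up` steps are left to you exactly as the post lists them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the SafeLine project).
# Prepares the SafeLine host as in Steps 0 and 1, with a random
# POSTGRES_PASSWORD instead of the placeholder and the detector port
# published on one interface via a compose override.
# Assumptions: compose service "detect" (as in the post); BIND_IP is the
# SafeLine host address the ingress nodes use (post's example IP by default).
set -eu

SAFELINE_DIR="${SAFELINE_DIR:-/data/safeline}"
BIND_IP="${BIND_IP:-172.30.233.87}"
DETECT_PORT="${DETECT_PORT:-8000}"

# 32 hex characters from the kernel CSPRNG; no openssl dependency.
random_secret() {
  od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Write .env with a fresh password. Refuses to overwrite: rewriting it on a
# running install would desynchronise the password from the Postgres volume.
write_env() {
  local dir="$1"
  if [ -e "$dir/.env" ]; then
    echo "refusing to overwrite $dir/.env" >&2
    return 1
  fi
  # umask in a subshell so only this file is created owner-readable.
  (
    umask 077
    cat >"$dir/.env" <<EOF
SAFELINE_DIR=$dir
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=$(random_secret)
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline
EOF
  )
}

# Sanity-check an .env: every key present, password neither the placeholder nor short.
check_env() {
  local file="$1" key pw
  for key in SAFELINE_DIR IMAGE_TAG MGT_PORT POSTGRES_PASSWORD SUBNET_PREFIX IMAGE_PREFIX; do
    grep -q "^$key=" "$file" || { echo "$file: missing $key" >&2; return 1; }
  done
  pw="$(sed -n 's/^POSTGRES_PASSWORD=//p' "$file")"
  case "$pw" in
    ""|Aa87654321) echo "$file: POSTGRES_PASSWORD is empty or the guide's placeholder" >&2; return 1 ;;
  esac
  [ "${#pw}" -ge 16 ] || { echo "$file: POSTGRES_PASSWORD shorter than 16 characters" >&2; return 1; }
}

# Step 1.1: the engine binds all interfaces *inside its container*; what the
# host exposes is decided by the compose port mapping, not by this file.
write_detector_config() {
  local dir="$1"
  mkdir -p "$dir/resources/detector"
  printf 'bind_addr: 0.0.0.0\nlisten_port: %s\n' "$DETECT_PORT" \
    >"$dir/resources/detector/detector.yml"
}

# Step 1.2 via compose.override.yaml, which `docker compose` merges on its own
# and which survives re-downloading compose.yaml. "8000:8000" would publish on
# every interface; "<ip>:8000:8000" limits it to the network the ingress nodes use.
write_compose_override() {
  local dir="$1"
  cat >"$dir/compose.override.yaml" <<EOF
services:
  detect:
    ports:
      - "${BIND_IP}:${DETECT_PORT}:${DETECT_PORT}"
EOF
}

# Step 1.4 without tcping: run this from an ingress node, not from the SafeLine host.
detector_reachable() {
  local host="$1" port="$2"
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$host" "$port"
  else
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port"
  fi
}

if [ "${1:-}" = "setup" ]; then
  mkdir -p "$SAFELINE_DIR"
  write_env "$SAFELINE_DIR"
  check_env "$SAFELINE_DIR/.env"
  write_detector_config "$SAFELINE_DIR"
  write_compose_override "$SAFELINE_DIR"
  echo "next: cd $SAFELINE_DIR && docker compose up -d"
fi
```

Run it as `BIND_IP=<SafeLine-IP> ./safeline-host.sh setup` before Step 0.4, then continue with the image download and `docker compose up -d`; afterwards `detector_reachable <SafeLine-IP> 8000` from an ingress node replaces the tcping check. Because the override only adds a `ports` entry to the `detect` service, a later `docker compose down && docker compose up -d` (Step 1.3) keeps working unchanged.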
Step 2: Ingress-nginx Integration
1. Create ConfigMap for Engine Address
# safeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: safeline
namespace: ingress-nginx
data:
host: "172.30.233.87" # SafeLine detection engine address
port: "8000" # Detection engine port
# Create the ConfigMap. The namespace already exists once Ingress-nginx is installed,
# so the first command will report AlreadyExists; that is harmless, or simply skip it.
kubectl create namespace ingress-nginx
kubectl apply -f safeline.yaml
2. Inject Environment Variables into DaemonSet
Edit your Ingress-nginx DaemonSet (`kubectl edit daemonset nginx-ingress-controller -n ingress-nginx`) and add the following to the controller container under `spec.template.spec.containers`, keeping any environment variables that are already there:
env:
- name: SAFELINE_HOST
valueFrom:
configMapKeyRef:
name: safeline
key: host
- name: SAFELINE_PORT
valueFrom:
configMapKeyRef:
name: safeline
key: port
3. Build Custom Ingress-nginx with SafeLine Plugin
Create Dockerfile:
# Base image: pin this to the Ingress-nginx version you already run; the plugin
# is loaded from /etc/nginx/lua/plugins/, which the controller image provides.
FROM rancher/nginx-ingress-controller:nginx-0.49.3-rancher1
# Root is required only for package installation.
USER root
RUN apk add --no-cache make gcc unzip wget
# Build LuaRocks from source so the SafeLine plugin can be installed as a rock.
RUN wget https://luarocks.org/releases/luarocks-3.11.0.tar.gz && \
    tar zxpf luarocks-3.11.0.tar.gz && \
    cd luarocks-3.11.0 && \
    ./configure && \
    make && \
    make install && \
    cd .. && \
    rm -rf luarocks-3.11.0*
# Install the plugin and link it into the plugin directory under the name
# ("safeline") that the controller's "plugins" ConfigMap key refers to.
RUN luarocks install ingress-nginx-safeline && \
    ln -s /usr/local/share/lua/5.1/safeline /etc/nginx/lua/plugins/safeline
# Return to the unprivileged user the controller runs as.
USER www-data
Build the image and push it to a registry every node can pull from (or load it onto every node); the tag you choose here must be exactly what you put in the DaemonSet in the next step:
docker build -t nginx-ingress-controller-waf:nginx-1.1.0-rancher1 .
4. Replace Existing DaemonSet Image
kubectl edit daemonset nginx-ingress-controller -n ingress-nginx
# Change image:
# image: nginx-ingress-controller-waf:nginx-1.1.0-rancher1
5. Enable the Plugin
Add `plugins: "safeline"` to the ConfigMap the controller actually reads, which is the one named in its `--configmap` startup argument; the manifest below assumes it is called `ingress-nginx-controller`. `plugins` is a comma-separated list, so keep any plugins that are already enabled, and merge the key into the existing ConfigMap rather than replacing the object.
# ingress-nginx-controller config
apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-nginx-controller
namespace: ingress-nginx
data:
plugins: "safeline"
6. Test the Integration
Send a request carrying an obvious SQL injection payload through the ingress (replace the host with one of your ingress hostnames). Also confirm that a normal request to the same path still returns 200, so you know the 403 comes from the WAF and not from a broken backend:
curl "http://xxxxx.com/login?user=admin%27or%201%3D1"
# Expected response:
# {
# "code": 403,
# "success": false,
# "message": "blocked by Chaitin SafeLine Web Application Firewall",
# "event_id": "cd4642c861834b58991f883916ffe73e"
# }
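The script below is an added example and not code from the original post. It carries out the Ingress-nginx side of Step 2 with `kubectl` patches instead of interactive edits, so the change is repeatable and survives being run twice, and it wraps the Step 2.6 probe in a function that says what the response means. It assumes the names used above (namespace `ingress-nginx`, DaemonSet `nginx-ingress-controller`, controller ConfigMap `ingress-nginx-controller`, engine address `172.30.233.87:8000`) and a hypothetical registry path in `IMAGE` where the image built in Step 2.3 was pushed; override any of them through the environment.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Step 2 applied with kubectl
# patches, plus the Step 2.6 probe as a function that classifies the answer.
# Assumptions: names follow the post (namespace ingress-nginx, DaemonSet
# nginx-ingress-controller, controller ConfigMap ingress-nginx-controller,
# engine 172.30.233.87:8000); IMAGE is a hypothetical registry path.
set -eu

NS="${NS:-ingress-nginx}"
DS="${DS:-nginx-ingress-controller}"
CTRL_CM="${CTRL_CM:-ingress-nginx-controller}"
SAFELINE_HOST="${SAFELINE_HOST:-172.30.233.87}"
SAFELINE_PORT="${SAFELINE_PORT:-8000}"
IMAGE="${IMAGE:-registry.example.com/nginx-ingress-controller-waf:nginx-1.1.0-rancher1}"

# Strategic merge patch covering Steps 2.2 and 2.4. containers[] and env[]
# merge on "name", so other containers, env vars and fields are preserved
# and re-applying the patch is a no-op.
daemonset_patch() {
  local container="$1" image="$2"
  cat <<EOF
{"spec":{"template":{"spec":{"containers":[{
  "name":"$container","image":"$image",
  "env":[
    {"name":"SAFELINE_HOST","valueFrom":{"configMapKeyRef":{"name":"safeline","key":"host"}}},
    {"name":"SAFELINE_PORT","valueFrom":{"configMapKeyRef":{"name":"safeline","key":"port"}}}
  ]}]}}}}
EOF
}

apply_integration() {
  local container
  # Step 2.1, idempotent: works whether or not the ConfigMap exists and never
  # tries to create the namespace that Ingress-nginx already owns.
  kubectl create configmap safeline -n "$NS" \
    --from-literal=host="$SAFELINE_HOST" --from-literal=port="$SAFELINE_PORT" \
    --dry-run=client -o yaml | kubectl apply -f -
  # Read the controller container's name instead of guessing it.
  container="$(kubectl get daemonset "$DS" -n "$NS" \
    -o jsonpath='{.spec.template.spec.containers[0].name}')"
  kubectl patch daemonset "$DS" -n "$NS" --type strategic \
    -p "$(daemonset_patch "$container" "$IMAGE")"
  # Step 2.5: "plugins" is a comma-separated list; this overwrites any existing value.
  kubectl patch configmap "$CTRL_CM" -n "$NS" -p '{"data":{"plugins":"safeline"}}'
  kubectl rollout status daemonset "$DS" -n "$NS" --timeout=300s
  # The post's troubleshooting check, non-interactively.
  kubectl exec "daemonset/$DS" -n "$NS" -- env | grep '^SAFELINE_'
}

# Interpret one probe response. Return codes: 0 blocked by SafeLine,
# 1 the request went through, 2 something other than SafeLine answered.
classify_response() {
  local status="$1" body="$2" event_id
  case "$status" in
    403)
      case "$body" in
        *"blocked by Chaitin SafeLine"*)
          event_id="$(printf '%s' "$body" | sed -n 's/.*"event_id": *"\([^"]*\)".*/\1/p')"
          echo "blocked: event_id=$event_id"; return 0 ;;
        *) echo "403 from something other than SafeLine (auth rule or upstream?)"; return 2 ;;
      esac ;;
    200) echo "request passed: plugin not loaded, or engine unreachable (check controller logs)"; return 1 ;;
    *) echo "unexpected status $status"; return 2 ;;
  esac
}

# Step 2.6: send the SQLi probe and classify the answer.
waf_probe() {
  local base="$1" body status rc
  body="$(mktemp)"
  status="$(curl -s -o "$body" -w '%{http_code}' "$base/login?user=admin%27or%201%3D1")"
  if classify_response "$status" "$(cat "$body")"; then rc=0; else rc=$?; fi
  rm -f "$body"
  return "$rc"
}

case "${1:-}" in
  apply) apply_integration ;;
  probe) waf_probe "${2:?usage: $0 probe http://<ingress-host>}" ;;
esac
```

Use `./safeline-ingress.sh apply` once the WAF image is pullable, then `./safeline-ingress.sh probe http://<ingress-host>`; the exit code distinguishes a SafeLine block (0) from a request that passed (1) and from a 403 produced by something else (2), which is the distinction the troubleshooting section below is about.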
Troubleshooting Tips
If the WAF doesn't seem to block requests:
- Check controller logs:
kubectl logs <pod-name> -n ingress-nginx
- Inspect env vars inside the container (the two `echo` commands run in the shell opened by `kubectl exec`; `kubectl exec <pod-name> -n ingress-nginx -- env | grep SAFELINE` gives the same answer without an interactive shell):
kubectl exec -it <pod-name> -n ingress-nginx -- bash
echo $SAFELINE_HOST
echo $SAFELINE_PORT
You should see:
172.30.233.87
8000
- Check from the node running that pod that the engine port is reachable (Step 1.4), and that `plugins: "safeline"` is set in the ConfigMap the controller actually reads (Step 2.5).
Final Thoughts
This guide shows how to enhance Kubernetes ingress security by integrating SafeLine WAF with Ingress-nginx. Once configured, SafeLine provides powerful real-time protection and customizable rules to stop attacks at the edge of your cluster.
If you're using Ingress-nginx and want full visibility into malicious traffic, this is a must-have upgrade for your setup.