CodeNewbie Community 🌱

Sharon428931

How We Built Load Balancing and Failover Into SafeLine WAF

To boost our internal network security, we decided to deploy SafeLine alongside our existing hardware WAF. Acting as a software-based WAF within our infrastructure, SafeLine enabled us to build a multi-layered protection system.

During testing, we noticed that SafeLine’s upstream forwarding is based on Tengine, a high-performance web server built on Nginx. That sparked an idea: what if we use SafeLine not only as a WAF, but also for load balancing and automatic failover?

Here's a step-by-step breakdown of how we made it work.


1. Setting Up a Test HTTP Server

We first created two basic HTTP servers for testing. The only requirement is a /status route that always returns 200 OK.

Here’s the Go code we used:

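package main

import (
    "fmt"
    "log"
    "net/http"
    "os"
)

// Hello1Handler identifies the backend listening on port 8001.
func Hello1Handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "I am 11111")
}

// Hello2Handler identifies the backend listening on port 8002.
func Hello2Handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "I am 22222")
}

// check answers the health probe on /status with 200 OK.
func check(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "check")
}

func main() {
    // Any command-line argument starts server 1 (port 8001);
    // no argument starts server 2 (port 8002).
    if len(os.Args) > 1 {
        http.HandleFunc("/hello", Hello1Handler)
        http.HandleFunc("/status", check)
        // ListenAndServe only returns on failure (e.g. port in use), so log it and exit.
        log.Fatal(http.ListenAndServe(":8001", nil))
    } else {
        http.HandleFunc("/hello", Hello2Handler)
        http.HandleFunc("/status", check)
        log.Fatal(http.ListenAndServe(":8002", nil))
    }
}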

Run both versions of the service: start it with any command-line argument to listen on port 8001, and with no arguments to listen on port 8002.


2. Initial SafeLine WAF Setup

Within SafeLine’s admin UI, create a new site and point the upstream to one of the test servers (e.g., port 8001).

Test the configuration by sending a few requests — they should route properly to your first test server.


3. Modifying SafeLine’s Nginx Configuration

Now it’s time to tweak SafeLine’s internal Nginx config to support load balancing with health checks.

Navigate to:

/data/safeline/resources/nginx/sites-enabled

Each configured site creates a file named like IF_backend_*.conf. Identify your target site’s file (by checking its port or using cat).

In our case, the config file was IF_backend_2.

Edit this file to define an upstream block that includes both servers (8001 and 8002), and add an upstream server to enable health-check-based load balancing.

Here’s a basic configuration, but feel free to customize it according to your needs:


4. Validating and Reloading Nginx

Once you’ve edited the config, validate it by running:

docker exec safeline-tengine nginx -t

If the output confirms the configuration is valid, reload Nginx to apply the changes:

docker exec safeline-tengine nginx -s reload

5. Testing Load Balancing & Failover

Load Balancing Test

With equal weights, SafeLine should now distribute traffic evenly between the servers on ports 8001 and 8002.

Failover Test

Stop the service on port 8002. All traffic will automatically shift to port 8001, confirming that your failover logic is working as expected.


Conclusion

Thanks to its tight integration with Tengine (a powerful Nginx fork), SafeLine WAF isn’t just a security tool — it can also act as a load balancer with built-in health checks and failover.

With a few manual tweaks, you can unlock more advanced networking capabilities from SafeLine, helping you achieve both multi-WAF defense and high availability.

SafeLine’s built-in Nginx is highly flexible — go ahead and explore more!


Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.
