Most developers know SafeLine WAF as a free, self-hosted web application firewall. But here’s something you might not expect: thanks to its Tengine (an Nginx fork) core, SafeLine can also double as a load balancer with automatic failover.
That means you don’t just get multi-WAF defense for free — you can also improve availability and traffic distribution without adding extra infrastructure.
Here’s how we made SafeLine work as both a WAF and load balancer.
1. Setting Up a Test HTTP Server
We first created two basic HTTP servers for testing. The only requirement is a /status route that always returns 200 OK.
Here’s the Go code we used:
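package main

import (
	"fmt"
	"log"
	"net/http"
	"os"
)

// Hello1Handler identifies the first test server (port 8001).
func Hello1Handler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "I am 11111")
}

// Hello2Handler identifies the second test server (port 8002).
func Hello2Handler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "I am 22222")
}

// check is the health-check endpoint; it always answers 200 OK.
func check(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "check")
}

func main() {
	// Both servers expose the same /status route.
	http.HandleFunc("/status", check)
	if len(os.Args) > 1 {
		// Any command-line argument selects the first server.
		http.HandleFunc("/hello", Hello1Handler)
		log.Fatal(http.ListenAndServe(":8001", nil))
	} else {
		// No argument: run as the second server.
		http.HandleFunc("/hello", Hello2Handler)
		log.Fatal(http.ListenAndServe(":8002", nil))
	}
}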
Run both versions of the service: start it with any command-line argument to listen on port 8001, and with no arguments to listen on port 8002.
2. Initial SafeLine WAF Setup
Inside the SafeLine admin UI, create a new site and point the upstream to one of the test servers (e.g., port 8001).
Test the configuration by sending a few requests — they should route properly to your first test server.
3. Modifying SafeLine’s Nginx Configuration
Now it’s time to tweak SafeLine’s internal Nginx config to support load balancing with health checks.
Navigate to:
/data/safeline/resources/nginx/sites-enabled
Each configured site creates a file named like IF_backend_*.conf.
Identify your target site’s file (by checking its port or using cat).
In our case, the config file was IF_backend_2.
Edit this file to define an upstream block that includes both servers (8001 and 8002), and add an upstream server to enable health-check-based load balancing.
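A sketch of what such an upstream block can look like, as an added example rather than the configuration from the original post or one generated by SafeLine. It uses the directives of Tengine's upstream health check module (check, check_http_send, check_http_expect_alive); the upstream name backend_2, the 192.0.2.10 placeholder address, the timing values, and the presence of that module in SafeLine's Tengine build are assumptions.

```nginx
# Added example. "backend_2" and 192.0.2.10 are placeholders: keep the
# upstream name your site file already uses and substitute the address
# where the two test servers actually listen.
upstream backend_2 {
    # Equal weights: requests alternate between the two test servers.
    server 192.0.2.10:8001 weight=1;
    server 192.0.2.10:8002 weight=1;

    # Active health check: probe every 3000 ms with a 1000 ms timeout,
    # mark a server up after 2 successful probes and down after 5 failures.
    check interval=3000 rise=2 fall=5 timeout=1000 type=http;

    # Probe the /status route that both test servers expose.
    check_http_send "GET /status HTTP/1.0\r\n\r\n";

    # Only a 2xx answer counts as healthy; /status always returns 200 OK.
    check_http_expect_alive http_2xx;
}
```

With fall=5 and a 3-second interval, a stopped backend is taken out of rotation after roughly 15 seconds of failed probes, so lower those values if failover has to be faster.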
4. Validating and Reloading Nginx
Validate your configuration:
docker exec safeline-tengine nginx -t
If valid, reload Nginx to apply the changes:
docker exec safeline-tengine nginx -s reload
5. Testing Load Balancing & Failover
Load Balancing Test
With equal weights, SafeLine should now distribute traffic evenly between the servers on ports 8001 and 8002.
Failover Test
Stop the service on port 8002. All traffic will automatically shift to port 8001, confirming that your failover logic is working as expected.
Conclusion
SafeLine isn’t only about blocking attacks — it can also help you build a more resilient network architecture. With just a few tweaks to its built-in Nginx, you get multi-WAF protection, load balancing, and failover out of the box.
If you’re already running SafeLine, give it a try. You might find it’s not just a WAF — it’s also a hidden DevOps tool in your stack.