CodeNewbie Community 🌱

Sharon428931

SafeLine WAF's Hidden Config: Understanding the .env File

SafeLine is a free and open-source Web Application Firewall (WAF) that’s fast to deploy and easy to use. Whether you're running a personal website or managing cloud-native services, SafeLine helps protect your web apps against modern attacks—without needing to write a single line of code.

It filters and monitors all HTTP traffic between users and your application, shielding your services from a wide range of threats like:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Code/Command Injection
  • CRLF, LDAP, XPath Injection
  • RCE, XXE, SSRF
  • Path Traversal
  • Backdoors
  • Brute-force attacks
  • Web crawlers / scrapers
  • CC attacks and more

But did you know that one of the most important parts of SafeLine is actually... a hidden file?

Let’s take a look at the .env file inside the SafeLine installation directory and break down what it does.


Sample .env File


SAFELINE_DIR=/data/safeline
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=7Y2WuXYxWQfquUWzo8wE0xIPvrtTrRTS
REDIS_PASSWORD=vVIBGagmn9VW1M9ikttGlsgy8SovwGqM
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline

What Each Variable Means

SAFELINE_DIR=/data/safeline

This defines the directory on the host machine where SafeLine stores its data and config files.

✅ Ensures data persists across container restarts.


IMAGE_TAG=latest

Specifies the Docker image version to use.

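✅ Setting it to latest means Docker pulls whichever image is tagged latest at the time of the pull, so the version you run can change between pulls. Pin a specific version tag if you need reproducible deployments.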


MGT_PORT=9443

Sets the port for the SafeLine web management UI.

✅ The default is 9443, and you can access the dashboard via https://<host>:9443.


POSTGRES_PASSWORD=...

Defines the password used by SafeLine to connect to its PostgreSQL database.

✅ This value should be kept secure: it sits in the .env file in plaintext, so restrict read access to that file.


REDIS_PASSWORD=...

Sets the password for the Redis instance used by SafeLine.

✅ Redis handles session and cache data, so, as with the PostgreSQL password, keep this value secure.


SUBNET_PREFIX=172.22.222

Defines the subnet prefix used for Docker networking.

✅ It helps assign static IPs to individual containers in SafeLine.


IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline

Specifies the Docker image registry path from which SafeLine images are pulled.

✅ In this case, it's hosted on Huawei Cloud.


Customizing SafeLine

These values are the default settings, but you’re free to modify them as needed. Want to change the default port? Use a different subnet? Point to a private image registry? Just edit the .env file and restart your containers.

This gives you full control over how SafeLine runs in your environment—whether it’s a personal VPS or part of a large-scale cloud deployment.


Why This Matters

Most users ignore the .env file—but in SafeLine, it’s the central place to configure paths, credentials, networking, and image sources.

Understanding these variables allows you to:

  • Avoid port conflicts
  • Use custom passwords for better security
  • Run SafeLine in air-gapped or enterprise environments
  • Tune network settings for container communication

Take five minutes to review your .env—you might save hours down the road.
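
A small audit of the variables described above, as an added example that is not part of the original post or the SafeLine project: it flags a group- or world-readable .env, an unpinned IMAGE_TAG, passwords copied from this page's sample or shorter than an assumed minimum, an invalid MGT_PORT, and a SUBNET_PREFIX outside private address space. The function names, the 24-character threshold and the reading of SUBNET_PREFIX as the first three octets of a /24 are assumptions.

```python
import ipaddress
import os
import stat

# Passwords printed in the sample .env on this page: published, so no longer secret.
PUBLISHED = {"7Y2WuXYxWQfquUWzo8wE0xIPvrtTrRTS", "vVIBGagmn9VW1M9ikttGlsgy8SovwGqM"}
MIN_SECRET_LEN = 24  # assumed policy threshold, not a SafeLine requirement


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and # comments, strip optional quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env


def audit_env(path):
    """Return a list of (variable, problem) findings for a SafeLine-style .env file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("file", f"mode {mode:o} exposes secrets to group/other; use 600"))
    with open(path, encoding="utf-8") as fh:
        env = parse_env(fh.read())
    if env.get("IMAGE_TAG", "latest") == "latest":
        findings.append(("IMAGE_TAG", "unpinned tag; the image can change between pulls"))
    for key in ("POSTGRES_PASSWORD", "REDIS_PASSWORD"):
        secret = env.get(key, "")
        if secret in PUBLISHED:
            findings.append((key, "value copied from a published sample"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((key, f"missing or shorter than {MIN_SECRET_LEN} characters"))
    if env.get("POSTGRES_PASSWORD") and env.get("POSTGRES_PASSWORD") == env.get("REDIS_PASSWORD"):
        findings.append(("REDIS_PASSWORD", "same secret reused for PostgreSQL and Redis"))
    port = env.get("MGT_PORT", "")
    if not (port.isdecimal() and 1 <= int(port) <= 65535):
        findings.append(("MGT_PORT", "not a valid TCP port"))
    try:  # assumption: the prefix is three octets that form a /24
        net = ipaddress.ip_network(env.get("SUBNET_PREFIX", "") + ".0/24")
        if not net.is_private:
            findings.append(("SUBNET_PREFIX", f"{net} is not private address space"))
    except ValueError:
        findings.append(("SUBNET_PREFIX", "expected three octets such as 172.22.222"))
    return findings
```

Call audit_env() with the path to the .env in your SafeLine installation directory; an empty list means none of these checks fired.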

