SafeLine WAF (Web Application Firewall) is a powerful, open-source tool for securing your web applications against various types of attacks. In this guide, weβll walk through how to log in to SafeLine, explore multiple deployment methods, and perform basic security testing.
1. Logging Into SafeLine
To access the SafeLine dashboard, open your browser and visit:
https://<waf-ip>:9443
Make sure your browser allows self-signed certificates if you're running a local or test deployment.
2. SafeLine Deployment Methods
SafeLine supports multiple deployment strategies to suit different infrastructures. Below are three common setups.
2.1 Deploying SafeLine on a Separate Device
This is the recommended approach. Deploy SafeLine on a dedicated machine and route all web traffic through it to filter out malicious requests before they reach your web server.
Steps:
- Point your domain (via DNS) to SafeLineβs IP.
- Block direct access to the origin web server using firewall rules or private networks.
Example Setup:
-
SafeLine IP:
192.168.65.8(www.waf.ct) -
Web Server IP:
192.168.65.4(www.server.ct)
Nginx Configuration (SafeLine):
upstream backend_monitor_servers {
server 192.168.65.4:80;
}
server {
listen 81;
server_name www.waf.ct;
location / {
limit_req zone=five burst=10;
proxy_pass http://backend_monitor_servers;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;
add_header Strict-Transport-Security "max-age=31536000";
}
access_log /data/log/nginx/access.log;
error_log /data/log/nginx/error.log;
}
Test It:
You can simulate an SQL injection attempt to test SafeLine's detection:
curl -v "http://www.waf.ct?id=1'union select * from dps"
2.2 Deploying SafeLine on the Same Machine (Not Recommended)
While possible, running SafeLine on the same host as your web server is not ideal due to potential resource conflicts and operational risks.
Steps:
- Change your web server to listen on a non-standard port (e.g.,
8080). - Let SafeLine listen on ports
80and443to act as the frontend. - Restrict direct access to your web server to
localhost.
Example:
- Web app listens on port 8080
- SafeLine listens on port 80 and 443, and proxies traffic to your web server.
Test:
Run the following command to test the configuration:
curl -H "Host: <domain>" http://<SafeLine IP>:<SafeLine lisenting port>
For example:
curl -H "Host: 192.168.65.8" http://192.168.65.8:80
If your web app responds and the "Today's Visit Count" metric increases in the dashboard, the setup is successful.
2.3 Deploying SafeLine with Other Reverse Proxies
You can also integrate SafeLine as part of a multi-proxy chain. In this case, SafeLine sits between your upstream proxy/load balancer and the backend server.
Configuration Tip:
- Just configure SafeLine to receive traffic from the previous proxy and set the "Upstream Server" to the next hop IP or domain.
Conclusion
SafeLine offers flexible deployment options to match your infrastructure, including:
- Dedicated standalone mode
- Inline on the same host (for testing)
- Alongside other reverse proxy systems
No matter your architecture, SafeLine can help protect your applications from real-world attacks. Choose the setup that fits your environment best β and start securing your traffic today.
Top comments (2)
Thanks for the detailed setup guide! SafeLine looks like a solid open-source WAF for beginners and pros alike. Its flexibility with deployment methods makes it ideal for many use cases, especially in production environments. For those who find configuring Nginx and WAFs tricky, itβs a smart move to hire React developer or a web security expert to help integrate SafeLine smoothly with your application. Great work sharing this hands-on walkthrough!
SafeLine is extremely useful for those who need to use information quickly in a short time. This also raises concerns about whether all the features Poor Bunny are fully utilized or not?