Open Source WAF SafeLine: Offline One-Click Installation, Upgrade, and Configuration

Carrie - Sep 20 - Dev Community

Introduction

Our servers had no security configuration in place, only a basic Nginx setup that rejected malformed requests, prevented hotlinking and restricted IP addresses. Those rules were added reactively, after we had already been attacked. Since our team has no security background, our understanding of attacker behaviour is limited and we could not automate our defences, so adopting a dedicated security tool became necessary.

Research

After comparing a range of WAF tools, we found that SafeLine offers a complete ecosystem with both free and commercial editions and is continuously maintained and updated (which is crucial). Many free open-source WAFs, HTTPWAF for example, have not been updated in years.

SafeLine Community Edition

The SafeLine Community Edition (see the GitHub link at the end of this post) is derived from the enterprise version of the SafeLine Web Application Protection System. Its detection is driven by a semantic analysis algorithm developed by Chaitin. The project has open-sourced the core semantic-analysis engine and the related security plugins; the console is not open source. It provides good protection, fast iteration and a clean, user-friendly interface. It has fewer features than the enterprise edition but fully covers basic WAF needs.

For higher security demands, the professional edition offers more comprehensive protection features.

Protection Effectiveness:

  • Good protection against both common and uncommon attacks, with few false positives.
  • Advanced technology: the core is a semantic analysis algorithm, which performs better and is harder to bypass than regex rule sets.
  • Project quality: the project has all basic WAF capabilities, is partly open-sourced (engine and plugins, not the console), has fairly complete documentation, and offers a discussion group where staff respond promptly.

Community Recognition:

  • 11.9k+ stars on GitHub, with over 12,000 installations.
  • Active community with regular updates (the Community Edition is planned to be updated weekly; the enterprise edition offers better service).

Installation

SafeLine WAF offers three installation methods:

  1. Online installation: the recommended method.
  2. Offline installation: used when the server cannot reach Docker Hub.
  3. One-click installation: the simplest method.

I chose offline installation, which suits environments without external network access.

Steps:

  1. Download the Docker image package.
  2. Download the orchestration files (compose.yaml).
  3. Following the official documentation, wrap these steps in a script so that the offline installation becomes one-click.

One-Click Installation Script:

#!/bin/bash
# Offline one-click install. Run it from the upload directory that holds
# image.tar.gz, compose.yaml and this script.
set -eu
UPLOAD_DIR=$PWD

# Trailing slash is required: paths below are built as ${DIR}file
DIR=/data/docker/safeline/

echo Loading image
docker load -i image.tar.gz   # docker load decompresses .tar.gz itself

echo Creating installation directory
mkdir -p "$DIR"

echo Copying orchestration files
cp -f compose.yaml "$DIR"

echo Adding configuration
if [ -e "${DIR}.env" ]; then
  echo "${DIR}.env already exists; refusing to overwrite it (it holds the database passwords)" >&2
  exit 1
fi
gen_secret() { LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32; }
umask 077   # .env contains secrets: make it readable by the owner only
cat > "${DIR}.env" << EOF
SAFELINE_DIR=${DIR}
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=$(gen_secret)
REDIS_PASSWORD=$(gen_secret)
SUBNET_PREFIX=169.254.0
EOF

# Show the configuration without echoing the passwords to the terminal or a log
grep -v PASSWORD "${DIR}.env"

echo Starting containers
cd "$DIR" && docker-compose up -d   # compose reads .env from the project directory

# Optional clean-up of the upload directory. The first version of this script did
# "cd ..; rm -rf waf/" mid-install from a relative path; do it last, and only if
# that really is the directory we were started from.
if [ "$(basename "$UPLOAD_DIR")" = waf ]; then
  rm -rf "$UPLOAD_DIR"
fi

echo Installation successful
echo "Visit https://<server-ip>:9443 to access the SafeLine console"

Upload the image package, orchestration file and installation script to the server, then run:

chmod +x install.sh && ./install.sh
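Two pre-flight guards for the offline install, as an added example (not code from the post or from the SafeLine project). verify_package checks the copied image.tar.gz against a SHA-256 you recorded on a trusted machine before the file travelled over USB sticks or jump hosts (whether the project publishes a digest is not stated on this page; if it does not, the check still catches corruption or tampering in transit, not at the source). write_env_once creates .env with fresh secrets and mode 0600 and refuses to touch an existing one, because re-running a `cat >> .env` appends duplicate keys and mints a new POSTGRES_PASSWORD under a database volume that was initialised with the old one. The function names, the demo entry point and the stand-in package file are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the post or the SafeLine project): two pre-flight
# guards for an offline SafeLine install.
#   verify_package  - compare image.tar.gz against a SHA-256 recorded on a
#                     trusted machine before the file was copied around
#   write_env_once  - create .env with fresh secrets, refusing to touch an
#                     existing one (re-running `cat >> .env` appends duplicate
#                     keys and rotates the database password under a live DB)
set -eu

# Print the SHA-256 of a file; uses sha256sum (coreutils) or shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_package FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise
verify_package() {
  local file=$1 expected=$2 actual
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum ok: $file"
}

gen_secret() { LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32; }

# write_env_once DIR [MGT_PORT] -> writes DIR/.env (mode 0600); returns 1 if it exists
write_env_once() {
  local dir=$1 port=${2:-9443} envfile="$1/.env"
  if [ -e "$envfile" ]; then
    echo "$envfile exists; not overwriting (it holds the Postgres/Redis passwords)" >&2
    return 1
  fi
  mkdir -p "$dir"
  ( umask 077
    printf '%s\n' \
      "SAFELINE_DIR=$dir/" \
      "IMAGE_TAG=latest" \
      "MGT_PORT=$port" \
      "POSTGRES_PASSWORD=$(gen_secret)" \
      "REDIS_PASSWORD=$(gen_secret)" \
      "SUBNET_PREFIX=172.22.222" > "$envfile" )
  echo "wrote $envfile"
}

# env_key_count FILE KEY -> how many lines define KEY (1 is healthy; >1 means duplicates)
env_key_count() { grep -c "^$2=" "$1" || true; }

# Demo on constructed data in a temp dir (no real package, no Docker needed).
demo() {
  local tmp; tmp=$(mktemp -d)
  printf 'not a real image archive\n' > "$tmp/image.tar.gz"   # constructed stand-in
  verify_package "$tmp/image.tar.gz" "$(sha256_of "$tmp/image.tar.gz")"
  verify_package "$tmp/image.tar.gz" \
    0000000000000000000000000000000000000000000000000000000000000000 \
    || echo "rejected package with wrong digest"
  write_env_once "$tmp/safeline"
  write_env_once "$tmp/safeline" || echo "second run refused, keys still unique: $(env_key_count "$tmp/safeline/.env" POSTGRES_PASSWORD)"
  rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `./preflight.sh demo` to see both guards fire on constructed data; in the real install, call `verify_package image.tar.gz <digest>` before `docker load` and `write_env_once /data/docker/safeline` in place of the heredoc.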

After the script finishes, open https://<server-ip>:9443 to reach the SafeLine console. The console is served over HTTPS on MGT_PORT, and the admin password for the first login is obtained with the documented `docker exec safeline-mgt resetadmin` command. Keep port 9443 reachable only from administrative networks: unlike ports 80 and 443, the management console has no reason to be exposed to the internet.

Configuration

Original Deployment Architecture: [diagram not reproduced]

Now we place SafeLine WAF at the first layer so that it inspects every request and rejects invalid ones before they reach Nginx.

Deployment Architecture with SafeLine WAF: [diagram not reproduced]

Step 1:

  1. Modify the original Nginx configuration:
    • Change port 80 to port 81, and bind it to 127.0.0.1 (or firewall port 81 from the outside) so that clients cannot reach the application without passing through the WAF.
    • Comment out port 443 (TLS now terminates at SafeLine).
  2. Restart Nginx.

Step 2:

  1. Configure SafeLine WAF:
    • Add the protected site, with the backend Nginx on port 81 as its upstream.
    • Configure port 80.
    • Configure port 443 (upload the certificate and key that the old Nginx used).

HTTP to HTTPS Redirection:
SafeLine's own Nginx (the safeline-tengine container) can redirect port 80 requests to port 443. SafeLine reserves a file for custom configuration parameters that is included into the server configuration it generates.

In the installation path: safeline/resources/nginx/custom_params

Add the following, replacing www.waf.com with your own hostname (a literal hostname rather than $host keeps an attacker-supplied Host header out of the Location response). The $scheme guard makes the rule fire only for plain-HTTP requests, so it cannot loop if the file is also pulled into the HTTPS server block. 307 preserves the request method; 308 is its permanent equivalent and 301 the classic choice for GET-only sites:

if ($scheme = http) {
    return 307 https://www.waf.com$request_uri;
}

Test the configuration, then reload SafeLine's Nginx (nginx -t only checks the syntax; without the reload the change is not applied):

docker exec safeline-tengine nginx -t && docker exec safeline-tengine nginx -s reload
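What the backend Nginx should look like once SafeLine sits in front of it, as an added example (not the post's own configuration). It assumes the site's upstream in the SafeLine console is set to http://127.0.0.1:81, that SafeLine's tengine container uses host networking (the default compose.yaml does; if yours runs it on a bridge network, bind to the bridge gateway address instead and firewall port 81 from everything else), and an application listening on port 3000; the hostname and ports are placeholders. The point is the listen line: with a plain `listen 81;` the application stays reachable on http://<server-ip>:81 and the WAF can be skipped entirely.

```nginx
# Added example (not from the post): backend Nginx after the move to port 81.
# Assumed: SafeLine tengine in host networking mode, upstream 127.0.0.1:81,
# application on 127.0.0.1:3000, hostname www.waf.com.

server {
    # Loopback only. "listen 81;" would leave the application reachable on
    # http://<server-ip>:81, bypassing SafeLine completely.
    listen 127.0.0.1:81;
    server_name www.waf.com;

    # Every request now arrives from the WAF, so $remote_addr would be 127.0.0.1
    # and any IP allow/deny rules or rate limits kept in this layer would stop
    # working. Recover the client address from X-Forwarded-For, but trust that
    # header only when the connection really comes from the WAF.
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Forwarded-For;

    # Port 443 is handled by SafeLine now: TLS terminates there and the WAF
    # forwards plain HTTP to this port. Do not re-enable "listen 443 ssl" here
    # unless it is likewise bound to loopback.

    location / {
        proxy_pass http://127.0.0.1:3000;   # the application (assumed port)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading, confirm the bypass is closed from another host: `curl -sI http://<server-ip>:81/` must fail to connect, while the same request on port 80 is answered (or redirected) by SafeLine.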

SafeLine has many other useful features, such as a site maintenance mode, allow and deny lists, and CAPTCHA challenges, all of them free in the Community Edition.

PS: Custom pages
Many users want to customise the 403 and maintenance pages, but SafeLine does not support editing them directly: the files are regenerated every minute, so manual changes are overwritten.


Upgrade

SafeLine WAF recently released version 6.9.0.

For an offline deployment, a one-click upgrade matters as much as the install.

  1. Download the latest image package and orchestration files from the official website.
  2. Write the upgrade script.

Upgrade Script:

#!/bin/bash
# Offline upgrade. Run it from the upload directory that holds the new
# image.tar.gz and compose.yaml.
set -eu
UPLOAD_DIR=$PWD

# SafeLine WAF installation directory (trailing slash, as in the install script)
DIR=/data/docker/safeline/

echo Loading image
docker load -i image.tar.gz   # load first, so the downtime window only starts at "down"

cd "$DIR"

echo Stopping old containers
# Run "down" while the OLD compose.yaml is still in place, so every container it
# defined is removed, including services the new release drops or renames.
docker-compose down --remove-orphans

echo Backing up YAML and .env
mv compose.yaml compose.yaml.old
cp -p .env .env.old
cp -f "$UPLOAD_DIR/compose.yaml" .

echo Adding configuration
sed -i "s/^IMAGE_TAG=.*/IMAGE_TAG=latest/" .env

# Fill in keys missing from an older .env. The ^KEY= anchor means a commented-out
# or similarly named key is not mistaken for the real one.
add_if_missing() { grep -q "^$1=" .env || echo "$1=$2" >> .env; }
gen_secret() { LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32; }
add_if_missing SAFELINE_DIR "$DIR"
add_if_missing IMAGE_TAG latest
add_if_missing MGT_PORT 9443
add_if_missing POSTGRES_PASSWORD "$(gen_secret)"   # only taken if the key is absent
add_if_missing REDIS_PASSWORD "$(gen_secret)"
add_if_missing SUBNET_PREFIX 172.22.222            # the install script used 169.254.0; only applies if absent

echo Starting new containers
docker-compose up -d

echo Upgrade successful
echo "compose.yaml.old and .env.old are kept for rollback"

Upload the image package, orchestration file and upgrade script to the server, then run:

chmod +x update.sh && ./update.sh
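Pinning IMAGE_TAG to what the package actually contains, as an added example (not code from the post or from the SafeLine project). `docker load` prints one `Loaded image: <repo>:<tag>` line per image. If the offline archive carries versioned tags (this post's upgrade is to 6.9.0) while .env says `latest`, compose starts whichever image currently owns the `latest` tag, and rolling back by editing IMAGE_TAG is impossible because the previous tag was never recorded. The functions below parse that output, refuse a package with mixed tags, and update the key in place without the duplicate-line risk of the grep-or-append pattern. Function names are assumptions; the `Loaded image:` lines in demo, including the image names, are constructed.

```shell
#!/bin/bash
# Added example (not from the post or the SafeLine project): derive the image
# tag from `docker load` output and pin IMAGE_TAG in .env to it, instead of
# assuming "latest". Sample image names below are constructed for the demo.
set -eu

# tag_from_load_output < docker-load-output -> prints the single tag shared by
# all loaded images; returns 1 if there is none or if the tags differ.
tag_from_load_output() {
  local tags
  # "Loaded image: repo[:port]/name:tag" -> take what follows the last colon.
  # "Loaded image ID: sha256:..." (untagged image) does not match.
  tags=$(sed -n 's/^Loaded image: .*:\([^:]*\)$/\1/p' | sort -u)
  set -- $tags   # one distinct tag per positional parameter
  if [ $# -eq 0 ]; then echo "no tagged images in docker load output" >&2; return 1; fi
  if [ $# -ne 1 ]; then echo "package carries mixed tags: $*" >&2; return 1; fi
  printf '%s\n' "$1"
}

# set_env_key FILE KEY VALUE -> replace KEY=... in place, or append it once.
set_env_key() {
  local file=$1 key=$2 value=$3
  if grep -q "^$key=" "$file"; then
    # write a temp copy and rename: atomic, and no GNU/BSD sed -i dialect issues
    ( umask 077; sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" )
    mv "$file.tmp" "$file"
  else
    echo "$key=$value" >> "$file"
  fi
}

# env_value FILE KEY -> prints the current value of KEY
env_value() { sed -n "s/^$2=//p" "$1"; }

# pin_image_tag ENVFILE < docker-load-output -> records the package's tag in .env
pin_image_tag() {
  local tag
  tag=$(tag_from_load_output)
  set_env_key "$1" IMAGE_TAG "$tag"
  echo "IMAGE_TAG pinned to $tag in $1"
}

demo() {
  local tmp; tmp=$(mktemp -d)
  printf 'IMAGE_TAG=latest\nMGT_PORT=9443\n' > "$tmp/.env"
  # Constructed stand-in for the output of `docker load -i image.tar.gz`
  printf '%s\n' \
    'Loaded image: chaitin/safeline-mgt:6.9.0' \
    'Loaded image: chaitin/safeline-tengine:6.9.0' \
    'Loaded image: chaitin/safeline-detector:6.9.0' | pin_image_tag "$tmp/.env"
  cat "$tmp/.env"
  rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

In the upgrade script this replaces the `sed -i ... IMAGE_TAG=latest` line: `docker load -i image.tar.gz | tee /dev/stderr | pin_image_tag .env`. Rolling back then means restoring compose.yaml.old and .env.old and running compose again, because the previous release's images are still loaded under their own tag.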

Upgrade successful: [console screenshot not reproduced]

For more information:
Website: https://waf.chaitin.com/
GitHub: https://github.com/chaitin/SafeLine
Discord: https://discord.gg/wVyX7vDE
Email: c0849672@gmail.com
