Turning Your Server into a High-Security Server with a Free WAF

Carrie - Oct 23 - - Dev Community

Background

SafeLine WAF is, in my opinion, an incredibly powerful tool. Its dynamic defense capabilities are impressive, allowing you to encrypt the pages you want, turning them into unreadable gibberish. The community edition is free to use.

SafeLine Website: https://waf.chaitin.com/

As we all know, websites that we painstakingly manage are often vulnerable to hacker attacks, and ensuring the security of website data is a significant challenge for site administrators.

Today, I’m introducing a program that can instantly turn your server into a high-security server with SafeLine WAF.

SafeLine WAF Introduction

SafeLine WAF is a web application firewall that can protect against various types of attacks. It’s an essential tool for ensuring web application security.

Defense Capabilities of SafeLine WAF

SafeLine WAF supports dynamic protection. Unlike other types of WAF, it pioneers a semantic analysis algorithm that surpasses the limits of traditional rule-based algorithms.

It offers precise detection, low false positives, and is difficult to bypass.

More importantly, it can be installed with one click and is ready to use out of the box.

It also defends against 0day attacks and is free to use!

Here are some screenshots showcasing its defense capabilities. The entire panel is clear and easy to understand.

How to Install SafeLine WAF

To install SafeLine WAF, it is recommended to use a dedicated server with nothing else on it. The advantage of using a separate server for SafeLine WAF is that all attacks and traffic will be filtered through SafeLine WAF before reaching your website server.

Original Architecture

New Architecture with SafeLine

Online Installation (Recommended)

If your server has internet access, this method is recommended.

Copy the following command to execute and complete the installation:

bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"
Enter fullscreen mode Exit fullscreen mode

To install the latest version in streaming detection mode, use:

STREAM=1 bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"
Enter fullscreen mode Exit fullscreen mode

Copy any of these commands to install with one click, and it’s ready to use out of the box.

Configuration for SafeLine WAF

I currently use a dedicated server for SafeLine WAF and several business servers. The configuration is as follows:

  • 2 cores, 2GB RAM, 20M bandwidth
  • Operating System: Linux

1. Initial Installation and Configuration

After installing SafeLine WAF, log in and go to system settings. Enable TOTP authentication, scan the QR code and bind it to SafeLine WAF for secure login.

2. Apply for an SSL certificate from aa panel

Do not delete the business domain in the aa panel. Default to port 80 and apply for an SSL certificate, then upload the SSL certificate to Safeline WAF.

Download the SSL certificate, choose Apache, find the .crt and .key files, and upload them to SafeLinel WAF’s certificate section.

Note: Some site programs only support access from the main domain during installation. Subdomain access may not load JS, images, etc., so please check carefully. If this happens, use a 301 redirect in the aa panel.

3. Adding Web Services Need to Be Protected

If SafeLine WAF and other panels are installed on the same server, this method is not suitable as it may cause port conflicts.

If your website server IP is 192.168.0.1 and Safeline server IP is 192.168.0.2:

Change your domain binding from 192.168.0.1 to 192.168.0.2and remove the A record for 192.168.0.1.

4. After pointing the business domain to SafeLine WAF server IP, configure and fill in the settings in the aa panel (default port 80).

If you use cloud server and aa panel, the upstream server don't need to enter port. If you deployed locally, enter the port.

5. aa Panel Operations

Add the website’s domain in aa panel, turn off forced SSL, and enable SSL certificates on both SafeLine WAF and aa panel to avoid 502 gateway errors.

6. Safeline WAF Proxy Settings

Configure the same settings on SafeLine WAF.

7. SafeLine WAF Dynamic Protection

SafeLine’s dynamic protection feature is powerful. It can encrypt your website pages in real-time, preventing malicious users from viewing the actual code.

Typically, I configure dynamic protection on login and registration pages, which need the most protection. SafeLine WAF effectively addresses this issue.

When accessing encrypted files, it will show that the page is protected by dynamic encryption and is being decrypted. The code will remain encrypted.

6. Using CDN with SafeLine

  • Point the website domain to the CDN.
  • Set the origin IP in the CDN to RayPool WAF server IP.
  • Add the site to SafeLine WAF, set the protected domain to the website domain, and fill in the upstream server IP as the website server IP.

Conclusion

With these configurations, your server will now function as a high-security server.

Hacker attacks will not directly reach your website server, as all incoming traffic is first filtered through SafeLine WAF. As long as the SafeLine WAF server has sufficient CPU and bandwidth, it essentially acts as a high-bandwidth high-security CDN node.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player