Configuring Protected Sites

SafeLine WAF functions by acting as a reverse proxy through Nginx, positioning itself as a front-end proxy server for your protected sites. It inspects and filters incoming traffic to detect and block malicious activities before forwarding the clean traffic to your web server. The web server then responds to SafeLine, which in turn sends the final response back to the user, completing the request cycle.

Traffic Forwarding Overview

• Without WAF: Requests are sent directly to your web server.

• With SafeLine WAF: Requests are routed through SafeLine, where they are filtered and then forwarded to your web server.

Adding a Protected Site (For HTTP Applications)

Common Deployment Scenarios:

1. Web Application and SafeLine WAF on the Same Server

For example, if your web application is accessible at http://www.waf.com:80, there are two main ways to configure your protection site.

Important: Since the WAF and the application are on the same server, ensure that the ports do not conflict. No two services can listen on the same TCP port on the same server.

Option 1: Keep the Application Port Unchanged
The application remains on its original port, and you change the access port.

• Example: www.waf.com:8000 forwards to 127.0.0.1:80
• Domain: Set your actual domain.
• Port: Use any port that doesn’t conflict with the existing ones.
• Upstream Server: Set to http://127.0.0.1:80, replacing it with your actual application server port.

Option 2: Keep the Access Port Unchanged
The access port remains the same, and you change the application's port.

• Example: www.waf.com:80 forwards to 127.0.0.1:8000 (formerly port 80)
• Domain: Set your actual domain.
• Port: Use the already published access port of the web application.
• Upstream Server: Set to http://127.0.0.1:8000, replacing it with your updated application server port.

2. Web Application and SafeLine on Different Servers

This method is also common and recommended as it avoids port conflicts.

• Example: Your web application is at http://www.waf.com:80.

Option 1: No Nginx Reverse Proxy in Front of the Application Server
In this case, you’ll need to modify the DNS settings to point the domain to the WAF server’s IP.

• Example: www.waf.com:80 → WAF_nginx:80 → Application:80
• Add a protected site:
  • Domain: www.waf.com (replace with your actual domain)
  • Port: 80 (replace with your actual port)
  • Upstream Server: Set to the IP of your application server.
• Modify DNS settings.

Option 2: Nginx Reverse Proxy Already in Front of the Application Server
Here, you’ll need to modify the Nginx configuration to forward requests to the WAF.

• Example: www.waf.com:80 → Application Nginx Proxy:80 → WAF_nginx:80 → Application:80
• Add a protected site:
  • Domain: www.waf.com (replace with your actual domain)
  • Port: 80 (replace with your actual port)
  • Upstream Server: Set to the actual IP of your application.

3. Web Application Behind an SLB Load Balancer

In this case, it's advisable to place the WAF in front of the SLB and modify DNS settings to point to the WAF.

• Example: www.waf.com:80 → WAF_nginx:80 → SLB:80
  1. Add a protected site:
     • Domain: www.waf.com (replace with your actual domain)
     • Port: 80 (replace with your actual port)
     • Upstream Server: Set to the virtual IP of the SLB.
  2. Modify DNS settings to point from the SLB to the WAF.

Adding a Protected Site (For HTTPS Applications)

Before you begin, make sure you have the SSL certificate and key file for your domain ready.

1. Add a protected site.

2. Select SSL.
   

3. Upload your certificate and key.

4. If the web application itself is HTTPS, adjust the corresponding port and protocol. Example: https://www.waf.com:443

5. Submit. Follow the HTTPS configuration steps and ensure the appropriate settings for HTTPS and port 443 are applied.

Give it a try now!
Website: https://waf.chaitin.com
Demo：https://demo.waf.chaitin.com:9443