

How to Configure an Open Source WAF, SafeLine


Section: Programming
Source: dev.to

This article is written by a SafeLine user, Tale365

Why

My tiny blog was hacked before, and many malicious advertisements were injected into the articles. It took a significant amount of time to clean up and recover my articles. Unfortunately, some of the content was destroyed and couldn’t be recovered.

My storage was targeted by a CC attack, resulting in an excessive number of HTTPS requests and traffic that I had to pay for.

This experience has made me realize the importance of a WAF (Web Application Firewall). Previously, I was using a free WAF provided by Baidu, but now they are charging for it, and the cost is too high for a personal blog.

Therefore, I started looking for a free WAF that I could install on my own server. During my search, I came across SafeLine WAF, which caught my attention due to an attractive comparison. After a month-long trial, I found its performance and effectiveness satisfactory, although there is still room for improvement. I intend to continue using it for the time being until a better option becomes available.


Configure the WAF

For how to install and upgrade the SafeLine WAF, please refer to the official documentation. This article only covers the configuration.

Let’s take a look at the dashboard first. It is quite easy to comprehend the statistics and geographical information.


Enable HTTPS/SSL access

We need to upload the SSL certificates through the “Settings > Certifications” section. In order to enable the WAF admin page to use the customized certificates, we should select the correct certificates in the “Waf Backend Cert” section.


Next, we should enforce HTTPS by going to “Settings > General > force HTTPS”.


The remaining options are also worth enabling:

  • HTTP2: If the web server supports HTTP/2, enabling it can improve performance.
  • Joining the Intelligence Sharing Plan: Recommended, so that the malicious IP addresses detected on our site are contributed back to the community.

Add the sites we want to protect

In the “Protected Sites” section, add configurations to enable SSL on port 443 and non-SSL on port 80. The previous “force HTTPS” setting will redirect HTTP traffic on port 80 to HTTPS on port 443. Select the uploaded certificates and input the upstream server. Here, I connected to an internal web server. Unfortunately, using “localhost” is not allowed in this context.


Ban the malicious IPs

There are two approaches to adding IPs. The first one is to add IPs in “Settings > IP Groups”. In this section, you will find a “Malicious IP Group by Community” contributed by the community, which is linked to the “Joining the Intelligence Sharing Plan” option.


The second approach is to add IPs through the “Events” section.


Regardless of which approach you choose, remember to reference the IP group in “Protections > Allow/Deny List”. Otherwise, it has no effect.


Whitelist the search engines

Add an “Allowlist” entry to allow the spiders of the search engines:

/.*(Googlebot|Google Favicon|Storebot-Google|Google-InspectionTool|GoogleOther|Google-Extended|APIs-Google|AdsBot-Google|Mediapartners-Google|FeedFetcher-Google|GoogleProducer|Google-Read-Aloud|Google-Site-Verification|bingbot|MicrosoftPreview|Yahoo|YandexBot|Baiduspider|Sogou web spider|360Spider|YisouSpider|Bytespider).*/i
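An added example, not part of the original article or of SafeLine itself: it converts the `/pattern/i` rule above into a Python regex and runs it over constructed User-Agent strings, and adds the check the crawler vendors publish for telling a real crawler from a client that merely sends a crawler User-Agent. The list of reverse-DNS domains is an assumption taken from the Google and Bing crawler documentation.

```python
import re

# The allowlist rule from the article, in SafeLine's /pattern/flags form.
SPIDER_RULE = (
    r"/.*(Googlebot|Google Favicon|Storebot-Google|Google-InspectionTool|GoogleOther|"
    r"Google-Extended|APIs-Google|AdsBot-Google|Mediapartners-Google|FeedFetcher-Google|"
    r"GoogleProducer|Google-Read-Aloud|Google-Site-Verification|bingbot|MicrosoftPreview|"
    r"Yahoo|YandexBot|Baiduspider|Sogou web spider|360Spider|YisouSpider|Bytespider).*/i"
)

# Reverse-DNS domains the vendors publish for their crawlers (assumed list;
# confirm against the Google and Bing crawler docs in the article's references).
VERIFIED_SUFFIXES = ("googlebot.com", "google.com", "googleusercontent.com", "search.msn.com")

# Constructed User-Agent samples, not captured from real traffic.
SAMPLE_UAS = {
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)": True,
    "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)": True,
    "baiduspider/2.0": True,  # the /i flag makes the match case-insensitive
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36": False,
    "curl/8.4.0": False,
}


def compile_rule(rule):
    """Convert a /pattern/flags rule into a compiled Python regex (only 'i' is handled)."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", rule, re.S)
    if not m:
        raise ValueError("rule must look like /pattern/flags")
    pattern, flags = m.groups()
    return re.compile(pattern, re.I if "i" in flags else 0)


def matches_allowlist(user_agent, rule=SPIDER_RULE):
    """True if the User-Agent string would be allowlisted by the rule."""
    return compile_rule(rule).search(user_agent) is not None


def is_verified_crawler_host(reverse_dns_name):
    """Suffix check on the reverse-DNS name of the client IP.

    The User-Agent header is client-controlled, so the vendors document a
    verification: reverse-resolve the client IP, check the name ends in one of
    their domains, then forward-resolve that name and confirm it returns the
    same IP. Only the suffix step is shown so the example runs offline.
    """
    name = reverse_dns_name.lower().rstrip(".")
    return any(name.endswith("." + suffix) for suffix in VERIFIED_SUFFIXES)


def check_samples():
    """Return the samples whose allowlist result differs from the expectation."""
    return [ua for ua, expected in SAMPLE_UAS.items() if matches_allowlist(ua) != expected]
```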


Other configurations

Secure SSL Protocol and Ciphers

By default, SafeLine WAF allows TLS 1.0 and TLS 1.1, and it allows some insecure ciphers of TLS 1.2. If we want to make the website more secure, we need to modify the configurations in Nginx.

vi /data/safeline/resources/nginx/nginx.conf

nginx.conf:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
We can use https://www.ssllabs.com/ssltest/ to test the result.
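An added example, not from the article or from SafeLine: a small audit of the ssl_* directives that flags exactly the weaknesses the section describes (TLS 1.0/1.1 enabled, and TLS 1.2 ciphers without forward secrecy or AEAD), so the nginx.conf change can be checked before the container is restarted. The permissive fragment is constructed to resemble the default the article describes; it is not SafeLine's actual shipped configuration.

```python
import re

# Constructed samples: the hardened fragment from the article, and an assumed
# permissive configuration of the kind the article says SafeLine ships by default.
HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305";
"""
PERMISSIVE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers "AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directive_args(conf, name):
    """Return the argument string of an nginx directive, or None if it is absent."""
    m = re.search(rf"^\s*{re.escape(name)}\s+(.*?)\s*;", conf, re.M)
    return m.group(1).strip().strip('"') if m else None


def audit_tls(conf):
    """Return a list of findings for the ssl_* directives in a config fragment."""
    findings = []
    protocols = directive_args(conf, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols is not set explicitly")
    else:
        for proto in protocols.split():
            if proto in DEPRECATED_PROTOCOLS:
                findings.append(f"deprecated protocol enabled: {proto}")
    ciphers = directive_args(conf, "ssl_ciphers")
    for cipher in (ciphers.split(":") if ciphers else []):
        # ECDHE/DHE key exchange gives forward secrecy; the rest is RSA key transport.
        if not cipher.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {cipher}")
        # GCM and CHACHA20-POLY1305 are AEAD; everything else here is CBC with HMAC.
        if "GCM" not in cipher and "CHACHA20" not in cipher:
            findings.append(f"non-AEAD (CBC/HMAC) cipher: {cipher}")
    return findings
```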


Memory Limit

To check the memory consumption, please use the following command:

docker stats --no-stream

To control the memory consumption of SafeLine WAF, we can edit the compose.yaml file and add a mem_limit directive to each service. Below is just an example:

vi /data/safeline/compose.yaml

compose.yaml:
services:
  postgres:
    container_name: safeline-postgres
    restart: always
    image: postgres:15.2
    mem_limit: 96m

Unfortunately, these changes to compose.yaml are overwritten during an upgrade, so we need to reapply them afterwards and recreate the containers:

docker compose up -d --force-recreate
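Because an upgrade overwrites compose.yaml, reapplying the limits by hand each time is error-prone. The following is an added example, not part of the article or of SafeLine: a stdlib-only function that inserts or replaces a mem_limit line for named services in a compose file, so it can be run after every upgrade before the recreate command. The compose fragment is constructed; the service names other than postgres are assumed and the real file looks different.

```python
# Constructed compose fragment in the shape the article shows; not SafeLine's
# real file, and the service names other than postgres are assumed.
SAMPLE_COMPOSE = """services:
  postgres:
    container_name: safeline-postgres
    restart: always
    image: postgres:15.2
  mgt:
    container_name: safeline-mgt
    restart: always
    mem_limit: 512m
volumes:
  data: {}
"""


def set_mem_limits(compose_text, limits):
    """Insert or replace a mem_limit line for each service named in limits.

    Line-based on purpose so it needs no YAML library; it assumes the
    two-space indentation of the fragment above. Other services and keys
    are passed through unchanged, so running it a second time is a no-op.
    """
    out, in_services, service, done = [], False, None, False
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        indent = len(line) - len(line.lstrip(" "))
        starts_block = indent <= 2 and stripped.endswith(":") and not stripped.startswith("-")
        # Leaving a service that had no mem_limit: append one before the next block.
        if starts_block and service in limits and not done:
            out.append(f"    mem_limit: {limits[service]}")
        if indent == 0:
            in_services = stripped == "services:"
            service, done = None, False
        elif in_services and indent == 2 and stripped.endswith(":"):
            service, done = stripped[:-1], False
        elif service in limits and stripped.startswith("mem_limit:"):
            line, done = f"    mem_limit: {limits[service]}", True
        out.append(line)
    if service in limits and not done:  # last service in the file
        out.append(f"    mem_limit: {limits[service]}")
    return "\n".join(out) + "\n"
```

Write the returned text back to /data/safeline/compose.yaml and then run the recreate command above.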

Notes

The order in which the rules are evaluated: Whitelist > Blacklist > reCaptcha > Semantics

Issues

I have identified some issues that were raised on the project's GitHub issue tracker. There is still room for improvement, and I hope that SafeLine WAF can continue to enhance its performance while remaining free of charge.

  • ECC support: [Suggestion] Can the free certificate request use the ECC algorithm? · Issue #400 · chaitin/SafeLine (github.com)
  • HTTP/3 support: [Suggestion] Support UDP on port 443 · Issue #356 · chaitin/SafeLine (github.com)
  • Secure SSL support: [Suggestion] Could an SSL protocol setting be added, e.g. to disable versions below TLS 1.2? · Issue #355 · chaitin/SafeLine (github.com)
  • localhost support: [Suggestion] When the WAF is installed on the same machine, can localhost be used as the upstream? · Issue #322 · chaitin/SafeLine (github.com)
  • Blocking 127.0.0.1: [Bug] Requests originating from the local machine are wrongly blocked · Issue #320 · chaitin/SafeLine (github.com)

Reference

  • SSL Server Test (Powered by Qualys SSL Labs)
  • Google Crawler (User Agent) Overview | Google Search Central | Documentation | Google for Developers
  • Which Crawlers Does Bing Use – Bing Webmaster Tools
