How to configure SafeLine WAF

Why

My tiny blog was hacked before, and many malicious advertisements were injected into the articles. It took a significant amount of time to clean up and recover my articles. Unfortunately, some of the content was destroyed and couldn’t be recovered.

My storage was also targeted by a CC (Challenge Collapsar) attack, i.e. an HTTP flood, which produced an excessive number of HTTPS requests and traffic that I had to pay for.

This experience has made me realize the importance of a WAF (Web Application Firewall). Previously, I was using a free WAF provided by Baidu, but now they are charging for it, and the cost is too high for a personal blog.

Therefore, I started looking for a free WAF that I could install on my own server. During my search, I came across SafeLine WAF, which caught my attention due to an attractive comparison. After a month-long trial, I found its performance and effectiveness satisfactory, although there is still room for improvement. I intend to continue using it for the time being until a better option becomes available.

Configure the WAF

For how to install and upgrade the SafeLine WAF, please refer to the official documentation, "雷池简介 | 长亭雷池 WAF 社区版" (SafeLine introduction, Chaitin SafeLine WAF Community Edition) at chaitin.cn. Here we only talk about the configuration.

Let's take a look at the dashboard first. It presents request statistics and the geographical distribution of sources, and it is easy to read at a glance.

Enable HTTPS/SSL access

We need to upload the SSL certificates and private keys through the "Settings > Certificates" section. To make the WAF admin page itself use a custom certificate instead of the self-signed one, select the correct certificate in the "Waf Backend Cert" section.

Secondly, enforce HTTPS by going to "Settings > General > force HTTPS", so that plain-HTTP requests are redirected rather than served.

Two other options in the same section are worth enabling:

  1. HTTP2: lets clients talk HTTP/2 to the WAF, which improves page-load performance. Because the WAF terminates the client connection, the upstream web server does not need to support HTTP/2 itself.
  2. Joining the Intelligence Sharing Plan: recommended, so that malicious IP addresses detected on our site are contributed to the community. Note that this means attacker IPs seen by our WAF are uploaded to the vendor; for a personal blog that is an acceptable trade-off.

Add the sites we want to protect

In the "Protected Sites" section, add one configuration for SSL on port 443 and one for non-SSL on port 80. The earlier "force HTTPS" setting redirects HTTP traffic on port 80 to HTTPS on port 443. Select the uploaded certificate and enter the upstream server. Here, I pointed it at an internal web server. Unfortunately, "localhost" is not allowed as the upstream: SafeLine runs inside Docker containers, so "localhost" would refer to the WAF container itself rather than the host. Use the host's LAN IP address (or a hostname that resolves from inside the container) instead.

Ban the malicious IPs

There are two approaches to adding IPs. The first is to add them in "Settings > IP Groups". In this section you will also find a "Malicious IP Group by Community", which is fed by the "Joining the Intelligence Sharing Plan" option above.

The second approach is to add IPs directly from the "Events" section, where an attacking source can be banned from the event that it triggered.

Regardless of which approach you choose, an IP group on its own does nothing: it must be referenced by a rule in "Protections > Allow/Deny List". Otherwise the ban will not take effect.

Whitelist the search engines

Add an "Allowlist" entry in "Protections > Allow/Deny List" matching the User-Agent of the search-engine crawlers, so that their indexing requests are not blocked:

/.*(Googlebot|Google Favicon|Storebot-Google|Google-InspectionTool|GoogleOther|Google-Extended|APIs-Google|AdsBot-Google|Mediapartners-Google|FeedFetcher-Google|GoogleProducer|Google-Read-Aloud|Google-Site-Verification|bingbot|MicrosoftPreview|Yahoo|YandexBot|Baiduspider|Sogou web spider|360Spider|YisouSpider|Bytespider).*/i

Keep in mind that the User-Agent header is chosen by the client. An allowlist keyed on it alone exempts from WAF inspection anyone who sends a crawler-looking User-Agent, so if the logs show "crawlers" behaving suspiciously, confirm them by reverse DNS (and forward confirmation) against the vendor's documented hostnames, and restrict the allowlist to the vendor's published IP ranges where those exist.
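The following is an added example, not code from the page or from SafeLine, showing the check described above: a User-Agent that claims to be a crawler is only trusted when the source IP's PTR record falls under the vendor's domain and the forward lookup of that hostname returns the same IP. The regex is trimmed to the two crawler families for which this example carries verification rules; the DNS answers are constructed and injected as callbacks so the script runs offline.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Subset of the page's allowlist pattern, limited to the crawler families this
# example knows how to verify (extend both tables from each vendor's docs).
SPIDER_UA = re.compile(r"(Googlebot|bingbot)", re.I)

# Hostname suffixes the vendors publish for their crawlers (Google: googlebot.com,
# google.com, googleusercontent.com; Bing: search.msn.com). Assumption: the
# operator keeps this table in step with the vendors' documentation.
TRUSTED_SUFFIXES: Dict[str, Tuple[str, ...]] = {
    "googlebot": ("googlebot.com", "google.com", "googleusercontent.com"),
    "bingbot": ("search.msn.com",),
}

ReverseLookup = Callable[[str], Optional[str]]  # IP -> PTR hostname, or None
ForwardLookup = Callable[[str], List[str]]      # hostname -> list of A records


def verify_crawler(ip: str, user_agent: str,
                   reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """True only when a crawler User-Agent is backed by forward-confirmed reverse DNS.

    1. The UA claims a known crawler family.
    2. The IP's PTR record ends with a suffix that vendor owns.
    3. The PTR hostname's A records contain the original IP.
    A spoofed UA fails at step 2 or 3; a plain browser fails at step 1.
    """
    m = SPIDER_UA.search(user_agent)
    if not m:
        return False
    family = m.group(1).lower()
    ptr = reverse(ip)
    if not ptr:
        return False
    host = ptr.rstrip(".").lower()
    owned = any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES[family])
    if not owned:
        return False
    return ip in forward(host)


def classify(entries: List[Tuple[str, str]],
             reverse: ReverseLookup, forward: ForwardLookup) -> Tuple[List[str], List[str]]:
    """Split (ip, user_agent) pairs into: allowed by the UA regex alone, and DNS-verified."""
    ua_only = [ip for ip, ua in entries if SPIDER_UA.search(ua)]
    verified = [ip for ip, ua in entries if verify_crawler(ip, ua, reverse, forward)]
    return ua_only, verified


# Constructed sample traffic (documentation IP ranges; the UAs mimic real crawler strings).
SAMPLE_ENTRIES = [
    ("66.249.66.1", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    ("198.51.100.7", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"),
    ("203.0.113.9", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),  # no PTR
    ("203.0.113.10", "Googlebot/2.1"),   # PTR under an attacker-controlled domain
    ("203.0.113.11", "Googlebot/2.1"),   # PTR looks right, forward lookup disagrees
    ("203.0.113.12", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),  # ordinary browser
]

# Constructed DNS answers standing in for real resolver calls.
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com.",
    "198.51.100.7": "msnbot-198-51-100-7.search.msn.com.",
    "203.0.113.10": "googlebot.com.attacker.example.",
    "203.0.113.11": "crawl-203-0-113-11.googlebot.com.",
}
FAKE_A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "msnbot-198-51-100-7.search.msn.com": ["198.51.100.7"],
    "googlebot.com.attacker.example": ["203.0.113.10"],
    "crawl-203-0-113-11.googlebot.com": ["66.249.66.99"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(host: str) -> List[str]:
    return FAKE_A.get(host, [])


if __name__ == "__main__":
    ua_only, verified = classify(SAMPLE_ENTRIES, fake_reverse, fake_forward)
    print("allowed by the UA regex alone:", ua_only)
    print("DNS-verified crawlers:        ", verified)
```

Against live DNS, pass `lambda ip: socket.gethostbyaddr(ip)[0]` (wrapped to return None on `socket.herror`) and `lambda host: socket.gethostbyname_ex(host)[2]` as the two callbacks. Of the five sources the regex alone would allowlist, only the two with a matching PTR and forward record survive; the "googlebot.com.attacker.example" case shows why the suffix check must anchor on a dot boundary rather than a substring match.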

Other configurations

Secure SSL Protocol and Ciphers

By default, SafeLine WAF allows TLS 1.0 and TLS 1.1, and it allows some insecure ciphers under TLS 1.2. To harden the site, edit the Nginx configuration that ships with SafeLine so that only TLS 1.2 and TLS 1.3 are offered, with forward-secret AEAD cipher suites. Note that the ssl_ciphers list only governs TLS 1.2 and older; TLS 1.3 suites are selected by OpenSSL separately and are all forward-secret AEAD suites.

vi /data/safeline/resources/nginx/nginx.conf

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
```

After saving, reload the WAF's Nginx (restarting its container is the simplest way) and then verify the result from the outside with https://www.ssllabs.com/ssltest/, which will also confirm that TLS 1.0 and 1.1 handshakes are refused.
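As a local pre-check before reloading Nginx, here is an added example (not part of the page or of SafeLine) that lints the ssl_* directives of a config fragment for the three problems discussed above: deprecated protocol versions, obsolete cipher suites, and suites without forward secrecy. The two config fragments are constructed: WEAK_CONF illustrates the permissive setup the text describes, and HARDENED_CONF is the recommended block from the page.

```python
import re
from typing import Dict, List

# Protocol versions that should never be offered on a public site.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that identify obsolete TLS 1.2 (and older) cipher suites.
OBSOLETE_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")
# OpenSSL cipher-string keywords expand to many suites at runtime, so they need
# manual review (openssl ciphers -v '<string>') rather than a per-suite check.
OPENSSL_KEYWORDS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFALL"}


def parse_ssl_directives(conf: str) -> Dict[str, str]:
    """Collect ssl_* directives from an nginx fragment; comments are ignored.

    Simplification: if a directive appears more than once (several server
    blocks), the last occurrence wins.
    """
    found: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(ssl_\w+)\s+(.*?)\s*;$", line)
        if m:
            found[m.group(1)] = m.group(2).strip("\"'")
    return found


def lint_tls(conf: str) -> List[str]:
    """Return a list of findings; an empty list means the fragment passes."""
    d = parse_ssl_directives(conf)
    findings: List[str] = []

    if "ssl_protocols" not in d:
        findings.append("ssl_protocols is not set explicitly (the default depends on the nginx build)")
    else:
        protos = d["ssl_protocols"].split()
        findings += [f"ssl_protocols enables deprecated {p}" for p in protos if p in DEPRECATED_PROTOCOLS]
        if "TLSv1.3" not in protos:
            findings.append("ssl_protocols does not enable TLSv1.3")

    if "ssl_ciphers" not in d:
        findings.append("ssl_ciphers is not set explicitly")
    else:
        for suite in d["ssl_ciphers"].split(":"):
            if not suite or suite.startswith(("!", "-", "+", "@")):
                continue  # exclusions and ordering modifiers offer nothing themselves
            if suite.upper() in OPENSSL_KEYWORDS:
                findings.append(f"ssl_ciphers uses keyword {suite}; expand it with 'openssl ciphers -v' and review")
            elif any(mark in suite for mark in OBSOLETE_MARKERS):
                findings.append(f"ssl_ciphers includes obsolete suite {suite}")
            elif not suite.startswith(("ECDHE-", "DHE-")):
                findings.append(f"ssl_ciphers suite {suite} lacks forward secrecy")
    return findings


# Constructed fragment illustrating a permissive setup.
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL";
"""

# The hardened block recommended above.
HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in lint_tls(conf) or ["no findings"]:
            print("  -", finding)
```

To run it against the live file, read /data/safeline/resources/nginx/nginx.conf and pass its contents to `lint_tls`. The lint is deliberately conservative: an OpenSSL keyword such as HIGH is reported for review rather than accepted, because what it expands to depends on the OpenSSL build inside the container.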

Memory Limit

To check the memory consumption, please use the following command:

docker stats --no-stream

To cap the memory consumption of SafeLine WAF, edit the compose.yaml file and add a mem_limit directive to the services that need one. Below is just an example for the PostgreSQL service; the right value depends on the traffic the site receives.

vi /data/safeline/compose.yaml

```yaml
services:
  postgres:
    container_name: safeline-postgres
    restart: always
    image: postgres:15.2
    mem_limit: 96m
```

Unfortunately, these changes to compose.yaml are overwritten during an upgrade, so they have to be reapplied after each one. The limits only take effect once the containers (not the images) are recreated:

docker compose up -d --force-recreate

Notes

Issues

I have identified some issues and raised them on the project's GitHub. There is still room for improvement, and I hope SafeLine WAF continues to improve its performance while remaining free of charge.
