Since I put a CDN in front of the site recently, a pile of junk requests shows up every early morning for no obvious reason: some are vulnerability scans, some carry the User-Agents of large-language-model crawlers, and some are malicious spiders.

To save CDN cost and block the usual injection attacks, I started looking at open source WAF options (good enough for my own small, rickety site). For a business deployment I would recommend a commercial product instead, such as Alibaba Cloud DCDN, Tencent EdgeOne or, for overseas traffic, Cloudflare (the first choice there).

1. Feature overview

SafeLine (雷池, also romanized Lei Chi) is the open source WAF from Chaitin Technology (长亭科技). Its core detection capability is driven by semantic analysis algorithms rather than a plain signature list.

It is primarily a web security gateway focused on WAF duty. The vendor lists defence against the common classes of web attacks: SQL injection, code injection, OS command injection, CRLF injection, LDAP injection, XPath injection, RCE, XSS, XXE, SSRF, path traversal, webshells/backdoors, brute-force login, HTTP flood, bot abuse and so on. As with any WAF, read that as coverage of known attack classes, not a guarantee that nothing gets through.

I skimmed the project source: the management API is written in Go, and the core WAF data path is Tengine plus Lua, essentially an OpenResty-style setup.

Project address: https://github.com/chaitin/safeline

Official website address: https://waf-ce.chaitin.cn/

https://waf.chaitin.com/

For comparison, other popular gateways in this space include APISIX, Kong and OpenResty.

2. Installation

Download the offline images

Because most of the domestic Docker Hub mirror accelerators stopped working a few days ago, the images had to be obtained offline: pulled from a registry that is still reachable (here the Huawei Cloud SWR mirror) and loaded onto the server. The loaded images:

```shell
# docker images
REPOSITORY                                                          TAG      IMAGE ID       CREATED         SIZE
swr.cn-east-3.myhuaweicloud.com/chaitin-safeline/safeline-chaos     latest   71b05b47e3fd   3 days ago      118MB
chaitin/safeline-postgres                                           15.2     bf700010ce28   13 months ago   379MB
swr.cn-east-3.myhuaweicloud.com/chaitin-safeline/safeline-postgres  15.2     bf700010ce28   13 months ago   379MB
```

Configure the environment

```shell
# cd /opt/safeline
# vim .env
SAFELINE_DIR=/opt/safeline
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=Pgssf201Waf
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
```


* SAFELINE_DIR: SafeLine installation directory; /opt/safeline here
* IMAGE_TAG: SafeLine version to install; keep the default latest
* MGT_PORT: SafeLine console port; keep the default 9443
* POSTGRES_PASSWORD: initialization password for the database SafeLine needs; generate a random one (the value in the example above is only a placeholder, do not reuse it)
* SUBNET_PREFIX: SafeLine internal network segment; keep the default 172.22.222
* IMAGE_PREFIX: SafeLine image repository prefix; keep the default chaitin. If the offline images still carry the mirror name, either retag them to chaitin/ (as the postgres image in the listing above was) or set this to the mirror prefix, so that the image names in the compose file match what is loaded.

Manage the containers with docker-compose:

```shell
# cd "/opt/safeline"
# wget "https://waf-ce.chaitin.cn/release/latest/compose.yaml" -O docker-compose.yaml
# docker-compose up -d
# docker-compose ps
       Name                      Command                  State                          Ports
------------------------------------------------------------------------------------------------------------
safeline-bridge     /app/bridge serve -n unix ...    Up
safeline-chaos      ./entrypoint.sh                  Up             9000/tcp
safeline-detector   /detector/entrypoint.sh          Up (healthy)   8000/tcp
safeline-fvm        ./fvm /app/config.yml            Up
safeline-luigi      /bin/luigi /app/luigi            Up             80/tcp
safeline-mario      /mario/entrypoint.sh             Up (healthy)
safeline-mgt        /docker-entrypoint.sh /bin ...   Up (healthy)   0.0.0.0:9443->1443/tcp,:::9443->1443/tcp, 80/tcp
safeline-pg         docker-entrypoint.sh postg ...   Up (healthy)   5432/tcp
safeline-tengine    entrypoint.sh nginx -g dae ...   Up
```

The administrator account has to be initialized before the first login to SafeLine. Run the following command:

```shell
docker exec safeline-mgt resetadmin
```

The command resets the admin account to a randomly generated password and prints it:

```shell
[SafeLine] Initial username: admin
[SafeLine] Initial password: *********
[SafeLine] Done
```

That completes the basic installation. The only network change needed is to allow access to port 9443 through the cloud security group / ACL; since this is the admin console, restrict that rule to your own IP rather than opening it to 0.0.0.0/0.

Open a browser and visit https://<server-address>:9443/ to reach the SafeLine console.
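As an added example (not a script shipped by the SafeLine project), the steps above can be wrapped in one shell script. It assumes the offline images were saved with `docker save` into `$SAFELINE_DIR/images/*.tar` (a layout chosen for this example), that the compose file references images as `${IMAGE_PREFIX}/<name>:<tag>` (which is what the .env variables above are for; verify with `grep image: docker-compose.yaml`), and that the mirror prefix is the Huawei Cloud one seen in the `docker images` listing. It generates the database password instead of hand-typing it and keeps the .env file owner-readable only.

```shell
#!/usr/bin/env bash
# Added example, not part of the SafeLine project: scripts the manual steps
# above (load offline images, retag them to the prefix the compose file
# expects, write .env with a random database password, start the stack,
# reset the admin account). Run as:  bash install-safeline.sh install
set -eu

SAFELINE_DIR=${SAFELINE_DIR:-/opt/safeline}
IMAGE_TAG=${IMAGE_TAG:-latest}
MGT_PORT=${MGT_PORT:-9443}
SUBNET_PREFIX=${SUBNET_PREFIX:-172.22.222}
IMAGE_PREFIX=${IMAGE_PREFIX:-chaitin}
# Registry prefix the offline images were pulled from (the Huawei Cloud mirror
# seen in the `docker images` listing above).
MIRROR_PREFIX=${MIRROR_PREFIX:-swr.cn-east-3.myhuaweicloud.com/chaitin-safeline}
COMPOSE_URL=https://waf-ce.chaitin.cn/release/latest/compose.yaml

# 24 random alphanumeric characters for POSTGRES_PASSWORD, instead of the
# hand-typed value shown in the .env above.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
  echo
}

# Write .env into directory $1 with database password $2. The file holds a
# secret, so it is made readable by the owner only.
write_env() {
  dir=$1
  password=$2
  cat >"$dir/.env" <<EOF
SAFELINE_DIR=$dir
IMAGE_TAG=$IMAGE_TAG
MGT_PORT=$MGT_PORT
POSTGRES_PASSWORD=$password
SUBNET_PREFIX=$SUBNET_PREFIX
IMAGE_PREFIX=$IMAGE_PREFIX
EOF
  chmod 600 "$dir/.env"
}

# Print "name tag" for every image referenced in compose file $1, with
# ${IMAGE_PREFIX} and ${IMAGE_TAG} expanded. Assumes (see lead-in) that the
# compose file names images as ${IMAGE_PREFIX}/<name>:<tag>.
compose_images() {
  sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" |
    tr -d '"' |
    sed -e "s|[\$]{IMAGE_PREFIX}|$IMAGE_PREFIX|g" \
        -e "s|[\$]{IMAGE_TAG}|$IMAGE_TAG|g" \
        -e 's|^.*/||' -e 's|:| |'
}

# Emit one `docker tag` command per image, renaming the mirror copy to the
# name the compose file expects (the listing above shows safeline-postgres
# carrying both names). Pipe the output into sh to apply it.
retag_cmds() {
  compose_images "$1" | while read -r name tag; do
    printf 'docker tag %s/%s:%s %s/%s:%s\n' \
      "$MIRROR_PREFIX" "$name" "$tag" "$IMAGE_PREFIX" "$name" "$tag"
  done
}

# End-to-end install. Assumes the offline images were saved with `docker save`
# into $SAFELINE_DIR/images/*.tar (a layout chosen for this example).
install_safeline() {
  mkdir -p "$SAFELINE_DIR"
  cd "$SAFELINE_DIR"
  [ -f docker-compose.yaml ] || wget -q "$COMPOSE_URL" -O docker-compose.yaml
  for tarball in "$SAFELINE_DIR"/images/*.tar; do
    docker load -i "$tarball"
  done
  retag_cmds docker-compose.yaml | sh
  write_env "$SAFELINE_DIR" "$(gen_password)"
  docker-compose up -d
  docker exec safeline-mgt resetadmin
}

if [ "${1:-}" = "install" ]; then
  install_safeline
fi
```

Without the `install` argument the script only defines its functions, so `retag_cmds docker-compose.yaml` can be run on its own first to review the tag commands before anything touches the Docker daemon.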

3. Website configuration

SSL certificate configuration:

Both uploading your own certificate and requesting a free one are supported.

[Screenshot: Add certificate]

Add site:

When adding a site, human verification, identity authentication and dynamic protection are enabled by default. One thing to watch: the upstream (origin) server settings are vague, for instance how the origin port and the origin protocol (HTTP or HTTPS) are configured.

[Screenshot: Add site]

Proxy configuration:

[Screenshot: Proxy configuration]

Security protection settings:

This is where the frequency limit (similar to nginx's limit directives), custom rules (policies built on HTTP header information) and semantic analysis (injection detection) are configured.

Rate limiting: the underlying logic is essentially that of nginx's limit_req, limit_conn and limit_rate directives.

[Screenshot: Frequency limit]

Custom rules: policies written against HTTP header information, similar to the access control offered by the common CDNs but more flexible.

[Screenshot: Custom rule 1]

[Screenshot: Custom rule 2]
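Both the frequency limit and the header-based custom rules need numbers from your own traffic: what request rate legitimate browsers actually stay under, and which User-Agents the night-time junk is carrying. As an added example (not part of SafeLine or its documentation), this script mines a Tengine/nginx access log in the standard "combined" format for exactly those two inputs. The log lines embedded in it are constructed (RFC 5737 documentation addresses), and the bot pattern list at the bottom is only an illustration to replace with your own.

```shell
#!/usr/bin/env bash
# Added example, not from the SafeLine project: mine a Tengine/nginx access
# log for the two inputs the frequency-limit and custom-rule screens ask for,
# namely which clients burst above a per-minute request rate and which bot
# User-Agents are hitting the site. Run against a real log with:
#   LOG=/var/log/nginx/access.log bash waf-log-mining.sh report
set -eu

# Constructed sample lines in nginx "combined" log format (not real traffic;
# RFC 5737 documentation addresses). Used when $LOG is not set.
SAMPLE_LOG='203.0.113.7 - - [12/Jun/2024:03:14:01 +0800] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/Jun/2024:03:14:02 +0800] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/Jun/2024:03:14:02 +0800] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/Jun/2024:03:14:03 +0800] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.23 - - [12/Jun/2024:03:15:10 +0800] "GET /posts/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; GPTBot/1.0)"
198.51.100.23 - - [12/Jun/2024:03:15:11 +0800] "GET /posts/2 HTTP/1.1" 200 5130 "-" "Mozilla/5.0 (compatible; GPTBot/1.0)"
192.0.2.9 - - [12/Jun/2024:03:16:00 +0800] "GET / HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
192.0.2.9 - - [12/Jun/2024:03:16:30 +0800] "GET /about HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"'

# Feed the log: the file named by $LOG if set, otherwise the sample above.
log_lines() {
  if [ -n "${LOG:-}" ]; then cat "$LOG"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Print "count ip minute" for each client/minute bucket with more than $1
# requests, busiest first. Compare the counts against the threshold you plan
# to enter in the frequency-limit rule; real browsers should stay under it.
rate_offenders() {
  log_lines | awk -v t="$1" '
    {
      # $4 is "[12/Jun/2024:03:14:01"; drop the bracket and the seconds
      minute = substr($4, 2, length($4) - 4)
      n[$1 " " minute]++
    }
    END { for (k in n) if (n[k] > t) print n[k], k }' | sort -rn
}

# Print "count user-agent" for every User-Agent matching extended regex $1,
# busiest first. In combined format the User-Agent is the sixth
# double-quote-delimited field.
bot_hits() {
  log_lines | awk -F'"' '{ n[$6]++ } END { for (ua in n) print n[ua], ua }' |
    grep -E -- "$1" | sort -rn
}

if [ "${1:-}" = "report" ]; then
  echo "== clients above 3 requests/minute =="
  rate_offenders 3
  echo "== scanner / LLM crawler User-Agents (illustrative pattern list) =="
  bot_hits 'GPTBot|ClaudeBot|Bytespider|zgrab|masscan|nmap|python-requests'
fi
```

On the sample data the scanner at 203.0.113.7 is the only client above 3 requests per minute, while the GPTBot crawler stays under the rate threshold and is only caught by the User-Agent pattern; that split is the reason to configure both a frequency limit and a header rule rather than relying on one of them.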

Semantic analysis: identifies the various injection attacks, bot traffic and so on.

[Screenshot: Semantic analysis]

4. Summary

After two days of testing, SafeLine basically meets the needs of my small site, but there are also quite a few things it cannot do.

For example, the free certificate request does not support wildcard domains, and the protocol used to reach the upstream server is ambiguous.

Finally, a screenshot of the result.

[Screenshot: SafeLine console home page]

Reference: https://docs.waf-ce.chaitin.cn/zh/home