Apache APISIX is a dynamic, real-time, high-performance cloud-native API gateway that offers a wide range of traffic management features such as load balancing, dynamic upstream, canary release, service circuit breaking, authentication, and observability.
SafeLine, developed by Chaitin Tech, is a WAF system that provides secure HTTP request handling and comprehensive API management and protection capabilities.
Starting from version 3.5.0, APISIX has an integrated Chaitin SafeLine WAF plugin. When the chaitin-waf plugin is enabled, traffic will be forwarded to the Chaitin SafeLine WAF service for detection and prevention of various web application attacks, ensuring the security of applications and user data.
Open-source repository
APISIX:https://github.com/apache/apisix
Usage
Preparation
The detection engine of the community version of SafeLine provides services by default via Unix socket. We need to modify it to use TCP, so it can be called by the t1k plugin.
- Usage Instructions
1.Navigate to the configuration directory of the SafeLine detection engine:
cd /data/safeline/resources/detector/
2.Open the detector.yml
file in a text editor. Modify the bind
configuration from Unix socket to TCP by adding the following settings:
bind_addr: 0.0.0.0
listen_port: 8000
These configuration values will override the default settings in the container, making the SafeLine engine listen on port 8000.
3.Next, map the container’s port 8000 to the host machine. First, navigate to the SafeLine installation directory:
cd /data/safeline/
4.Open the compose.yaml
file in a text editor and add the ports
field to the detector
container to expose port 8000:
...
detect:
...
ports:
- 8000:8000
...
5.Save the changes and restart SafeLine with the following commands:
docker compose down
docker compose up -d
This will apply the changes and activate the new configuration.
- Modify SafeLine's Default Port
SafeLine and APISIX both default to listening on port 9443. If installed on the same machine, you will need to change SafeLine's default port.
- Navigate to SafeLine's installation directory.
- Locate the hidden file named
.env
. - Open the
.env
file in a text editor and modify theMGT_PORT
field to a different port number. - After making the change, restart SafeLine using the method described previously:
docker compose down
docker compose up -d
This will apply the new port configuration.
- Install APISIX
Note: Use APISIX version 3.5.0 or higher.
This guide demonstrates using the Docker version of APISIX. Follow these steps to install it:
git clone <https://github.com/apache/apisix-docker>
cd apisix-docker/compose
echo 'APISIX_DOCKER_TAG=3.5.0-debian' >> .env
docker compose -f docker-compose-release.yaml up -d
Business API: http://127.0.0.1:9080/
Admin API: http://127.0.0.1:9180/
- Bind SafeLine with APISIX
1.Set SafeLine Detection Engine Address
Use the APISIX API to set the address of the SafeLine detection engine for APISIX to call. Replace 192.168.99.11
with your SafeLine IP address:
curl <http://127.0.0.1:9180/apisix/admin/plugin_metadata/chaitin-waf> -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"nodes":[
{
"host": "192.168.99.11",
"port": 8000
}
]
}'
2.Set Up a Route
Use the APISIX API to set up a route. Replace 192.168.99.12:80
with your upstream server address. APISIX will reverse proxy requests to this address:
curl <http://127.0.0.1:9180/apisix/admin/routes/1> -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/*",
"plugins": {
"chaitin-waf": {}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"192.168.99.12:80": 1
}
}
}'
These requests will configure APISIX to use SafeLine for web application firewall protection and set up routing to your upstream server.
- Test the Protection Effectiveness
After completing the above steps, your SafeLine and APISIX configuration should be set up. You can now test the protection:
1. Verify Proxy Functionality
Check if APISIX is successfully proxying requests to your upstream server by running:
curl '<http://127.0.0.1:9080/>'
2. Simulate an SQL Injection Attack
Add a parameter to the request to simulate an SQL injection attack:
curl http://127.0.0.1:9080/ -d 'a=1 and 1=1'
This should return an HTTP 403 error. The error message will indicate that SafeLine successfully blocked the attack:
{
"code": 403,
"success": false,
"message": "blocked by Chaitin SafeLine Web Application Firewall",
"event_id": "18e0f220f7a94127acb21ad3c1b4ac47"
}
3. Check SafeLine's Console
Open the SafeLine console to review the complete attack information.
This process confirms that SafeLine is effectively protecting your application from SQL injection attacks and other threats.
- Configure WAF Site Interception
Since you changed the detection engine’s listening mode, the SafeLine sites configured via the console may not intercept malicious requests correctly. You need to update the NGINX configuration to use HTTP for the detection engine.
1.Create a copy of the NGINX configuration file:
cp /data/safeline/resources/nginx/safeline_unix.conf /data/safeline/resources/nginx/safeline_http.conf
2.Edit the nginx.conf
file. Comment out the line that includes the Unix socket configuration and add the new line for HTTP:
# nginx.conf
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/generated;
# include /etc/nginx/safeline_unix.conf;
include /etc/nginx/safeline_http.conf;
3.Use docker inspect
to get the IP address of the detector container:
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' safeline-detector
4.Edit the safeline_http.conf
file and modify the upstream configuration to use HTTP:
# safeline_http.conf
upstream detector_server {
keepalive 256;
# server unix:/resources/detector/snserver.sock;
server detector_ip:8000; # Replace with the IP address obtained from the previous step
}
By following these steps, you will ensure that the SafeLine WAF can intercept malicious requests correctly through NGINX while using HTTP for the detection engine.
Troubleshooting
APISIX official documentation address
SafeLine official website
If you encounter any issues during use, you can contact us through GitHub or Discord.