Mastering Web Security: How to Set Up and Test SafeLine with APISIX

Lulu - Jul 30 - - Dev Community

Apache APISIX is a dynamic, real-time, high-performance cloud-native API gateway that offers a wide range of traffic management features such as load balancing, dynamic upstream, canary release, service circuit breaking, authentication, and observability.

SafeLine, developed by Chaitin Tech, is a WAF system that provides secure HTTP request handling and comprehensive API management and protection capabilities.

Starting from version 3.5.0, APISIX has an integrated Chaitin SafeLine WAF plugin. When the chaitin-waf plugin is enabled, traffic will be forwarded to the Chaitin SafeLine WAF service for detection and prevention of various web application attacks, ensuring the security of applications and user data.

Open-source repository

APISIX:https://github.com/apache/apisix

Usage

Preparation
The detection engine of the community version of SafeLine provides services by default via Unix socket. We need to modify it to use TCP, so it can be called by the t1k plugin.

  • Usage Instructions

1.Navigate to the configuration directory of the SafeLine detection engine:

cd /data/safeline/resources/detector/
Enter fullscreen mode Exit fullscreen mode

2.Open the detector.yml file in a text editor. Modify the bind configuration from Unix socket to TCP by adding the following settings:

bind_addr: 0.0.0.0
listen_port: 8000
Enter fullscreen mode Exit fullscreen mode

These configuration values will override the default settings in the container, making the SafeLine engine listen on port 8000.

3.Next, map the container’s port 8000 to the host machine. First, navigate to the SafeLine installation directory:

cd /data/safeline/
Enter fullscreen mode Exit fullscreen mode

4.Open the compose.yaml file in a text editor and add the ports field to the detector container to expose port 8000:

...

detect:
    ...
    ports:
    - 8000:8000

...
Enter fullscreen mode Exit fullscreen mode

5.Save the changes and restart SafeLine with the following commands:

   docker compose down
   docker compose up -d
Enter fullscreen mode Exit fullscreen mode

This will apply the changes and activate the new configuration.

  • Modify SafeLine's Default Port

SafeLine and APISIX both default to listening on port 9443. If installed on the same machine, you will need to change SafeLine's default port.

  1. Navigate to SafeLine's installation directory.
  2. Locate the hidden file named .env.
  3. Open the .env file in a text editor and modify the MGT_PORT field to a different port number.
  4. After making the change, restart SafeLine using the method described previously:
   docker compose down
   docker compose up -d
Enter fullscreen mode Exit fullscreen mode

This will apply the new port configuration.

  • Install APISIX

Note: Use APISIX version 3.5.0 or higher.

This guide demonstrates using the Docker version of APISIX. Follow these steps to install it:

git clone <https://github.com/apache/apisix-docker>
cd apisix-docker/compose
echo 'APISIX_DOCKER_TAG=3.5.0-debian' >> .env
docker compose -f docker-compose-release.yaml up -d
Enter fullscreen mode Exit fullscreen mode

Business API: http://127.0.0.1:9080/

Admin API: http://127.0.0.1:9180/

  • Bind SafeLine with APISIX

1.Set SafeLine Detection Engine Address
Use the APISIX API to set the address of the SafeLine detection engine for APISIX to call. Replace 192.168.99.11 with your SafeLine IP address:

curl <http://127.0.0.1:9180/apisix/admin/plugin_metadata/chaitin-waf> -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
  "nodes":[
     {
       "host": "192.168.99.11",
       "port": 8000
     }
  ]
}'
Enter fullscreen mode Exit fullscreen mode

2.Set Up a Route
Use the APISIX API to set up a route. Replace 192.168.99.12:80 with your upstream server address. APISIX will reverse proxy requests to this address:

curl <http://127.0.0.1:9180/apisix/admin/routes/1> -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
   "uri": "/*",
   "plugins": {
       "chaitin-waf": {}
    },
   "upstream": {
       "type": "roundrobin",
       "nodes": {
           "192.168.99.12:80": 1
       }
   }
}'
Enter fullscreen mode Exit fullscreen mode

These requests will configure APISIX to use SafeLine for web application firewall protection and set up routing to your upstream server.

  • Test the Protection Effectiveness

After completing the above steps, your SafeLine and APISIX configuration should be set up. You can now test the protection:

1. Verify Proxy Functionality

Check if APISIX is successfully proxying requests to your upstream server by running:

curl '<http://127.0.0.1:9080/>'
Enter fullscreen mode Exit fullscreen mode

2. Simulate an SQL Injection Attack
Add a parameter to the request to simulate an SQL injection attack:

curl http://127.0.0.1:9080/ -d 'a=1 and 1=1'
Enter fullscreen mode Exit fullscreen mode

This should return an HTTP 403 error. The error message will indicate that SafeLine successfully blocked the attack:

{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "18e0f220f7a94127acb21ad3c1b4ac47"
}
Enter fullscreen mode Exit fullscreen mode

3. Check SafeLine's Console
Open the SafeLine console to review the complete attack information.
This process confirms that SafeLine is effectively protecting your application from SQL injection attacks and other threats.

  • Configure WAF Site Interception

Since you changed the detection engine’s listening mode, the SafeLine sites configured via the console may not intercept malicious requests correctly. You need to update the NGINX configuration to use HTTP for the detection engine.

1.Create a copy of the NGINX configuration file:

cp /data/safeline/resources/nginx/safeline_unix.conf /data/safeline/resources/nginx/safeline_http.conf
Enter fullscreen mode Exit fullscreen mode

2.Edit the nginx.conf file. Comment out the line that includes the Unix socket configuration and add the new line for HTTP:

# nginx.conf
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/generated;
# include /etc/nginx/safeline_unix.conf;
include /etc/nginx/safeline_http.conf;
Enter fullscreen mode Exit fullscreen mode

3.Use docker inspect to get the IP address of the detector container:

docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' safeline-detector
Enter fullscreen mode Exit fullscreen mode

4.Edit the safeline_http.conf file and modify the upstream configuration to use HTTP:

# safeline_http.conf
upstream detector_server {
  keepalive 256;
  # server unix:/resources/detector/snserver.sock;
  server detector_ip:8000; # Replace with the IP address obtained from the previous step
}
Enter fullscreen mode Exit fullscreen mode

By following these steps, you will ensure that the SafeLine WAF can intercept malicious requests correctly through NGINX while using HTTP for the detection engine.

Troubleshooting
APISIX official documentation address
SafeLine official website
If you encounter any issues during use, you can contact us through GitHub or Discord.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .