This content originally appeared on DEV Community and was authored by Sharon
Introduction
In my last post, I introduced SafeLine WAF and why I picked it over Cloudflare and ModSecurity. In this guide, I’ll walk you through how I actually run it in production — including config tips, real-world testing, and how I keep it updated.
Configuring Your First Protected Service
Through the web UI (https://your-ip:9443), I added my blog as the first protected app:
- Website Name: Personal Blog
- Domain: blog.mydomain.com
- Upstream: 192.168.1.100:3000
- Mode: Balanced
- SSL: Let’s Encrypt auto
SafeLine offers 3 protection modes:
- Monitor → logs attacks only (great for testing)
- Balanced → best mix of protection & low false positives
- Strict → maximum security, but more chance of blocking legit requests
SSL/TLS
No more SSL headaches. SafeLine terminates SSL itself:
- Auto handles Let’s Encrypt
- Supports custom certs
- Works with wildcard domains
Advanced Configs That Helped Me
- Protecting multiple apps: blog, API, Jellyfin
- Rate limiting to stop bots
- Custom rules (e.g., block sqlmap/nmap user agents)
- Whitelisting my admin IPs so I don’t lock myself out
Testing SafeLine’s Protection
I ran some basic attack payloads:
# SQL injection
curl "http://blog.mydomain.com/?id=1' OR '1'='1"
# XSS
curl "http://blog.mydomain.com/?q=<script>alert('xss')</script>"
# Path traversal
curl "http://blog.mydomain.com/../../etc/passwd"
✅ All were blocked instantly
✅ Legit traffic went through fine
Monitoring & Logs
- Real-time attack dashboard
- Geo maps of where traffic comes from
- Export logs for deeper analysis
For CLI folks:
# Detector logs
docker compose logs -f safeline-detector
# Web proxy logs
docker compose logs -f safeline-tengine
Updating & Backups
# Update SafeLine
cd /data/safeline
docker compose pull
docker compose up -d
# Backup configs
cp -r /data/safeline /backup/safeline-$(date +%Y%m%d)
Why It’s Worth It
SafeLine gives me:
- Enterprise-grade protection for free
- No vendor lock-in
- Full control of my data
- Coverage for 10 apps in my homelab
If I had to rely on commercial WAFs, I’d easily be spending \$50+/month for worse protection.
Conclusion
Running SafeLine has been one of the easiest wins in my homelab. It’s lightweight, powerful, and keeps my web apps locked down without breaking stuff.
If you run any self-hosted apps, give it a shot — it’s honestly one of the best security tools you can add.
Join the SafeLine Community
If you continue to experience issues, feel free to contact SafeLine support for further assistance.
This content originally appeared on DEV Community and was authored by Sharon
Sharon | Sciencx (2025-08-19T06:32:26+00:00) SafeLine WAF Setup Guide — Protecting Your Homelab Apps Like a Pro. Retrieved from https://www.scien.cx/2025/08/19/safeline-waf-setup-guide-protecting-your-homelab-apps-like-a-pro/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.