How to Deploy SafeLine WAF on a Hestia Control Panel VPS


This content originally appeared on DEV Community and was authored by Maxim Cravtov

SafeLine is a powerful, self-hosted Web Application Firewall (WAF) that operates independently of specific control panels like Hestia Control Panel. This guide walks you through deploying SafeLine on a VPS that already runs Hestia Control Panel.

⚠️ Disclaimer: SafeLine is not a native plugin for Hestia Control Panel. It must be deployed independently and configured to proxy traffic to your Hestia Control Panel-hosted sites. This guide assumes you are familiar with Linux server administration and Docker.

Prerequisites

A VPS
Hestia Control Panel already installed on the VPS and functional.
Root or sudo access to the VPS.
CPU with SSSE3 instruction support (required by SafeLine).
Public IP address or proper DNS pointing to the VPS.
Docker and Docker Compose installed.

Step-by-Step Deployment

  1. Install Hestia Control Panel

We will use Ubuntu 24.04. To generate installation instructions you can visit the official page (Official Web Site), but I will use the following commands:

wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh
bash hst-install.sh --multiphp '7.4,8.0,8.1,8.2,8.3,8.4' --named no --fail2ban no

(In my case I don't need a DNS server or the fail2ban service running, and I would like to have different versions of PHP, 7.4-8.3.)

During the install you will be asked a few questions, such as:

  • Please enter administrator username: (valid username)
  • Please enter administrator password: (valid password)
  • Please enter admin email address: (valid email where you will get CP notifications)
  • Please enter FQDN hostname (the hostname of your server)

Installation will take up to 10-15 minutes; at the end the VM will be rebooted.

After the reboot, log in to your server via SSH. A few settings need to be edited before installing SafeLine WAF.

Open the nginx folder /etc/nginx/conf.d/. Here you will see a config file called ip_of_your_server.conf. Open it, change ports 80 and 443 to 7080 and 7443, then restart nginx:

service nginx restart

Finally, open /usr/local/hestia/conf/hestia.conf and change

PROXY_PORT='80'
PROXY_SSL_PORT='443'

to

PROXY_PORT='7080'
PROXY_SSL_PORT='7443'

These changes free ports 80 and 443 and allow you to install an unlimited number of applications under Hestia Control Panel, ready to be added to SafeLine WAF.
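
A check for the two edits above, as an added example that is not part of the original guide: it confirms that no nginx listen directive still binds 80 or 443 and that hestia.conf carries the new proxy ports. The sample files written by make_sample (address 203.0.113.10 included) are constructed for illustration, and both function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that Hestia's nginx really left ports 80/443.
# Paths follow the guide; the sample file contents below are constructed.

# check_port_move NGINX_CONF_DIR HESTIA_CONF -> 0 only if the move is complete
check_port_move() {
    conf_dir=$1; hestia_conf=$2; rc=0
    # A listen directive whose port is exactly 80 or 443, with or without an
    # address prefix ("listen 80;", "listen 203.0.113.10:443 ssl;", "[::]:80").
    pat='^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?(80|443)([[:space:]][^;]*)?;'
    # /dev/null as an extra file makes grep print the file name of each hit.
    if grep -En "$pat" "$conf_dir"/*.conf /dev/null >&2; then
        echo "FAIL: nginx still binds 80/443 (see lines above)" >&2
        rc=1
    fi
    for want in "PROXY_PORT='7080'" "PROXY_SSL_PORT='7443'"; do
        if ! grep -qxF "$want" "$hestia_conf"; then
            echo "FAIL: $hestia_conf lacks $want" >&2
            rc=1
        fi
    done
    return $rc
}

# make_sample DIR HTTP_PORT HTTPS_PORT: write constructed config files for a dry run
make_sample() {
    mkdir -p "$1/conf.d"
    cat > "$1/conf.d/203.0.113.10.conf" <<EOF
server {
    listen 203.0.113.10:$2 default_server;
    server_name _;
}
server {
    listen 203.0.113.10:$3 default_server ssl;
    server_name _;
}
EOF
    printf "PROXY_PORT='%s'\nPROXY_SSL_PORT='%s'\n" "$2" "$3" > "$1/hestia.conf"
}

# On the real server:
#   check_port_move /etc/nginx/conf.d /usr/local/hestia/conf/hestia.conf
```

The check covers configuration only: nginx still listens on the server's address on 7080/7443, so the host firewall decides whether those ports can be reached without passing through SafeLine.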

Now we are ready to install SafeLine WAF

  1. Install Docker on your system

Add Docker's official GPG key:

sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

Add the repository to Apt sources:

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Then start Docker:

service docker start

Now let's install SafeLine:

mkdir -p "/data/safeline"
cd "/data/safeline"
touch ".env"

Write the following content in the ".env" file

SAFELINE_DIR=/data/safeline
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD={postgres-password}
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
ARCH_SUFFIX=
RELEASE=lts
REGION=-g

More detailed Guide - Official Web Site
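
One way to create this file without leaving the {postgres-password} placeholder in place, as an added example that is not part of the original guide: it generates a random password, writes the keys listed above, and creates the file readable by its owner only. The function name write_safeline_env is hypothetical.

```shell
#!/bin/sh
# Added example: create SafeLine's .env with a random database password.
# Keys and values are the ones listed in the guide; only POSTGRES_PASSWORD
# is generated here.

# write_safeline_env DIR -> 0 on success, 1 if DIR/.env exists or generation fails
write_safeline_env() {
    dir=$1
    env_file="$dir/.env"
    # Never overwrite: a database that is already initialised keeps the
    # password it was created with, so a new value here would not match it.
    if [ -e "$env_file" ]; then
        echo "refusing to overwrite $env_file" >&2
        return 1
    fi
    # 16 random bytes as 32 hex characters (nothing that needs quoting)
    pw=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ "${#pw}" -eq 32 ] || { echo "password generation failed" >&2; return 1; }
    mkdir -p "$dir"
    (
        umask 077   # the file is created with mode 600
        cat > "$env_file" <<EOF
SAFELINE_DIR=$dir
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=$pw
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
ARCH_SUFFIX=
RELEASE=lts
REGION=-g
EOF
    )
}

# On the real server (the guide's directory):
#   write_safeline_env /data/safeline
```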

Now open the SafeLine web UI at https://serverIP:9443
You will see a Software License agreement; just click AGREE, START USING.

To get the login credentials, execute the following command from the server shell:

docker exec safeline-mgt resetadmin

You will get output like this:

[INFO] Initial username:admin
[INFO] Initial password:YourPassword
[INFO] Done

Open the Application section and click Add Application.

In the Domain section, enter your domain name.
Under SSL Cert, press Add New cert (a new tab will open).

Press ADD CERT and upload your existing SSL cert, or request a free one by selecting get free cert.

After adding your cert, go back to the previous screen with the application. Under the SSL cert section select the cert you added, and under upstream add http://$server_IP:7080

Now open your domain in a browser and check how it works.

You can also test that the WAF is working by sending a few test requests, for example:

Code Injection: https://$domain/?id=phpinfo();system('id') 
SQL Injection: https://$domain/?id=1+and+1=2+union+select+1

For these requests you will get an Access Forbidden page.

These attack tests will also be logged in the SafeLine dashboard under the Attack section.

Under the main Statistic section you can also track all activity stats in real time.

That's all.

Considerations

  • SSL: SafeLine supports automatic HTTPS with Let’s Encrypt or uploading your own certificates.
  • Rate Limiting, Bot Management, and Rules: All configurable in the SafeLine panel per application.
  • Multiple Sites: You can create multiple “Applications” in SafeLine for each Hestia Control Panel-hosted website.

Known Limitations

Resource usage: Running both SafeLine and Hestia Control Panel on the same VPS requires sufficient CPU and memory.

Final Tips

Backup your server before introducing new reverse proxy rules.
You can test SafeLine with one non-critical domain before deploying site-wide.
Monitor application logs via SafeLine UI to ensure normal access and protection are in place.

Documentation & Support

SafeLine Website: https://ly.safepoint.cloud/ShZAy9x
Official Docs: https://docs.waf.chaitin.com/en/home
SafeLine Demo: https://demo.waf.chaitin.com:9443
Community Discord: https://discord.gg/dy3JT7dkmY

SafeLine is an excellent option for homelab users and developers who prefer full control and visibility over web application protection. While not tailor-made for Hestia Control Panel, it can be effectively deployed on the same VPS with careful configuration.


Maxim Cravtov | Sciencx (2025-08-22T06:38:31+00:00) How to Deploy SafeLine WAF on a Hestia Control Panel VPS. Retrieved from https://www.scien.cx/2025/08/22/how-to-deploy-safeline-waf-on-a-hestia-control-panel-vps-2/
