Preparation Steps:
Modify SafeLine Service
1.Follow the SafeLine documentation for installation
2.The community version of SafeLine’s detection engine provides services via Unix socket by default. We need to change this to TCP mode.
Navigate to the SafeLine detector engine configuration directory:
Open the detector.yml file with a text editor. We need to change the bind method from unix socket to tcp:
listen_port: 8000
3.The properties in the detector config will override the default properties in the container. This way, we have the SafeLine engine listening on port 8000.
We just need to map the container’s port 8000 to the host. First, go to the SafeLine installation directory:
Next, open the compose.yaml file in the directory with a text editor. Add the ports field to the detector container to expose port 8000. Like this:
detect:
……
ports:
– 8000:8000
……
Alright, restart SafeLine by running the following commands:
docker compose up -d
Prepare SafeLine Configuration
1.Use a ConfigMap to configure the SafeLine plugin with the necessary detection engine host and port:
apiVersion: v1
kind: ConfigMap
metadata:
name: safeline
namespace: ingress-nginx
data:
host: “detector_host” # Address of the SafeLine detection engine
port: “8000”
EOF
2.Create the SafeLine ConfigMap:
kubectl apply -f safeline.yaml
Install Helm
Follow the instructions on the Helm documentation.
Install Ingress-nginx
1.Install Ingress-nginx using Helm
Use the following ingress-nginx-values.yaml file to replace the image and configure the plugin:
controller:
hostNetwork: true
kind: DaemonSet
image:
registry: registry.cn-shanghai.aliyuncs.com
image: kubesec/chaitin-ingress-nginx-controller
tag: v1.10.1
digest: “”
extraEnvs:
– name: SAFELINE_HOST
valueFrom:
configMapKeyRef:
name: safeline
key: host
– name: SAFELINE_PORT
valueFrom:
configMapKeyRef:
name: safeline
key: port
service:
externalTrafficPolicy: Local # Allows getting the real client IP
config:
plugins: safeline
admissionWebhooks:
patch:
image:
registry: registry.cn-shanghai.aliyuncs.com
image: kubesec/chaitin-ingress-nginx-kube-webhook-certgen
tag: v1.4.1
digest: “”
EOF
Run the Installation Command
2.Test SafeLine Plugin
Deploy the nginx service using the following safeline-test.yaml file:
apiVersion: v1
kind: Namespace
metadata:
name: safeline-test
—
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: safeline-test
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
– name: nginx
image: registry.cn-shanghai.aliyuncs.com/kubesec/nginx:1.14.2
ports:
– containerPort: 80
—
apiVersion: v1
kind: Service
metadata:
name: nginx
namespace: safeline-test
spec:
selector:
app: nginx
type: NodePort
ports:
– name: http
protocol: TCP
nodePort: 30080
port: 80
targetPort: 80
—
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx
namespace: safeline-test
spec:
ingressClassName: nginx
rules:
– host: www.safeline-test.org
http:
paths:
– backend:
service:
name: nginx
port:
number: 80
path: /
pathType: ImplementationSpecific
Run the Deployment Command
To test if the SafeLine plugin is working, construct a malicious request. (Set up local DNS resolution, then run)
You should see a 403 Forbidden response, indicating that the SafeLine plugin is active.
“code”: 403,
“success”: false,
“message”: “blocked by Chaitin SafeLine Web Application Firewall”,
“event_id”: “009efd8d2bf44a07b5cb7ed4cf18fb84”
}
In the SafeLine console, you can view the detailed attack information recorded by SafeLine.
Automate Testing of Protection Results
Use the blazehttp automation tool for batch testing:
docker run –rm –net=host registry.cn-shanghai.aliyuncs.com/kubesec/chaitin-blazehttp:v0.2.0 /app/blazehttp -t http://www.safeline-test.org/
The following output will be seen:
Total samples: 33677 Success: 33677 Errors: 0
Detection rate: 83.87% (Total malicious samples: 558, Correctly blocked: 468, Missed: 90)
False positive rate: 0.07% (Total benign samples: 33119, Correctly allowed: 33096, False positives: 23)
Accuracy: 99.66% (Correctly blocked + Correctly allowed) / Total samples
Average response time: 8.47 ms
Check the SafeLine console for detailed attack events.
Website: https://waf.chaitin.com
GitHub: https://github.com/chaitin/SafeLine