SafeLine WAF Optimization Tips: A Practical Guide for System Operators
Lulu
Posted on August 20, 2024
After installing the SafeLine WAF, some users may want to tweak a few settings but aren’t sure where to start. Here’s a guide based on my own experience.
Before making any changes to SafeLine configuration files, remember to back up the original content. Also, be aware that updates to SafeLine might overwrite your changes, so be sure to reapply them after an upgrade!
Adjusting HSTS Header (Standard Duration, Preload, etc.)
First, uncheck the "Force HTTPS" option.
Then, add the following lines to /data/safeline/resources/nginx/proxy_params:
# $is_https comes from the map block added to nginx.conf in the next step
if ($is_https = https) {
    # Only send HSTS on the HTTPS side; browsers ignore it over plain HTTP
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
}
if ($is_https = http) {
    # Permanent (301) redirect of every plain-HTTP request to the same URL over HTTPS
    rewrite ^ https://$host$request_uri permanent;
}
Next, add the following to the end of /data/safeline/resources/nginx/nginx.conf, just above the include statement:
# Derive $is_https from the request scheme: "http" for plain requests, "https" otherwise
map $scheme $is_https {
    default https;
    http http;
}
Finally, reload Nginx via SSH:
docker exec safeline-tengine nginx -s reload
This method has been tested and verified on my site.
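To confirm the redirect and the HSTS header after the reload, here is an added offline checker (not from the original post or from the SafeLine project) that parses the raw headers that curl -si prints for the http:// and https:// URLs of a site; the two sample responses and the host example.com are constructed, and the one-year minimum max-age is the HSTS preload list requirement.

```python
import re
# Minimum max-age the HSTS preload list requires (one year, in seconds).
PRELOAD_MIN_MAX_AGE = 31536000

def parse_headers(raw):
    """Split raw HTTP response text into (status_code, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def check_hsts(value):
    """Problems with a Strict-Transport-Security value versus the preload rules (empty = pass)."""
    # Directive names are case-insensitive, so the config's 'includeSubdomains' spelling is fine.
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    problems, max_age = [], None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        problems.append("missing max-age")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} below preload minimum {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        problems.append("missing includeSubDomains")
    if "preload" not in directives:
        problems.append("missing preload")
    return problems

def check_redirect(raw_http_response, host, path="/"):
    """Plain HTTP must answer 301 to https://host/path, as 'rewrite ... permanent' does."""
    status, headers = parse_headers(raw_http_response)
    if status != 301:
        return f"expected 301, got {status}"
    location = headers.get("location", "")
    return None if location == f"https://{host}{path}" else f"unexpected Location: {location!r}"

def check_https(raw_https_response):
    """HTTPS must carry a preload-grade HSTS header; returns a list of problems."""
    _, headers = parse_headers(raw_https_response)
    hsts = headers.get("strict-transport-security")
    return ["no Strict-Transport-Security header"] if hsts is None else check_hsts(hsts)

# Constructed sample responses, shaped like `curl -si` output after the config above.
HTTP_SAMPLE = "HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://example.com/\r\n\r\n"
HTTPS_SAMPLE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubdomains; preload\r\n\r\n"
```

Feed the real output of curl -si http://yourhost/ to check_redirect and of curl -si https://yourhost/ to check_https; None and an empty list respectively mean both steps took effect.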
Adjusting TLS Versions
In /data/safeline/resources/nginx/nginx.conf, locate the following section:
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
Modify it to:
# Intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
Then, reload Nginx via SSH:
docker exec safeline-tengine nginx -s reload
This method has also been tested and verified on my site.
Note: This configuration may prevent very old devices from connecting. Use with caution if you need perfect compatibility.
Connecting to the SafeLine PG Database
First, install the PostgreSQL client on your Linux machine:
sudo apt install postgresql-client
Next, find the SafeLine database password in /data/safeline/.env.
Then, locate the IP address of the safeline-pg container:
docker inspect safeline-pg | grep "IPAddress"
Now, connect to the database with the following command:
psql -h 172.22.222.2 -p 5432 -U safeline-ce
Success! You are now connected.