SafeLine WAF — Self-Hosted Web Application Firewall for Your Homelab

Introduction

After implementing fail2ban to protect SSH access in my homelab, I started thinking about web application security. While fail2ban handles basic intrusion attempts beautifully, my web services needed more sophisticated protection against modern web attacks.

That’s when I discovered SafeLine WAF, and honestly, it’s been a game-changer for protecting my self-hosted web applications. What impressed me most wasn’t just its effectiveness, but how it uses AI to understand attack intent rather than relying on traditional signature-based detection.

After running it for several months protecting multiple services in my homelab, I can confidently say it’s become an essential part of my security stack.

What is SafeLine WAF?

SafeLine ↗️ is a self-hosted Web Application Firewall developed by Chaitin Tech. Unlike traditional WAFs that rely on predefined rules, SafeLine uses semantic analysis powered by machine learning to understand the actual intent behind web requests.

The project has gained significant traction in the self-hosting community with over 17.3K GitHub stars ↗️ and is currently protecting over 1 million websites ↗️ worldwide.

Here’s how SafeLine works in your homelab:

1. Acts as a reverse proxy - Routes all traffic through SafeLine first
2. Analyzes every request using AI-powered semantic analysis
3. Blocks malicious traffic in real-time (sub-millisecond detection)
4. Forwards clean traffic to your actual web services
5. Learns and adapts to improve protection over time

What SafeLine Protects Against:

• SQL injection attempts
• Cross-site scripting (XSS)
• Remote code execution (RCE)
• Path traversal attacks
• HTTP flood attacks
• Bot abuse and scraping
• Zero-day vulnerabilities

Why I Chose SafeLine Over Alternatives

I evaluated several WAF solutions before settling on SafeLine. Here’s what convinced me:

Performance Comparison: Based on community benchmark testing ↗️, SafeLine consistently outperforms traditional solutions:

The numbers spoke for themselves - SafeLine offered the best balance of high detection with minimal false positives.

Compared to Cloudflare:

• Complete control over security policies
• No traffic limits or ongoing costs
• Privacy (all data stays in your homelab)
• Better detection rates for sophisticated attacks

Compared to ModSecurity:

• Much easier to configure and manage
• Dramatically lower false positive rates (0.07% vs 17.58%)
• Web-based management interface
• Better performance with modern architectures

Setting Up SafeLine in My Homelab

The installation process is surprisingly straightforward. I had SafeLine protecting my first service in under 10 minutes.

Prerequisites

Before starting, make sure your system has:

• Linux OS (I’m using Ubuntu 24.04)
• Docker & Docker Compose
• At least 1GB RAM and 5GB storage

Quick Installation

For testing purposes, you can use SafeLine’s automated installer:

# Install with English interface
bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/manager.sh)" -- --en

Production Installation (My Preferred Method)

For my production homelab setup, I prefer the manual approach for better control:

# Create SafeLine directory
sudo mkdir -p /data/safeline
cd /data/safeline

# Download Docker Compose configuration
sudo wget https://waf.chaitin.com/release/latest/compose.yaml

# Create environment configuration
sudo tee .env << 'EOF'
SAFELINE_DIR=/data/safeline
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD={postgres-password}
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
ARCH_SUFFIX= # use -arm for arm64 devices
RELEASE= # use -lts for latest stable release
REGION=-g
EOF

# Start SafeLine services
sudo docker compose up -d

Verify Installation

Check that all containers are healthy:

# View container status
sudo docker compose ps

# Check logs for any issues
sudo docker compose logs --tail=50

You should see several containers running:

• safeline-mgt: Web management interface
• safeline-detector: AI detection engine
• safeline-tengine: Reverse proxy component (based on Tengine/Nginx)
• safeline-pg: PostgreSQL database for logs and config
• safeline-luigi, safeline-fvm & safeline-chaos: Services for data processing and analytics

Access the management interface at https://your-server-ip:9443

Eternal Vault is Now Live! 🎉

Secure your digital legacy with Eternal Vault! Store your passwords, documents, and critical info in a zero-knowledge encrypted vault. If you ever stop checking in, your chosen loved ones are notified and given access, ensuring your legacy is protected and responsibly passed on.

🚀 Built & launched by me 🎁 Reveal Discount Code

🔒 Secure Your Digital Legacy Now

Configuring Your First Protected Service

Setting up protection for a web service is intuitive through SafeLine’s web interface.

Initial Setup

1. Navigate to https://your-server-ip:9443
2. Create your admin account during first login (or use docker exec safeline-mgt resetadmin to reset the admin password)
3. Complete the setup wizard

Protecting a Web Service

Here’s how I configured SafeLine to protect my personal blog through the web interface:

Basic Configuration:

• Website Name: “Personal Blog”
• Domain: “blog.yourdomain.com”
• Upstream Server: “192.168.1.100:3000”
• Protection Mode: “Balanced”
• SSL Certificate: “Let’s Encrypt Auto”

Protection Modes:

• Monitor: Logs attacks without blocking (great for testing)
• Balanced: Optimal protection with minimal false positives (recommended)
• Strict: Maximum security with potential for more false positives

SSL/TLS Configuration

SafeLine handles SSL termination, which simplifies your backend services:

• Automatic Let’s Encrypt: SafeLine can manage certificates automatically
• Custom Certificates: Upload your own certificates through the web interface
• Wildcard Support: Perfect for protecting multiple subdomains

Self-Hosted vs Commercial Features

The free self-hosted version of SafeLine is surprisingly feature-complete for homelab users. Here’s what you get without paying anything:

Free Self-Hosted Features:

• Intelligent semantic analysis detection
• Rule-based cyber threat protection
• Website identity authentication
• Rate limiting and HTTP flood DDoS protection
• Malicious IP detection
• Web ACLs support
• Protection for up to 10 applications

For companies needing additional enterprise features like geo-blocking, advanced analytics, or protecting unlimited applications, SafeLine offers commercial plans ↗️ starting at $10/month with enhanced capabilities.

For most homelab users, the free version provides more than enough protection and features.

Real-World Testing and Results

Testing SafeLine’s Protection

I tested SafeLine’s effectiveness using common attack vectors:

# SQL injection test
curl "http://blog.yourdomain.com/?id=1' OR '1'='1"

# XSS test
curl "http://blog.yourdomain.com/?search=<script>alert('xss')</script>"

# Path traversal test
curl "http://blog.yourdomain.com/../../etc/passwd"

Results: All malicious requests were blocked with detailed logging, while legitimate traffic flowed through without issues.

Protected Services in My Setup

Currently, SafeLine protects these services in my homelab:

• Personal blog and portfolio site
• Vaultwarden password manager
• Jellyfin media server
• Immich photo management
• API services and development applications

Advanced Configuration Tips

Multiple Service Protection

One of SafeLine’s strengths is protecting multiple services from a single instance. I’ve configured these through the web interface:

Service 1: Blog

• Domain: “blog.yourdomain.com”
• Upstream: “192.168.1.100:3000”
• Protection: “Balanced”

Service 2: API

• Domain: “api.yourdomain.com”
• Upstream: “192.168.1.101:8080”
• Protection: “Strict”

Service 3: Media Server

• Domain: “jellyfin.yourdomain.com”
• Upstream: “192.168.1.102:8096”
• Protection: “Balanced”

Custom Security Rules

While SafeLine’s AI handles most threats automatically, you can add custom rules through the web interface:

Block specific user agents:

• Rule Name: “Block Automated Tools”
• Pattern: “User-Agent contains ‘sqlmap|nikto|nmap’”
• Action: “Block”

Geographic restrictions (available in paid plans):

• Rule Name: “Restrict Countries”
• Condition: “Country in [‘CN’, ‘RU’]”
• Action: “CAPTCHA Challenge”

Rate Limiting Configuration

Configure intelligent rate limiting through the web interface to prevent abuse:

• Rate Limit: “100 requests per minute per IP”
• Burst Allowance: “150 requests”
• Block Duration: “300 seconds”
• Whitelist: “192.168.1.0/24, your-admin-ip”

Monitoring and Maintenance

Built-in Analytics

SafeLine provides comprehensive monitoring through its web interface:

• Real-time attack detection and blocking
• Geographic source mapping of attacks
• Attack type classification and trends
• Performance metrics and health status

Log Analysis

Access detailed security logs:

# View real-time detection logs
sudo docker compose logs -f safeline-detector

# View web server logs
sudo docker compose logs -f safeline-tengine

# Export logs for external analysis
sudo docker exec safeline-pg pg_dump -U safeline-ce -d safeline-ce > safeline_logs.sql

Regular Maintenance

# Update SafeLine to latest version
cd /data/safeline
sudo docker compose pull
sudo docker compose up -d

# Backup configuration
sudo cp -r /data/safeline /backup/safeline-$(date +%Y%m%d)

# Monitor disk usage (logs can grow)
sudo du -sh /data/safeline/

Network Architecture in My Homelab

Here’s how SafeLine fits into my network setup:

Internet → Cloudflare Tunnel → SafeLine WAF → Internal Services
                              (Port 80/443)   (Local Network)

Key Benefits of This Setup:

• All web traffic filtered through SafeLine first
• Backend services completely isolated from direct internet access
• Centralized security policy management
• Easy SSL certificate management

Best Practices I’ve Learned

Security Recommendations

1. Start with Monitor Mode: Test new services in monitor mode before enabling blocking
2. Regular Rule Reviews: Check blocked requests weekly to fine-tune rules
3. Keep Updated: SafeLine releases updates frequently with improved detection
4. Backup Configurations: Export settings before major changes
5. Test Protection: Use tools like OWASP ZAP to verify blocking effectiveness

Integration with Existing Security

SafeLine works excellently alongside my other security measures:

• fail2ban handles SSH and basic intrusion attempts
• SafeLine WAF protects web applications specifically
• UFW firewall provides network-level access control
• Tailscale VPN for secure remote access

Common Gotchas to Avoid

• Test configuration changes in monitor mode first
• Monitor resource usage - ML processing can be CPU-intensive
• Keep logs manageable - Set up log rotation to prevent disk space issues

Comparing Costs: Self-hosted vs Cloud

SafeLine (Self-hosted):

• One-time setup cost
• Your existing hardware resources
• Complete control and privacy
• No traffic limitations
• Up to 10 applications free

Commercial WAF Services:

• $10-100+ per month for equivalent protection
• Per-site or traffic-based pricing
• Limited customization options
• Vendor lock-in concerns

For my homelab protecting 6+ web services, SafeLine saves me hundreds of dollars annually while providing better control and privacy.

Conclusion

SafeLine WAF has become an indispensable part of my homelab security setup. The combination of AI-powered detection, easy management, and self-hosted control makes it perfect for protecting personal web services.

What I Love About SafeLine:

• Intelligent threat detection that actually works
• Minimal false positives compared to traditional WAFs
• Easy setup and management through web interface
• Self-hosted control with no ongoing costs
• Active development and growing community

The setup process is straightforward, the performance impact is negligible, and the protection effectiveness is impressive. If you’re running web services in your homelab, SafeLine provides enterprise-grade security that’s both accessible and powerful.

Have you tried SafeLine WAF in your homelab? What’s been your experience with self-hosted security solutions? I’m always curious to hear how others are protecting their web services. Share your thoughts in the comments below or reach out on Twitter ↗️ / Reddit ↗️.

Stay secure, and happy homelabbing! 🛡️