This content originally appeared on DEV Community and was authored by Sharon
Introduction
After setting up fail2ban to secure SSH access in my homelab, I quickly realized my web services were still exposed to more advanced threats. That’s when I discovered SafeLine WAF, a self-hosted Web Application Firewall that’s been an absolute game-changer for my setup.
Unlike the usual rule-based firewalls, SafeLine doesn’t just block patterns — it analyzes what’s really happening in traffic. After several months of running it across multiple apps, I can confidently say it’s now a critical part of my security stack.
What is SafeLine WAF?
SafeLine is an open-source, self-hosted Web Application Firewall by Chaitin Tech. Instead of relying only on predefined signatures, it takes a smarter approach by analyzing request semantics.
It’s already gained 17.3K+ GitHub stars and is protecting 1M+ websites worldwide. In your homelab, it works like this:
- Acts as a reverse proxy, routing all traffic through SafeLine
- Inspects each request before it reaches your apps
- Blocks malicious payloads instantly
- Lets safe traffic through
- Continuously learns and improves detection
Attacks SafeLine Helps Prevent:
- SQL injection
- XSS (cross-site scripting)
- Remote code execution (RCE)
- Path traversal
- HTTP flood attacks
- Bot scraping
- Even some zero-days
Why I Picked SafeLine Over Alternatives
I tested Cloudflare’s free WAF and ModSecurity before SafeLine. Here’s why I switched:
Solution | Detection Rate | False Positives | Accuracy |
---|---|---|---|
SafeLine (Balanced) | 71.65% | 0.07% | 99.45% |
SafeLine (Strict) | 76.17% | 0.22% | 99.38% |
ModSecurity L1 | 69.74% | 17.58% | 82.20% |
Cloudflare Free | 10.70% | 0.07% | 98.40% |
- Higher accuracy than ModSecurity
- Fewer false positives than anything I’ve tried
- Full control vs. Cloudflare’s limits
Setting Up SafeLine in a Homelab
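Setup is refreshingly simple. Here’s the quick test install. Note that the -k flag tells curl to skip TLS certificate verification and the script is piped straight into bash, so it runs without its source being authenticated:
```bash
# One-line install with English interface
bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/manager.sh)" -- --en
```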
But for production, I recommend Docker Compose:
```bash
# Create SafeLine directory
sudo mkdir -p /data/safeline && cd /data/safeline
# Download compose file
sudo wget https://waf.chaitin.com/release/latest/compose.yaml
# Create env file (replace {postgres-password} with a strong, unique password)
sudo tee .env << 'EOF'
SAFELINE_DIR=/data/safeline
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD={postgres-password}
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
ARCH_SUFFIX=
EOF
# Launch SafeLine
sudo docker compose up -d
```
Once it’s running, log into https://your-ip:9443 to manage it.
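The .env step above leaves {postgres-password} as a placeholder and writes the file with default permissions. The following is an added example, not part of the original post or the SafeLine project: it writes the same keys with a randomly generated password and owner-only permissions, and checks the result before launch. The function names write_safeline_env and check_safeline_env and the 48-character hex password format are assumptions made for this example.

```bash
# Added example, not part of the SafeLine project; function names are hypothetical.
# write_safeline_env DIR: create DIR/.env with the article's keys, a random
# POSTGRES_PASSWORD and owner-only permissions.
write_safeline_env() {
    local dir="$1" env_file="$1/.env" password

    # Never replace the password of an existing deployment silently.
    if [ -e "$env_file" ]; then
        echo "refusing to overwrite $env_file" >&2
        return 1
    fi

    # 24 random bytes as 48 hex characters, so nothing needs quoting.
    password="$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    [ "${#password}" -eq 48 ] || return 1

    # The subshell keeps the strict umask from leaking into the caller.
    (
        umask 077
        cat > "$env_file" <<EOF
SAFELINE_DIR=$dir
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=$password
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
ARCH_SUFFIX=
EOF
    )
}

# check_safeline_env FILE: fail if the password is empty, still contains the
# {postgres-password} placeholder braces, or the file is open to group/others.
check_safeline_env() {
    local value
    value="$(sed -n 's/^POSTGRES_PASSWORD=//p' "$1")"
    case "$value" in
        "" | *"{"* | *"}"*)
            echo "POSTGRES_PASSWORD is unset or still a placeholder" >&2
            return 1 ;;
    esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "$1 is accessible to group or others" >&2
        return 1
    fi
}
```

Run both functions from a root shell against /data/safeline in place of the tee step, and start the stack only if check_safeline_env succeeds.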
First Impressions
What surprised me most:
- Minimal performance hit (requests barely slowed)
- Clean, modern web interface
- Logs that actually make sense
SafeLine has quickly become my go-to defense for everything from my personal blog to my Vaultwarden instance.
Join the SafeLine Community
If you continue to experience issues, feel free to contact SafeLine support for further assistance.