Your WordPress site got probed for wp-admin at 3am. Nothing broke — this time. Your client app has a SQL injection bug in staging that you keep meaning to fix. Cloudflare's free tier blocks some noise but you're routing Canadian client traffic through US infrastructure and the WAF rules are a black box. You want a shield you control.
SafeLine (雷池) from Chaitin Tech is that shield: a self-hosted WAF and reverse proxy with roughly 22k GitHub stars. Traffic hits SafeLine first, malicious requests get dropped, and legitimate traffic reaches your app. It covers SQL injection, XSS, RCE, SSRF, path traversal, brute force, HTTP floods, and bot abuse — without handing your HTTP logs to a US CDN by default.
What it actually does
SafeLine sits in front of your web apps as a reverse proxy WAF. Clients connect to SafeLine; SafeLine inspects HTTP/HTTPS and forwards clean requests to your upstream — WordPress, n8n, a custom API, whatever runs behind it.
Attack blocking. Semantic detection engine (not just regex signatures) for injection attacks, XXE, CRLF, LDAP injection, command injection, and related OWASP-style payloads. Published benchmarks claim higher accuracy and far lower false positives than ModSecurity level 1 and Cloudflare's free tier — verify in your own staging environment before trusting production traffic to it.
Rate limiting. IP-based throttling for DoS, brute force, and traffic spikes — slow the scanner before it reaches your PHP-FPM workers.
Anti-bot challenge. Distinguish humans from crawlers — real users pass, abusive bots get blocked.
Auth challenge. Optional site-wide password gate — useful for staging environments you don't want indexed or scanned.
Dynamic protection. Encrypt HTML and JavaScript on each visit — raises the bar for automated scraping and some client-side attacks.
Dashboard. Add applications (domain, upstream address, port), tune policies, review blocked requests. Live demo at demo.waf.chaitin.com.
SafeLine vs Cloudflare vs your existing stack
We've covered deployment platforms with built-in reverse proxies:
- Coolify / Dokploy — Traefik for TLS and routing, not deep WAF inspection
- Uptime Kuma — tells you the site is down after the fact; doesn't block attacks
SafeLine is a dedicated security layer. Typical placement: Internet → SafeLine → nginx/Traefik → app. Cloudflare WAF is excellent but routes traffic through their network; SafeLine runs on your Canadian VPS — relevant when clients ask where HTTP inspection happens.
Why self-host a WAF?
Inspect before the app. A WAF catches exploit attempts at the edge — SQL injection probes never hit your ORM bug. Defense in depth, not a substitute for secure code.
Data stays on your metal. Request logs, blocked payloads, and policy config on infrastructure you control — not a third-party security vendor's retention policy.
Flat cost. No per-request WAF billing tier. You pay for the VPS and run SafeLine in Docker alongside your apps.
Homelab and agency staging. Put auth challenge on internal demos. Rate-limit the WordPress install your client forgot to update.
What running it takes
Official installer (Docker-based):

```bash
bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"
```

Note that `-k` tells curl to skip TLS certificate verification, and the command pipes the downloaded script straight into bash. Fetch the script first and read it before running it if that bothers you.
For English UI, use the English manager script per their docs. Management console typically on port 9443 (HTTPS). Plan at least 1 GB RAM and 5 GB disk per their homelab guides — more under heavy traffic.
Add each web app in the dashboard: public domain, upstream IP/hostname, port. SafeLine terminates TLS or works behind your existing cert setup depending on configuration — read the install guide for your topology.
If a monitor/log-only mode is available, run it before enabling blocking on production. False positives block real users — tune policies on staging first. Mainland China users: Chaitin documents a separate Chinese edition if international cloud connectivity is an issue.
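A staging smoke test for the tuning step above, added here as an example rather than anything shipped with SafeLine. It sends a constructed corpus of legitimate-but-suspicious-looking requests (apostrophes, SQL keywords in prose) plus two textbook probes through the WAF and reports which benign requests were wrongly blocked and which probes slipped through. It assumes SafeLine answers blocked requests with HTTP 403 and that `https://staging.example.com/` is a placeholder for your own staging host.

```python
"""WAF false-positive / false-negative smoke test. Run against STAGING only."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed test corpus: (label, query parameters, expect_block).
# The benign rows are deliberately "suspicious" so they trip over-eager rules.
CASES = [
    ("plain search", {"q": "wordpress plugins"}, False),
    ("apostrophe in a name", {"q": "O'Brien"}, False),
    ("SQL keyword in prose", {"q": "how to select a vps"}, False),
    ("textbook SQLi probe", {"id": "1' OR '1'='1"}, True),
    ("textbook XSS probe", {"q": "<script>alert(1)</script>"}, True),
]


def fetch_status(base_url: str, params: dict, timeout: float = 5.0) -> int:
    """GET base_url with the given query parameters and return the HTTP status.
    4xx/5xx are returned as a status instead of raising."""
    url = f"{base_url}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def classify(results, block_status: int = 403) -> dict:
    """Split observed (label, expect_block, status) rows into the two failure kinds.
    block_status is an assumption: check what your SafeLine block page returns."""
    false_pos = [lbl for lbl, exp, st in results if not exp and st == block_status]
    false_neg = [lbl for lbl, exp, st in results if exp and st != block_status]
    return {"false_positives": false_pos, "false_negatives": false_neg}


def main(base_url: str) -> int:
    results = [(lbl, exp, fetch_status(base_url, p)) for lbl, p, exp in CASES]
    for lbl, exp, st in results:
        print(f"{st:>3}  expected {'block' if exp else 'pass '}  {lbl}")
    verdict = classify(results)
    print("false positives (tune these rules):", verdict["false_positives"])
    print("false negatives (probe not caught):", verdict["false_negatives"])
    return 1 if verdict["false_positives"] or verdict["false_negatives"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "https://staging.example.com/"))
```

A non-zero exit means something needs tuning before the same policy goes in front of production traffic.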
Who it's for (and who should skip it)
Good fit: self-hosters exposing WordPress, PHP apps, or APIs to the internet; Canadian agencies wanting WAF without US CDN dependency; homelabbers hardening public services; teams who outgrew "hope nginx is enough."
Maybe skip it: if everything is VPN-only with no public HTTP, there is less to protect. If you already pay for enterprise Cloudflare with a team managing rules, duplication may not help. If you won't maintain another reverse-proxy layer, don't add one — a misconfigured WAF breaks legitimate traffic.
Hosting it in Canada
SafeLine belongs at the edge of your stack. We deploy it on Canadian VPS and dedicated servers — in front of client apps, with TLS, logging retention you control, and upstream pointing at your existing containers.
Tell us what you're protecting — we'll help place SafeLine in the path without the double-proxy confusion that makes everyone's head hurt.