Is there any way to integrate Safeline WAF into ISPConfig3 hosted websites? Has anyone had any success?
Creating a website with whatever website software in ISPConfig has never been much of a problem, at least for me so far, though I agree that people normally have different experiences, but I'd say they are mostly resolvable. So what are the issues you were actually facing in installing this software? If you provide the facts, if not me, others may also be able to help.
As far as I can see you can't. At least not in a straightforward way, not without changing your webserver config and with that ISPConfig in general. According to the Safeline website it is a Docker-driven application. I don't know the application, but in order to filter internet traffic (to the webserver) it seems to me that Safeline will need to be bound to ports 80 and 443. At least on the NIC/IP connected to the internet. You can't do that, as your webserver by default is bound to those ports on all NICs/IPs. So you will need to change the ports your webserver is bound to (and configure Safeline to forward filtered traffic to those ports) or configure both your webserver and Safeline to be bound to different NICs/IPs (and configure Safeline to forward filtered traffic to the webserver's IP).
Docker usages have been discussed in other threads and they are possible, so even if this software wants to use the default web server port 80 and 443, like Nginx Proxy Manager (NPM), it should not be a problem to run it in ISPConfig web servers, as an admin can always use its conf-custom or even port setting for web sites (which feature is now available) to customize / change the default ports to others.
Surely you can. But most of those threads are about running a Docker app behind the webserver, using the webserver as a proxy. In this case the Docker app needs to be in front of the webserver, otherwise it's useless. That's what I said, though not explained as you did. Indeed, website config in ISPConfig or conf-custom can be part of the solution, but not solely. Changing ports in website configs in ISPConfig or a customized vhost config in conf-custom doesn't change the webserver's default listening behavior, just those websites.
Hurmmm… I guess you were overthinking and assumed too much, maybe simply because I did not provide very detailed steps, but in reality, changing all listeners in ISPConfig website vhost configs away from the default ports 80 and 443 should achieve exactly that; the lack of such step-by-step instructions should not affect the validity of the suggested solution.
I don't see what I might be overthinking. Fact: You can't bind 2 things to the same port. By default both Apache and Nginx bind to all available NICs/IPs. So there will be no room for Safeline to bind to the same ports by default. Fact: Changing website ports, whether in ISPConfig (I'm only aware of websites on an Nginx webserver being able to and not Apache) or a customized vhost in conf-custom, doesn't change the webserver's default website/listening config. So it won't be enough to change just the websites. You also need to change the webserver's default config.
It is true that there is one additional step for Apache, namely changing the default ports in ports.conf, but that is all there is to it. For Nginx, no such step is needed because the listeners are defined in the server (vhost) configs. The key point is simply to move the web server off the default ports 80 and 443 so Safeline can bind to them. This really doesn’t need to be more complicated than that.
Incorrect, there is. The default website in /etc/nginx/sites-available/default. Also for Apache. Besides the ports.conf you mentioned, there's also 000-default.conf and default-ssl.conf in /etc/apache2/sites-available/. Though I would opt for adding a 2nd IP to the server. Then change the default website to bind to one of the IPs and bind Safeline to the other IP. All other websites can easily be bound to the same IP as set in the default website within ISPConfig.
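An added example, not part of any post in this thread: a Python check for the point debated above, listing which directives in the files named (ports.conf, 000-default.conf, /etc/nginx/sites-available/default) would still claim port 80 or 443 on the address a front-end WAF needs. The sample configs, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re

LISTEN = re.compile(r"^\s*listen\s+([^\s;]+)", re.I | re.M)   # Apache Listen / nginx listen
VHOST = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I | re.M)
WILDCARD = {"*", "::", "0.0.0.0", "_default_"}

# Constructed sample configs (one host would run Apache or nginx, not both).
SAMPLE = {
    "/etc/apache2/ports.conf": "Listen 8080\n<IfModule ssl_module>\n  Listen 443\n</IfModule>\n",
    "/etc/apache2/sites-available/000-default.conf": "<VirtualHost *:80>\n</VirtualHost>\n",
    "/etc/nginx/sites-available/default": (
        "server {\n  listen 80 default_server;\n  listen [::]:80 default_server;\n"
        "  listen 192.0.2.20:443 ssl;\n  # listen 443 ssl;\n}\n"),
}

def split_addr(token):
    """Return (host, port) for an address token, or None for unix sockets."""
    if token.startswith("unix:"):
        return None
    if token.isdigit():
        return ("*", int(token))
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return (host.strip("[]") or "*", int(port))
    return (token.strip("[]"), 80)  # nginx: bare address means port 80

def find_conflicts(configs, waf_ip, ports=(80, 443)):
    """List (path, kind, token) entries that collide with the WAF's ip:port."""
    hits = []
    for path, text in sorted(configs.items()):
        found = [("bind", m.group(1)) for m in LISTEN.finditer(text)]
        # A VirtualHost opens no socket itself, but one still addressed to
        # :80/:443 stops matching once the Listen directive has moved.
        for m in VHOST.finditer(text):
            found += [("vhost", t) for t in m.group(1).split()]
        for kind, token in found:
            parsed = split_addr(token)
            if parsed and parsed[1] in ports and (
                    parsed[0] in WILDCARD or parsed[0] == waf_ip):
                hits.append((path, kind, token))
    return hits

if __name__ == "__main__":
    for hit in find_conflicts(SAMPLE, waf_ip="192.0.2.10"):
        print(*hit)
```

With the WAF on 192.0.2.10, the listener pinned to 192.0.2.20:443 is not reported, which is the second-IP layout suggested in the post above; wildcard listeners on 80 or 443 are reported in either layout.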
Thank you for these hints. My issue is my websites are under attack by a very persistent and large botnet. I do not wish to implement a Cloudflare solution and prefer to handle the issue internally. I have tried the demo of isp-protect, but without good results. I'm guessing that I also would have all kinds of issues with the SSL certificate renewal, and 'too many redirects'. A little more information about the set-up: I am using Proxmox-VE as the environment; this makes it possible to have many machines in the virtual network and create virtual bridges for each of the Ethernet ports. Each machine has 4 ports. Safeline installs without issue in one VM machine and is browsable, however adding the website is the issue. I am not as tech savvy as I would like to be. I do note that a future ISPConfig will add a reverse proxy Nginx which might make this easier. There is no need to respond further to this thread, but it might make a good tutorial if somebody solves it. Thank you, Mark