
Essential aaWAF Guide for Blogs/Websites: Setup, Use & Secure Your Site Hands-On

zeruns
2025-05-29

Essential for personal blogs and business websites: a step-by-step guide to setting up the free version of aaWAF and its basic configuration. This tutorial explains how to deploy the aaWAF firewall on a Linux server.

In an era of frequent cyberattacks, a Web Application Firewall (WAF) has become an essential shield for website security. aaWAF is a lightweight, open-source and free protection tool that supports domestic ARM-based systems and offers highly customizable rule configuration. It can defend against common threats such as CC (HTTP flood) attacks and SQL injection while meeting the cost-conscious security needs of individuals and small to medium-sized businesses. This article walks you through deploying and configuring your own firewall, step by step.

Webmaster Discussion Group: 767557452

Video Tutorial: https://www.bilibili.com/video/BV1g9j6z4EhF/


Introduction to aaWAF

aaWAF is a truly open-source and commercially usable Web Application Firewall. It is the first WAF to support domestic ARM-based systems, offering extremely flexible and customizable interception rules. It can be configured to restrict various types of access and effectively protects against CC attacks, malicious scraping, API abuse and penetration testing behaviour, ensuring the security of business websites.

The WAF is easy to deploy (fully functional in under 2 minutes) and requires minimal technical expertise. If you know how to set up a website, you can use this tool. It provides a comprehensive dashboard with real-time attack metrics, including today's request volume and malicious request count, as well as the current protection status. It supports geographic access restrictions, allowing you to block non-target regions as needed. The detailed logs of intercepted threats help with backtracking and threat analysis.

In terms of protection capabilities, it effectively blocks SQL injections, XSS, webshells, and other common intrusion attacks. It also safeguards against vulnerabilities in frameworks and components like Struts2 and Discuz, helps prevent sensitive data leaks, and supports anti-hotlinking and compliance requirements.

aaWAF offers several editions: Free, Professional, and Enterprise. The Free version is suitable for personal blogs and small-scale websites, while the Professional and Enterprise versions cater to the higher protection needs of businesses. Whether you are an individual or an enterprise user, aaWAF can enhance your website's security.

aaPanel official website: https://www.bt.cn/u/tbUafD


Preparation

First, you need a website to protect. If you don't have one, there is no need to continue with this guide, but you can check out the following tutorials to set up your own website:

Next, you'll need a cloud server to deploy aaWAF. For small websites, a 2-core CPU with 2 GB of RAM is recommended, and the server must have a dedicated public IP address. If your website mainly targets users in mainland China, consider a server located in mainland China (note: domain registration is required). If you don't have a registered domain, choose a server in Hong Kong, Macau, Taiwan or overseas, which does not require registration. Debian 12 is the recommended operating system.

Recommended cloud server providers: Rainyun or Haoliang Cloud Engine:

More cost-effective server recommendations: https://blog.vpszj.cn/archives/41.html

For this demo, I used Rainyun's RCA service to set up an Answer website as the origin server.

For the demonstration, I'm using a Lightweight Application Server from Haoliang Cloud. After registering an account, go to the console and click Lightweight Application Server → Buy Now.

Choose the region according to your needs. Since my domain is registered, I chose Ningbo. I picked an 8-core, 16 GB RAM server with 80 Mbps bandwidth, only 60 RMB/month. For the OS, choose Debian 12. Click Buy Now after selection. (Haoliang Cloud's Ningbo lightweight servers come with 50 Gbps DDoS protection.)

Once the server is created, click Manage to enter the console, where you can view server info, reinstall/change the OS, and more.


Connect to the Server

Download and install an SSH client, then launch it. Recommended SSH clients include PuTTY and MobaXterm.

SSH client download link: https://www.123pan.com/ps/2Y9Djv-UAtvH.html

In this tutorial, we'll use MobaXterm. In the SSH client, enter your server's IP address (available from your server's control panel) and the SSH port (default is 22), then click "OK" or "Open."

Next, enter your username and press Enter. The default username is usually root. Then enter your password (also found in the server console) and press Enter. Note: the password is not displayed as you type.

Tip: To copy text in the SSH terminal, left-click and drag to select, then release the mouse button and click once on any blank area to copy. To paste, simply right-click inside the terminal.


Change APT Source (Skip if using an overseas server)

By default, APT uses foreign mirrors, which may be slow. To switch to faster domestic mirrors, use chsrc.

In the SSH terminal, run the following commands (lines starting with # are comments and do not need to be entered):

# Install chsrc
curl https://chsrc.run/posix | bash

# Automatically find the fastest mirror and switch
chsrc set debian


Open Ports

In your server provider's control panel, go to Security Groups or Firewall settings and open all ports, as shown below:


Install aaWAF

In the SSH terminal, run the following installation script. For most use cases, the standalone version is sufficient.

Standalone version script:

URL=https://download.bt.cn/cloudwaf/scripts/install_cloudwaf.sh && if [ -f /usr/bin/curl ];then curl -sSO "$URL" ;else wget -O install_cloudwaf.sh "$URL";fi;bash install_cloudwaf.sh

Cluster version script:

URL=https://download.bt.cn/cloudwaf/scripts/install_waf_master.sh && if [ -f /usr/bin/curl ];then curl -sSO "$URL" ;else wget -O install_waf_master.sh "$URL";fi;bash install_waf_master.sh

Note: If your server already has the aaPanel installed, do not install aaWAF separately — use the built-in Nginx firewall via aaPanel instead.

aaWAF must be installed on a dedicated server.

When prompted with the screen below, type Y and press Enter to continue installation:

After installation, copy the public access address shown at the end of the script, open it in your browser, and log in using the provided credentials. Be sure to save this information.


Configure aaWAF

After logging into the aaWAF control panel, click Add Protection Site.

Enter your domain name under Protection Domain and your origin server's IP under Source Address. Keep the port at 80 unless your origin listens on a different one, in which case choose "Custom". Make sure HTTP-to-HTTPS redirection is disabled on the origin server, because the WAF talks to the origin over plain HTTP on that port. Set SSL Certificate to "Off", then click Confirm.

Now change your domain's DNS records to point to the WAF server's IP address. Wait for the changes to propagate, then try visiting your site to ensure it's working.

To enable HTTPS (SSL encryption), go to Site List → SSL Certificate → Not Deployed → Apply, or upload your own SSL certificate.

Once the SSL certificate is installed, enable Force HTTPS.

Now when you access the site, it will use HTTPS.
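Once the DNS change and Force HTTPS are in place, it is worth confirming from outside that traffic really flows through the WAF. The script below is an added example, not code from the original post or from aaWAF; example.com, 203.0.113.10 and 198.51.100.20 are constructed placeholders, and dig and curl are assumed to be installed. It checks three things: every A record of the domain points at the WAF server (a zone that still lists the old origin IP fails), a plain-HTTP request is redirected to HTTPS, and the origin server does not answer requests sent straight to its own IP. If the last check warns, anyone who learns the origin IP can bypass the WAF, so the origin's firewall should accept ports 80 and 443 only from the WAF's IP.

```shell
#!/bin/sh
# Post-deployment check for a site placed behind aaWAF. Added example, not
# code from the original post or from aaWAF. The three values below are
# constructed placeholders; override them in the environment.
DOMAIN="${DOMAIN:-example.com}"
WAF_IP="${WAF_IP:-203.0.113.10}"        # public IP of the aaWAF server
ORIGIN_IP="${ORIGIN_IP:-198.51.100.20}" # public IP of the origin server

# dns_only_waf RECORDS WAF_IP
# RECORDS is a whitespace/newline-separated list of A records. Succeeds only
# if there is at least one record and every record equals the WAF IP, so a
# zone that still lists the old origin IP next to the WAF IP is a failure
# (part of the traffic would still bypass the WAF).
dns_only_waf() {
  [ -n "$1" ] || return 1
  for rec in $1; do
    [ "$rec" = "$2" ] || return 1
  done
  return 0
}

# https_redirect HEADERS DOMAIN
# HEADERS is the raw response to a plain http:// request (what curl -sI
# prints). Succeeds if the answer is a redirect to https://DOMAIN, which is
# what "Force HTTPS" should produce.
https_redirect() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
  location=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" {print $2; exit}')
  case "$status" in
    301|302|307|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    "https://$2"|"https://$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# origin_reachable URL
# Succeeds if the origin answers an HTTP(S) request sent straight to its IP.
# Any client that can do this bypasses the WAF entirely, so the origin's
# firewall should accept 80/443 only from WAF_IP.
origin_reachable() {
  curl -sk -o /dev/null --connect-timeout 5 --max-time 10 "$1"
}

# The live checks run only when invoked as: sh waf_check.sh run
if [ "${1:-}" = "run" ]; then
  fail=0
  records=$(dig +short A "$DOMAIN" | grep -E '^[0-9.]+$')
  if dns_only_waf "$records" "$WAF_IP"; then
    echo "OK   DNS: $DOMAIN resolves only to $WAF_IP"
  else
    echo "FAIL DNS: $DOMAIN resolves to: $(printf '%s' "$records" | tr '\n' ' ')"
    fail=1
  fi
  hdrs=$(curl -sI --connect-timeout 5 "http://$DOMAIN/")
  if https_redirect "$hdrs" "$DOMAIN"; then
    echo "OK   http://$DOMAIN/ redirects to HTTPS"
  else
    echo "FAIL http://$DOMAIN/ does not redirect to HTTPS (Force HTTPS off?)"
    fail=1
  fi
  for url in "http://$ORIGIN_IP/" "https://$ORIGIN_IP/"; do
    if origin_reachable "$url"; then
      echo "WARN origin answers directly at $url (WAF can be bypassed)"
      fail=1
    else
      echo "OK   origin does not answer directly at $url"
    fi
  done
  exit "$fail"
fi
```

Run it with `sh waf_check.sh run`; without the argument it only defines the functions. The exit status is non-zero if any check fails, so it can be rerun from a cron job or whenever the WAF or origin IP changes.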

Click Site Configuration to fine-tune protection options, including CC Protection, SQL Injection Protection, XSS Protection, SSRF Protection, Cookie Protection, Command Injection Protection and Malicious Bot Defense.

For example, SQL injection attempts are successfully intercepted by the WAF:

Under Website Acceleration, you can enable caching features.

You can also set up custom blocking rules.

The Dashboard offers a comprehensive overview of key metrics.

That concludes the tutorial! You can continue adding more protection sites and explore additional features at your own pace.

You can try the Professional Edition for 14 days for free by logging in with your aaPanel account.

aaPanel account registration: https://www.bt.cn/u/tbUafD

