简介

雷池是长亭科技的一款开源 WAF (并没有完全开源),在性能和检测能力上比一般的开源 WAF 靠谱,另外它还能提供 GUI 的管理界面,应对普通的中小企业应该是够用了。

名称

定义

详情

safeline-mgt-api

管理容器

接收管理后台行为,向其他服务或容器推送消息

safeline-detector

检测容器

执行检测的容器,从 Tengine 进入的流量会转发到该节点检测

safeline-mario

日志容器

记录与统计恶意行为的节点

safeline-tengine

网关

转发网关,有简单的过滤功能

safeline-postgres

关系型数据库

存储攻击日志、保护站点、黑白名单配置的数据库

safeline-redis

缓存数据库

-

容器环境配置

容器环境配置请参考 https://wiki.waringid.me/x/GQAx

docker-compose 部署

如果你还没有安装 Docker 和 Docker-Compose,可以先参考官方文档或其他博客。这里提醒一句:如果已经安装的 Docker 版本过低,需要先确认 Docker 与 Docker-Compose 的版本对应关系:版本对应关系

.env

环境文件用来配置容器启动时的环境变量,容器配置文件可以直接引用其中的内容。通过统一的环境变量可以快速调整参数(只需修改环境文件而无需改动容器配置文件),在版本更新升级等需要修改变量的场景下更为高效。

# Environment file read by docker-compose next to compose.yml; every ${VAR}
# in compose.yml resolves from the values below.
# Host directory holding all persistent state (postgres data, nginx config,
# detector/mario resources and logs) — see the bind mounts in compose.yml.
SAFELINE_DIR=/data/waf
# Tag applied to every ${IMAGE_PREFIX}/safeline-* image; "latest" is a moving
# tag, so pulls are not reproducible — pin a release tag for production.
IMAGE_TAG=latest
# Host port published for the management UI (maps to container port 1443).
MGT_PORT=9443
# Password for the safeline-ce database user. compose.yml also interpolates it
# verbatim into postgres:// URLs (MGT_PG, DATABASE_URL), so it must not contain
# characters that need URL-encoding (e.g. '@', '/', ':', '#', '?').
# Treat the values on this page as placeholders: generate your own and keep
# this file out of version control.
POSTGRES_PASSWORD=3MFDCCIa5PnD9dddddpVvfXK
# NOTE(review): the compose.yml on this page defines no redis service and never
# references REDIS_PASSWORD — confirm whether this variable is still needed.
REDIS_PASSWORD=AvWQQF5KJM22222lPQZxjCLVnH
# First three octets of the /24 used for the safeline-ce bridge network and
# the fixed container addresses (.2 postgres, .4 mgt, .5 detector, ...).
SUBNET_PREFIX=172.22.222
# Registry and namespace the safeline-* images are pulled from.
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline

compose.yml

容器配置文件用来保存运行容器的配置内容,包括多个不同的容器和对应的容器配置(例如容器镜像、版本、存储、网络和 IP 地址等)

networks:
  safeline-ce:
    # Dedicated bridge network. Every service except tengine (which runs with
    # network_mode: host) is pinned to a fixed ipv4_address inside this /24,
    # which is why the prefix is taken from SUBNET_PREFIX in .env.
    name: safeline-ce
    driver: bridge
    driver_opts:
      # Name of the Linux bridge interface created on the host.
      com.docker.network.bridge.name: safeline-ce
    ipam:
      driver: default
      config:
        # The :? form makes compose abort with this message when SUBNET_PREFIX
        # is unset or empty instead of silently producing ".1".
        - subnet: "${SUBNET_PREFIX}.0/24"
          gateway: "${SUBNET_PREFIX:?SUBNET_PREFIX required}.1"

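services:
  postgres:
    container_name: safeline-pg
    restart: always
    # Pinned to a fixed postgres tag rather than ${IMAGE_PREFIX}/${IMAGE_TAG}.
    image: swr.cn-east-3.myhuaweicloud.com/chaitin-safeline/postgres:15.2
    volumes:
      - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - POSTGRES_USER=safeline-ce
      # Fails fast at `up` time when the .env value is missing.
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    # No `ports:` entry: postgres is not published on a host interface and is
    # only reachable via the safeline-ce bridge (which the host itself can route to).
    command: [postgres, -c, max_connections=200]
  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/mgt:/app/data
    ports:
      # Quoted so the host:container pair can never be read as a YAML number
      # or sexagesimal time. No host IP is given, so the management UI listens
      # on every host interface; prefix an address (e.g. "127.0.0.1:") to
      # restrict it to one.
      - "${MGT_PORT:-9443}:1443"
    healthcheck:
      # Plain-string form runs through the container's shell; -k skips
      # certificate verification for this loopback check only.
      test: curl -k -f https://localhost:1443/api/open/health
    environment:
      # Same credentials as the postgres service above. sslmode=disable is
      # tolerable only because the connection stays on the internal bridge.
      - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
    depends_on:
      - postgres
      - fvm
    # Explicit resolvers for this container instead of the host's resolv.conf.
    dns:
      - 119.29.29.29
      - 223.5.5.5
      - 180.76.76.76
      - 1.2.4.8
      - 114.114.114.114
      - 8.8.8.8
    # Cap container stdout/stderr logs (10 x 100m); the other services here
    # have no such cap and rely on the default driver settings.
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}
    volumes:
      # The detector resources directory is shared read-write with tengine.
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/detector:/logs/detector
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        # tengine reaches the detector at this fixed address (TCD_SNSERVER).
        ipv4_address: ${SUBNET_PREFIX}.5
  mario:
    container_name: safeline-mario
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/mario:/resources/mario
      - ${SAFELINE_DIR}/logs/mario:/logs/mario
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/mario
      - GOGC=100
      # NOTE(review): unlike MGT_PG this URL carries no sslmode parameter, so
      # the client's default applies — confirm that is intended.
      - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6
  tengine:
    container_name: safeline-tengine
    restart: always
    image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/resolv.conf:/etc/resolv.conf:ro
      # Site configuration (including custom_params) lives on the host here.
      - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx
      - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
    environment:
      # tengine is on the host network, so it addresses mgt (.4) and the
      # detector (.5) by their fixed bridge IPs rather than by service name.
      - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
      - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000
      # deprecated
      - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
    ulimits:
      nofile: 131072
    # Binds directly on the host's interfaces; every port tengine listens on
    # is therefore exposed exactly as the host firewall allows.
    network_mode: host
  luigi:
    container_name: safeline-luigi
    restart: always
    image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}
    environment:
      - MGT_IP=${SUBNET_PREFIX}.4
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/luigi:/app/data
    depends_on:
      - detect
      - mgt
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.7
  fvm:
    container_name: safeline-fvm
    restart: always
    image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.8
  bridge:
    container_name: safeline-bridge
    restart: always
    image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}
    # Serves a unix socket at /app/run/safeline.sock, i.e. host /var/run/safeline.sock.
    command:
      - /app/bridge
      - serve
      - -n
      - unix
      - -a
      - /app/run/safeline.sock
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # The whole host /var/run is mounted read-write. On a default Docker host
      # that directory also holds docker.sock, which would give this container
      # control of the Docker daemon — confirm with the vendor whether a
      # narrower mount (just the socket it publishes) is sufficient.
      - /var/run:/app/run
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.9
    depends_on:
      - mgt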

容器方式运行

# Create (or recreate) every service in compose.yml and leave it running in
# the background; variables come from the .env file in the same directory.
docker-compose --file compose.yml up --detach

日常维护

测试运行情况

# Request only the headers (-I) from the management UI and keep the verbose
# handshake lines from "SSL connection" onwards to inspect the served
# certificate. -k skips verification because the certificate is being looked
# at, not trusted — drop it once a trusted certificate is installed.
# Replace 192.168.XX.XX with the host running safeline-mgt.
curl -k -vvI https://192.168.XX.XX:9443 2>&1 | awk '/^\* SSL connection/ { cert = 1 } cert && /^\*/'

自定义站点项

# Per-site nginx include (presumably for the protected site "backend_2"). The
# path is ${SAFELINE_DIR}/resources/nginx on the host, which compose.yml
# bind-mounts into safeline-tengine at /etc/nginx; tengine presumably needs
# a reload for edits to take effect — verify after saving.
vim /data/waf/resources/nginx/custom_params/backend_2  
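# Custom directives for one protected site: a dedicated access log plus
# location blocks that proxy sub-paths to internal backends. The upstream
# addresses are the page author's own hosts — replace them with yours.
# Indentation normalised to four spaces throughout (the original mixed 2/4).
access_log  /var/log/nginx/wiki_access.log  main;

# WebSocket-capable endpoint (Synchrony, judging by the log name): HTTP/1.1
# plus the Upgrade/Connection headers are required for the upgrade handshake.
location /synchrony {
    proxy_pass http://192.168.77.12:8091;
    proxy_set_header   Host    $host;
    proxy_set_header   X-Real-IP   $remote_addr;
    # Appends the client address to any existing X-Forwarded-For chain.
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

# Anchored regex; the captured remainder is re-appended after the backend's
# trailing slash, so /techref/x is proxied as /x.
location ~ ^/techref(.*)$ {
    proxy_pass http://192.168.77.12:8092/$1;
    proxy_set_header   Host    $host;
    proxy_set_header   X-Real-IP   $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

# NOTE(review): this regex is unanchored, so it also matches URIs such as
# /other/backend/x; for those the rewrite below does not fire and the full
# URI is proxied unchanged. If only the /backend prefix is intended, use
# `location ~ ^/backend/` — confirm before changing.
location ~ /backend/ {
    # Strip the /backend prefix before proxying; `break` stops rewrite
    # processing without re-running location matching.
    rewrite ^/backend(/.*)$ $1 break;
    proxy_pass http://192.168.192.85:9080;
    proxy_set_header   Host    $host;
    proxy_set_header   X-Real-IP   $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
}

# Prefix match: /erp and everything under it is proxied with the URI intact.
location /erp {
    proxy_pass http://192.168.113.101:32221;
    proxy_set_header   Host    $host;
    proxy_set_header   X-Real-IP   $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
}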

版本更新

# In-place upgrade of the stack: fetch the tagged images, stop and remove the
# running containers, recreate them (dropping services no longer defined),
# then delete images nothing references any more. The WAF is offline between
# `down` and `up`, and `docker image prune` asks for confirmation.
docker-compose --file compose.yml pull
docker-compose --file compose.yml down
docker-compose --file compose.yml up --detach --remove-orphans
docker image prune

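# Vendor-provided upgrade script. The original one-liner fetched it with -k
# (no certificate verification) and piped it straight into bash, so anything
# returned by a tampered connection would have run with the shell's
# privileges. Download it over a verified connection, read it, then run it.
# If curl rejects the certificate, fix the host's CA bundle instead of
# re-adding -k.
curl -fsSL -o upgrade.sh https://waf-ce.chaitin.cn/release/latest/upgrade.sh
# Review upgrade.sh here before the next line.
bash upgrade.sh
# Remove untagged ("<none>") safeline images left behind by the upgrade. The
# unquoted $(...) deliberately word-splits so each ID becomes one argument;
# when the list is empty `docker rmi` exits with a usage error.
docker rmi $(docker images | grep "safeline" | grep "none" | awk '{print $3}')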

添加防护站点

添加防护白名单
