- 由 虚拟的现实创建于10月 24, 2024 需要 2 分钟阅读时间
简介
雷池是长亭科技的一款开源 WAF (并没有完全开源),在性能和检测能力上比一般的开源 WAF 靠谱,另外它还能提供 GUI 的管理界面,应对普通的中小企业应该是够用了。
(image)名称
定义
详情
safeline-mgt-api
管理容器
接收管理后台行为,向其他服务或容器推送消息
safeline-detector
检测容器
执行检测的容器,从 Tengine 进入的流量会转发到该节点检测
safeline-mario
日志容器
记录与统计恶意行为的节点
safeline-tengine
网关
转发网关,有简单的过滤功能
safeline-postgres
关系型数据库
存储攻击日志、保护站点、黑白名单配置的数据库
safeline-redis
缓存数据库
-
容器环境配置
容器环境配置请参考
docker-compose 部署
如果你还没有安装 Docker 和 Docker-Compose,可以先参考 官方文档 或 其他博客。这里提醒一句:如果你已经装好的 Docker 版本过低,就需要注意两者的版本对应关系: 版本对应关系。
.env
环境文件用来配置容器启动的环境变量,容器配置文件可以直接引用其中的内容。通过统一设置环境变量,可以快速调整变量(只需修改环境文件而无需修改容器配置文件),在版本更新升级等需要修改变量的场景下更有效率。
# Host directory that every service mounts its data and logs from.
SAFELINE_DIR=/data/waf
# `latest` is a mutable tag: each `pull` may fetch a different build. Pin a
# specific release tag once the deployment is in service so upgrades stay
# deliberate and reproducible.
IMAGE_TAG=latest
# Host port the management UI is published on (compose falls back to 9443
# when this is unset).
MGT_PORT=9443
# Sample values from the article -- generate fresh random secrets for a real
# deployment and keep this file out of version control. REDIS_PASSWORD is not
# referenced by the compose.yml shown on this page.
POSTGRES_PASSWORD=3MFDCCIa5PnD9dddddpVvfXK
REDIS_PASSWORD=AvWQQF5KJM22222lPQZxjCLVnH
# First three octets of the internal bridge network; services get fixed
# addresses .1-.9 inside this /24.
SUBNET_PREFIX=172.22.222
# Registry path prefixed to every safeline-* image name.
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline
compose.yml
容器配置文件用来保存运行容器的配置内容,包括多个不同的容器和对应的容器配置(例如容器镜像、版本、存储、网络和 IP 地址等)
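networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
        # The gateway takes .1 of the /24; services pin fixed addresses in
        # the same range via their own ipv4_address settings.
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce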
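services:
  postgres:
    container_name: safeline-pg
    restart: always
    # Pinned to an explicit tag, unlike the other images which follow IMAGE_TAG.
    image: swr.cn-east-3.myhuaweicloud.com/chaitin-safeline/postgres:15.2
    volumes:
      - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - POSTGRES_USER=safeline-ce
      # Fails fast at `up` time if .env does not define the password.
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    # Exec-form list. As a plain scalar the commas would be handed to postgres
    # as part of its arguments.
    command: [postgres, -c, max_connections=200]

  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/mgt:/app/data
    ports:
      # No host address is given, so the management UI is published on every
      # host interface; prefix a host IP (e.g. 127.0.0.1:) or firewall the
      # port if it must not be reachable from the wider network.
      # Quoted so the port mapping is never read as a number by the parser.
      - "${MGT_PORT:-9443}:1443"
    healthcheck:
      # -k accepts the management API's own certificate on a loopback call
      # only; the page's manual check below uses --insecure the same way.
      test: curl -k -f https://localhost:1443/api/open/health
    environment:
      # sslmode=disable: plaintext to postgres, which only travels inside the
      # safeline-ce bridge network.
      - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
    depends_on:
      - postgres
      - fvm
    dns:
      - 119.29.29.29
      - 223.5.5.5
      - 180.76.76.76
      - 1.2.4.8
      - 114.114.114.114
      - 8.8.8.8
    logging:
      options:
        # Straight quotes: the typographic quotes in the article would become
        # part of the value and are not a valid size.
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4

  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}
    volumes:
      # The detector's resources directory is shared read-write with tengine.
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/detector:/logs/detector
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5

  mario:
    container_name: safeline-mario
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/mario:/resources/mario
      - ${SAFELINE_DIR}/logs/mario:/logs/mario
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/mario
      - GOGC=100
      # Same database as mgt, reached by container name over the bridge.
      - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6

  tengine:
    container_name: safeline-tengine
    restart: always
    image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/resolv.conf:/etc/resolv.conf:ro
      # Site configuration (including custom_params) lives on the host here.
      - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx
      - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
    environment:
      # Fixed addresses of mgt (.4) and detector (.5) -- tengine has no
      # bridge address of its own because it runs in the host namespace.
      - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
      - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000
      # deprecated (same value as TCD_SNSERVER)
      - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
    ulimits:
      nofile: 131072
    # Host network namespace: the gateway binds the protected sites' ports
    # directly on the host, so nothing under `ports:` is needed here.
    network_mode: host

  luigi:
    container_name: safeline-luigi
    restart: always
    image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}
    environment:
      - MGT_IP=${SUBNET_PREFIX}.4
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/luigi:/app/data
    depends_on:
      - detect
      - mgt
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.7

  fvm:
    container_name: safeline-fvm
    restart: always
    image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.8

  bridge:
    container_name: safeline-bridge
    restart: always
    image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}
    # Serves a unix socket at /app/run/safeline.sock, i.e. /var/run/safeline.sock
    # on the host through the mount below.
    command:
      - /app/bridge
      - serve
      - -n
      - unix
      - -a
      - /app/run/safeline.sock
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Host /var/run is mounted read-write. On most Docker hosts that
      # directory also holds docker.sock, so treat this container as
      # host-privileged and keep its image trusted and pinned.
      - /var/run:/app/run
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.9
    depends_on:
      - mgt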
容器方式运行
# Start the whole stack detached; run it from the directory holding compose.yml
# and .env so the ${...} variables above resolve.
docker-compose -f compose.yml up -d
(image)(image)日常维护
测试运行情况
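# Inspect the TLS handshake the management port presents. --insecure skips
# verification for this diagnostic only; the awk filter prints everything
# from curl's "* SSL connection" line onward so the certificate details are
# visible. The '*' is escaped because every verbose line starts with a
# literal asterisk.
curl --insecure -vvI https://192.168.XX.XX:9443 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'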
(image)自定义站点项
# Per-site custom nginx directives; the file sits under the resources/nginx
# directory that tengine mounts as /etc/nginx. The suffix presumably matches
# the site's id in the management UI -- confirm there before editing.
vim /data/waf/resources/nginx/custom_params/backend_2
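# Custom directives for one protected site (presumably included into that
# site's server block by the generated config -- confirm in /etc/nginx).
access_log /var/log/nginx/wiki_access.log main;

# Upstream that needs WebSocket upgrades: HTTP/1.1 plus the Upgrade/Connection
# header pair.
location /synchrony {
    proxy_pass http://192.168.77.12:8091;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # Straight quotes: typographic quotes would be sent as part of the value.
    proxy_set_header Connection "upgrade";
}

# Because proxy_pass uses a variable ($1), nginx passes the URI exactly as
# written and does not append the query string on its own; $is_args$args
# restores it. Note that $1 keeps its leading slash, so the upstream path
# starts with "//".
location ~ ^/techref(.*)$ {
    proxy_pass http://192.168.77.12:8092/$1$is_args$args;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

# `~ /backend/` is unanchored: it also matches any URI that merely contains
# "/backend/", while the rewrite only strips a leading /backend. Anchor it
# (`^/backend/`) if only that prefix is meant.
location ~ /backend/ {
    rewrite ^/backend(/.*)$ $1 break;
    proxy_pass http://192.168.192.85:9080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /erp {
    proxy_pass http://192.168.113.101:32221;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}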
版本更新
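# Manual upgrade: fetch the tags referenced by IMAGE_TAG, recreate the stack,
# then drop dangling images. With IMAGE_TAG=latest this pulls whatever the
# registry currently labels latest, so check the release notes first.
docker-compose -f compose.yml pull
docker-compose -f compose.yml down
docker-compose -f compose.yml up -d --remove-orphans
docker image prune

# Vendor upgrade script, an alternative to the four commands above. It is
# piped straight into bash, and -k disables certificate verification for the
# download, which removes the only integrity check on what gets executed.
# Drop -k unless the host's certificate genuinely fails to validate, and
# prefer saving the script to a file and reading it before running it.
bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/upgrade.sh)"

# Remove untagged (<none>) safeline images left behind by earlier pulls.
docker rmi $(docker images | grep "safeline" | grep "none" | awk '{print $3}')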
添加防护站点
(image)添加防护白名单