1、雷池waf是干什么的?
防止网络攻击:
雷池WAF能够检测和阻止多种常见的网络攻击,如SQL注入、跨站脚本攻击(XSS)、文件包含漏洞等,从而保护Web应用程序的安全。
流量监控与分析:
WAF可以实时监控流量,分析用户请求,识别潜在的安全威胁,并生成相关报告,帮助管理员了解应用程序的使用情况和安全态势。
访问控制:
通过配置WAF,可以设置访问权限,限制某些IP地址或用户组访问Web应用,从而增强安全性。
恶意请求过来:
雷池WAF可以根据设定的规则,自动过滤掉一些恶意的请求,比如爬虫请求、DDoS攻击等,从而减轻服务器负担和潜在风险。
符合合规要求:
许多行业对数据保护和隐私有着严格的合规要求,使用WAF可以帮助企业满足这些合规性标准。
2、创建SafeLine目录:
mkdir SafeLine
3、进入SafeLine目录:
cd /root/SafeLine
4、下载docker-compose.yml 文件:
下载文件:wget "https://waf-ce.chaitin.cn/release/latest/compose.yaml"
networks:
safeline-ce:
name: safeline-ce
driver: bridge
ipam:
driver: default
config:
- gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
subnet: ${SUBNET_PREFIX}.0/24
driver_opts:
com.docker.network.bridge.name: safeline-ce
services:
postgres:
container_name: safeline-pg
restart: always
image: ${IMAGE_PREFIX}/safeline-postgres:15.2
volumes:
- ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
- /etc/localtime:/etc/localtime:ro
environment:
- POSTGRES_USER=safeline-ce
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
networks:
safeline-ce:
ipv4_address: ${SUBNET_PREFIX}.2
command: [postgres, -c, max_connections=600]
healthcheck:
test: pg_isready -U safeline-ce -d safeline-ce
mgt:
container_name: safeline-mgt
restart: always
image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
volumes:
- /etc/localtime:/etc/localtime:ro
- ${SAFELINE_DIR}/resources/mgt:/app/data
- ${SAFELINE_DIR}/logs/nginx:/app/log/nginx:z
ports:
- ${MGT_PORT:-9443}:1443
healthcheck:
test: curl -k -f https://localhost:1443/api/open/health
environment:
- MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
depends_on:
- postgres
- fvm
logging:
options:
max-size: "100m"
max-file: "5"
networks:
safeline-ce:
ipv4_address: ${SUBNET_PREFIX}.4
detect:
container_name: safeline-detector
restart: always
image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}
volumes:
- ${SAFELINE_DIR}/resources/detector:/resources/detector
- ${SAFELINE_DIR}/logs/detector:/logs/detector
- /etc/localtime:/etc/localtime:ro
environment:
- LOG_DIR=/logs/detector
networks:
safeline-ce:
ipv4_address: ${SUBNET_PREFIX}.5
mario:
container_name: safeline-mario
restart: always
image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}
volumes:
- ${SAFELINE_DIR}/resources/mario:/resources/mario
- ${SAFELINE_DIR}/logs/mario:/logs/mario
- /etc/localtime:/etc/localtime:ro
environment:
- LOG_DIR=/logs/mario
- GOGC=100
- DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce
logging:
options:
max-size: "100m"
max-file: "5"
networks:
safeline-ce:
ipv4_address: ${SUBNET_PREFIX}.6
tengine:
container_name: safeline-tengine
restart: always
image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/resolv.conf:/etc/resolv.conf:ro
- ${SAFELINE_DIR}/resources/nginx:/etc/nginx
- ${SAFELINE_DIR}/resources/detector:/resources/detector
- ${SAFELINE_DIR}/resources/chaos:/resources/chaos
- ${SAFELINE_DIR}/logs/nginx:/var/log/nginx:z
- ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
environment:
- TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
- TCD_SNSERVER=${SUBNET_PREFIX}.5:8000
# deprecated
- SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
ulimits:
nofile: 131072
network_mode: host
luigi:
container_name: safeline-luigi
restart: always
image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}
environment:
- MGT_IP=${SUBNET_PREFIX}.4
- LUIGI_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
volumes:
- /etc/localtime:/etc/localtime:ro
- ${SAFELINE_DIR}/resources/luigi:/app/data
logging:
options:
max-size: "100m"
max-file: "5"
depends_on:
- detect
- mgt
networks:
safeline-ce:
ipv4_address: ${SUBNET_PREFIX}.7
fvm:
container_name: safeline-fvm
restart: always
image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
volumes:
- /etc/localtime:/etc/localtime:ro
logging:
options:
max-size: "100m"
max-file: "5"
networks:
safeline-ce:
ipv4_address: ${SUBNET_PREFIX}.8
bridge:
container_name: safeline-bridge
restart: always
image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}
command:
- /app/bridge
- serve
- -n
- unix
- -a
- /app/run/safeline.sock
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run:/app/run
logging:
options:
max-size: "100m"
max-file: "5"
networks:
safeline-ce:
ipv4_address: ${SUBNET_PREFIX}.9
depends_on:
- mgt
chaos:
container_name: safeline-chaos
restart: always
image: ${IMAGE_PREFIX}/safeline-chaos:${IMAGE_TAG}
logging:
options:
max-size: "100m"
max-file: "10"
volumes:
- ${SAFELINE_DIR}/resources/chaos:/app/chaos
networks:
safeline-ce:5、创建.evn文件:
cat >> .env <<EOF
SAFELINE_DIR=$(pwd)
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
EOF6、部署服务:
docker compose up -d
7、查看服务是否正常启动:
docker compose ps
8、获取雷池waf的用户名+密码:
docker exec safeline-mgt resetadmin
9、web界面登录:
https://<你服务器的IP>:9443/
10、配置雷池waf,防护网站
11、服务报错,无法正常启动怎么解决?
报错信息如下:
✘ Network safeline-ce Error 0.0s
failed to create network safeline-ce: Error response from daemon: invalid pool request: Pool overlaps with other one on this address space
修改.evn文件:
SUBNET_PREFIX=172.22.222 ---> 替换为 SUBNET_PREFIX=172.222.22
重启服务:
docker compose restart
注意:
80端口被占用,服务会不正常
本质是让流量先进入雷池,再从雷池去对应服务