雷池防火墙6.3.0安装记录

WEB服务器,在互联网上,不可避免的遇到安全问题,推荐一款免费的WAF.

一、基础环境

$ uname -a
Linux open-boots-1.localdomain 5.14.0-60.el9.x86_64 #1 SMP PREEMPT Tue Feb 15 06:49:54 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ uname -r
5.14.0-60.el9.x86_64
$ uname -m
x86_64
$ dnf install tar git g++ -y SourceByrd's Blog-https://note.t4x.org/basic/config-safeline-waf/

二、安装配置

2.0 Docker安装

sudo dnf -y install dnf-plugins-core sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin sudo systemctl enable --now docker

0 1 2 3

sudo dnf -y install dnf-plugins-core sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin sudo systemctl enable --now docker

2.1 创建目录

mkdir /data/safeline

0	mkdir /data/safeline

2.2 下载脚本

cd "/data/safeline" wget "https://waf-ce.chaitin.cn/release/latest/compose.yaml"

0 1	cd "/data/safeline" wget "https://waf-ce.chaitin.cn/release/latest/compose.yaml"

2.3 环境变量

cat >> /data/safeline/.env <<BYRD SAFELINE_DIR=/data/safeline IMAGE_TAG=6.3.0 #最新版请修改为latest MGT_PORT=9443 POSTGRES_PASSWORD=yourpassword SUBNET_PREFIX=172.22.222 IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline ARCH_SUFFIX= RELEASE= BYRD

0 1 2 3 4 5 6 7 8 9

cat >> /data/safeline/.env <<BYRD SAFELINE_DIR=/data/safeline IMAGE_TAG=6.3.0    #最新版请修改为latest MGT_PORT=9443 POSTGRES_PASSWORD=yourpassword SUBNET_PREFIX=172.22.222 IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline ARCH_SUFFIX= RELEASE= BYRD

2.4 启动

docker compose up -d

0	docker compose up -d

2.5 6.3.0 compose

cat compose.yaml networks: safeline-ce: name: safeline-ce driver: bridge ipam: driver: default config: - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1 subnet: ${SUBNET_PREFIX}.0/24 driver_opts: com.docker.network.bridge.name: safeline-ce services: postgres: container_name: safeline-pg restart: always image: ${IMAGE_PREFIX}/safeline-postgres:15.2 volumes: - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data - /etc/localtime:/etc/localtime:ro environment: - POSTGRES_USER=safeline-ce - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required} networks: safeline-ce: ipv4_address: ${SUBNET_PREFIX}.2 command: [postgres, -c, max_connections=600] healthcheck: test: pg_isready -U safeline-ce -d safeline-ce mgt: container_name: safeline-mgt restart: always image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required} volumes: - /etc/localtime:/etc/localtime:ro - ${SAFELINE_DIR}/resources/mgt:/app/data ports: - ${MGT_PORT:-9443}:1443 healthcheck: test: curl -k -f https://localhost:1443/api/open/health environment: - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable depends_on: - postgres - fvm logging: options: max-size: "100m" max-file: "5" networks: safeline-ce: ipv4_address: ${SUBNET_PREFIX}.4 detect: container_name: safeline-detector restart: always image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG} volumes: - ${SAFELINE_DIR}/resources/detector:/resources/detector - ${SAFELINE_DIR}/logs/detector:/logs/detector - /etc/localtime:/etc/localtime:ro environment: - LOG_DIR=/logs/detector networks: safeline-ce: ipv4_address: ${SUBNET_PREFIX}.5 mario: container_name: safeline-mario restart: always image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG} volumes: - ${SAFELINE_DIR}/resources/mario:/resources/mario - ${SAFELINE_DIR}/logs/mario:/logs/mario - /etc/localtime:/etc/localtime:ro environment: - LOG_DIR=/logs/mario - GOGC=100 - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce logging: options: max-size: "100m" max-file: "5" networks: safeline-ce: ipv4_address: ${SUBNET_PREFIX}.6 tengine: container_name: safeline-tengine restart: always image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG} volumes: - /etc/localtime:/etc/localtime:ro - /etc/resolv.conf:/etc/resolv.conf:ro - ${SAFELINE_DIR}/resources/nginx:/etc/nginx - ${SAFELINE_DIR}/resources/detector:/resources/detector - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache - ${SAFELINE_DIR}/resources/chaos:/resources/chaos - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx:z - ${SAFELINE_DIR}/resources/sock:/app/sock environment: - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000 # deprecated - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000 ulimits: nofile: 131072 network_mode: host luigi: container_name: safeline-luigi restart: always image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG} environment: - MGT_IP=${SUBNET_PREFIX}.4 volumes: - /etc/localtime:/etc/localtime:ro - ${SAFELINE_DIR}/resources/luigi:/app/data logging: options: max-size: "100m" max-file: "5" depends_on: - detect - mgt networks: safeline-ce: ipv4_address: ${SUBNET_PREFIX}.7 fvm: container_name: safeline-fvm restart: always image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG} volumes: - /etc/localtime:/etc/localtime:ro logging: options: max-size: "100m" max-file: "5" networks: safeline-ce: ipv4_address: ${SUBNET_PREFIX}.8 bridge: container_name: safeline-bridge restart: always image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG} command: - /app/bridge - serve - -n - unix - -a - /app/run/safeline.sock volumes: - /etc/localtime:/etc/localtime:ro - /var/run:/app/run logging: options: max-size: "100m" max-file: "5" networks: safeline-ce: ipv4_address: ${SUBNET_PREFIX}.9 depends_on: - mgt chaos: container_name: safeline-chaos restart: always image: ${IMAGE_PREFIX}/safeline-chaos${ARCH_SUFFIX}${RELEASE}:${IMAGE_TAG} logging: options: max-size: "100m" max-file: "10" volumes: - ${SAFELINE_DIR}/resources/sock:/app/sock - ${SAFELINE_DIR}/resources/chaos:/app/chaos networks: safeline-ce: ipv4_address: ${SUBNET_PREFIX}.10

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

cat compose.yaml networks:   safeline-ce:     name: safeline-ce     driver: bridge     ipam:       driver: default       config:         - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1           subnet: ${SUBNET_PREFIX}.0/24     driver_opts:       com.docker.network.bridge.name: safeline-ce   services:   postgres:     container_name: safeline-pg     restart: always     image: ${IMAGE_PREFIX}/safeline-postgres:15.2     volumes:       - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data       - /etc/localtime:/etc/localtime:ro     environment:       - POSTGRES_USER=safeline-ce       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}     networks:       safeline-ce:         ipv4_address: ${SUBNET_PREFIX}.2     command: [postgres, -c, max_connections=600]     healthcheck:       test: pg_isready -U safeline-ce -d safeline-ce   mgt:     container_name: safeline-mgt     restart: always     image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}     volumes:       - /etc/localtime:/etc/localtime:ro       - ${SAFELINE_DIR}/resources/mgt:/app/data     ports:       - ${MGT_PORT:-9443}:1443     healthcheck:       test: curl -k -f https://localhost:1443/api/open/health     environment:       - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable     depends_on:       - postgres       - fvm     logging:       options:         max-size: "100m"         max-file: "5"     networks:       safeline-ce:         ipv4_address: ${SUBNET_PREFIX}.4   detect:     container_name: safeline-detector     restart: always     image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}     volumes:       - ${SAFELINE_DIR}/resources/detector:/resources/detector       - ${SAFELINE_DIR}/logs/detector:/logs/detector       - /etc/localtime:/etc/localtime:ro     environment:       - LOG_DIR=/logs/detector     networks:       safeline-ce:         ipv4_address: ${SUBNET_PREFIX}.5   mario:     container_name: safeline-mario     restart: always     image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}     volumes:       - ${SAFELINE_DIR}/resources/mario:/resources/mario       - ${SAFELINE_DIR}/logs/mario:/logs/mario       - /etc/localtime:/etc/localtime:ro     environment:       - LOG_DIR=/logs/mario       - GOGC=100       - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce     logging:       options:         max-size: "100m"         max-file: "5"     networks:       safeline-ce:         ipv4_address: ${SUBNET_PREFIX}.6   tengine:     container_name: safeline-tengine     restart: always     image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}     volumes:       - /etc/localtime:/etc/localtime:ro       - /etc/resolv.conf:/etc/resolv.conf:ro       - ${SAFELINE_DIR}/resources/nginx:/etc/nginx       - ${SAFELINE_DIR}/resources/detector:/resources/detector       - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx       - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache       - ${SAFELINE_DIR}/resources/chaos:/resources/chaos       - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx:z       - ${SAFELINE_DIR}/resources/sock:/app/sock     environment:       - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server       - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000       # deprecated       - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000     ulimits:       nofile: 131072     network_mode: host   luigi:     container_name: safeline-luigi     restart: always     image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}     environment:       - MGT_IP=${SUBNET_PREFIX}.4     volumes:       - /etc/localtime:/etc/localtime:ro       - ${SAFELINE_DIR}/resources/luigi:/app/data     logging:       options:         max-size: "100m"         max-file: "5"     depends_on:       - detect       - mgt     networks:       safeline-ce:         ipv4_address: ${SUBNET_PREFIX}.7   fvm:     container_name: safeline-fvm     restart: always     image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}     volumes:       - /etc/localtime:/etc/localtime:ro     logging:       options:         max-size: "100m"         max-file: "5"     networks:       safeline-ce:         ipv4_address: ${SUBNET_PREFIX}.8   bridge:     container_name: safeline-bridge     restart: always     image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}     command:       - /app/bridge       - serve       - -n       - unix       - -a       - /app/run/safeline.sock     volumes:       - /etc/localtime:/etc/localtime:ro       - /var/run:/app/run     logging:       options:         max-size: "100m"         max-file: "5"     networks:       safeline-ce:         ipv4_address: ${SUBNET_PREFIX}.9     depends_on:       - mgt   chaos:     container_name: safeline-chaos     restart: always     image: ${IMAGE_PREFIX}/safeline-chaos${ARCH_SUFFIX}${RELEASE}:${IMAGE_TAG}     logging:       options:         max-size: "100m"         max-file: "10"     volumes:       - ${SAFELINE_DIR}/resources/sock:/app/sock       - ${SAFELINE_DIR}/resources/chaos:/app/chaos     networks:       safeline-ce:         ipv4_address: ${SUBNET_PREFIX}.10

SourceByrd's Blog-https://note.t4x.org/basic/config-safeline-waf/

三、其他信息

之所以使用6.3.0是因为我从5.x升级到最新版本以后,发现以前很多free的功能开始收费了.降了一下版本。 SourceByrd's Blog-https://note.t4x.org/basic/config-safeline-waf/

官方资料：
1：https://docs.waf-ce.chaitin.cn/
2：https://github.com/chaitin/SafeLine/SourceByrd's Blog-https://note.t4x.org/basic/config-safeline-waf/ SourceByrd's Blog-https://note.t4x.org/basic/config-safeline-waf/