
Deploying SafeLine (雷池) with the site and the database separated

Posted: 2024-03-20 22:44:55

Introduction

About SafeLine

According to the official documentation, SafeLine (雷池) is a WAF that Chaitin Tech has spent close to 10 years building; its core detection capability is driven by an intelligent semantic-analysis algorithm. It is designed to be convenient, secure, high-performance and highly available. SafeLine is deployed as a reverse proxy: it inspects and filters the incoming traffic and forwards the filtered traffic to the web server.

Container services

Name | Role | Details
--- | --- | ---
safeline-mgt | management container | receives actions from the admin console and pushes messages to the other services and containers
safeline-detector | detection container | runs the detection; traffic entering through Tengine is forwarded to this node for inspection
safeline-mario | log container | records and aggregates malicious behaviour
safeline-tengine | gateway | forwarding gateway with basic filtering
safeline-pg | relational database | stores attack logs, protected sites and allow/deny list configuration

Administrators configure the WAF through safeline-mgt, for example to:

  • modify the Tengine configuration files and reload Tengine

  • define custom allow/deny lists that safeline-detector uses during detection

  • read the postgres database and return logs, statistics, system configuration and so on to the administrator

More details are available on the SafeLine website. This article focuses on how to separate the site from the database by customising the deployment parameters.

Deployment

If docker compose is already installed, SafeLine can be deployed with docker compose. Two files are involved: .env and compose.yaml. The first stores the environment variables, the second is the docker compose startup configuration. The two files below were obtained after running the official installer script and can be used directly for a docker compose deployment.

.env file contents:

SAFELINE_DIR=/root/safeline
IMAGE_TAG=latest
MGT_PORT=9887
POSTGRES_PASSWORD=3JsfPsx2SlJyJhK8hk9sWk8D0mhJQ7yG
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline

Parameter | Meaning
--- | ---
SAFELINE_DIR | SafeLine root directory
IMAGE_TAG | image version
MGT_PORT | host port mapped to the management console
POSTGRES_PASSWORD | database password
SUBNET_PREFIX | subnet prefix
IMAGE_PREFIX | image source (registry)

compose.yml file contents:

networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce

services:
  postgres:
    container_name: safeline-pg
    restart: always
    image: swr.cn-east-3.myhuaweicloud.com/chaitin-safeline/postgres:15.2
    volumes:
      - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - POSTGRES_USER=safeline-ce
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    command: [postgres, -c, max_connections=200]
  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/mgt:/app/data
    healthcheck:
      test: curl -k -f https://localhost:1443/api/open/health
    environment:
      - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
    depends_on:
      - postgres
      - fvm
    dns:
      - 119.29.29.29
      - 223.5.5.5
      - 180.76.76.76
      - 1.2.4.8
      - 114.114.114.114
      - 8.8.8.8
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/detector:/logs/detector
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5
  mario:
    container_name: safeline-mario
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/mario:/resources/mario
      - ${SAFELINE_DIR}/logs/mario:/logs/mario
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/mario
      - GOGC=100
      - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6
  tengine:
    container_name: safeline-tengine
    restart: always
    image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx
      - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
    environment:
      - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
      - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000
      # deprecated
      - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
    ulimits:
      nofile: 131072
    network_mode: host
  luigi:
    container_name: safeline-luigi
    restart: always
    image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}
    environment:
      - MGT_IP=${SUBNET_PREFIX}.4
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/luigi:/app/data
    depends_on:
      - detect
      - mgt
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.7
  fvm:
    container_name: safeline-fvm
    restart: always
    image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.8
  bridge:
    container_name: safeline-bridge
    restart: always
    image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}
    command:
      - /app/bridge
      - serve
      - -n
      - unix
      - -a
      - /app/run/safeline.sock
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run:/app/run
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.9
    depends_on:
      - mgt
      - postgres

Official deployment

There are two methods, online and offline installation; see the official SafeLine documentation for details.

Manual deployment with the site and database separated

With a manual deployment the site and the database can be separated. The benefit is relieving resource pressure on low-spec servers: if the server's memory fills up when SafeLine starts, separating the database is an option.

Changing the subnet (only when a custom subnet is needed)

Change SUBNET_PREFIX in .env to an unused subnet; the mask must be 24 bits.

Changing the database

  • In compose.yml, change MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable in the mgt container configuration (line 40)

  • In compose.yml, change DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce in the mario container configuration (line 82)

  • Remove the postgres container

  • Remove postgres from the depends_on list of bridge

Site/database separation example

Custom settings for this deployment:

  • subnet 192.168.133.0

  • a PostgreSQL database

  • access through a domain name on port 80

.env file:

SAFELINE_DIR=/root/safeline
IMAGE_TAG=latest
MGT_PORT=9887
SUBNET_PREFIX=192.168.133
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline

The POSTGRES_PASSWORD field can be removed. To make later upgrades easier, it is not recommended to remove MGT_PORT.

compose.yml file:

networks:    
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce

services:
  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/mgt:/app/data
    ports:
      - ${MGT_PORT:-9443}:1443    #    port mapping for mgt
    healthcheck:
      test: curl -k -f https://localhost:1443/api/open/health
    environment:
      - MGT_PG=postgres://root:[email protected]:5432/safeline-ce?sslmode=disable          #    database connection settings
    depends_on:
      - fvm
    dns:
      - 119.29.29.29
      - 223.5.5.5
      - 180.76.76.76
      - 1.2.4.8
      - 114.114.114.114
      - 8.8.8.8
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/detector:/logs/detector
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5
  mario:
    container_name: safeline-mario
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/mario:/resources/mario
      - ${SAFELINE_DIR}/logs/mario:/logs/mario
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/mario
      - GOGC=100
      - DATABASE_URL=postgres://root:[email protected]:5432/safeline-ce          #    database connection settings
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6
  tengine:
    container_name: safeline-tengine
    restart: always
    image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx
      - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
    environment:
      - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
      - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000
      # deprecated
      - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
    ulimits:
      nofile: 131072
    network_mode: host
  luigi:
    container_name: safeline-luigi
    restart: always
    image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}
    environment:
      - MGT_IP=${SUBNET_PREFIX}.4
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/luigi:/app/data
    depends_on:
      - detect
      - mgt
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.7
  fvm:
    container_name: safeline-fvm
    restart: always
    image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.8
  bridge:
    container_name: safeline-bridge
    restart: always
    image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}
    command:
      - /app/bridge
      - serve
      - -n
      - unix
      - -a
      - /app/run/safeline.sock
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run:/app/run
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.9
    depends_on:
      - mgt

Change the connection settings to the form postgres://[username]:[password]@[host]:[port]/[database]?sslmode=disable, and create the database beforehand. Once the edits are done, start the stack with docker compose up -d.

 

To allow access through the domain name only, add a site under "Protected sites - Add site":

(screenshot: waftest.png)

After clicking Submit, the port mapping of mgt can be removed; run docker compose restart so that the console is reachable only through the domain name on port 80.

To keep the console from being discovered by scanning, it is recommended to use a domain name that contains a long random string.

 

Closing notes

The site/database separation described in this article applies to version 5.0.0; other versions can use it as a reference. If you have questions, leave a comment below.

From: https://www.cnblogs.com/bengbengzhadan/p/18086293
