# SafeLine (雷池) deployment with the database on a separate host (站库分离)

## Introduction

### About SafeLine

According to the official documentation, SafeLine (雷池) is a WAF that Chaitin Tech (长亭科技) spent close to ten years building; its core detection is driven by a semantic-analysis engine, and it is positioned as convenient, secure, high-performance and highly available. SafeLine is deployed as a reverse proxy: it inspects and filters incoming traffic and forwards the cleaned traffic to the web server behind it.
### Container services

| Name | Role | Details |
|---|---|---|
| safeline-mgt | management container | receives actions from the admin console and pushes messages to the other services and containers |
| safeline-detector | detection container | performs detection; traffic entering through Tengine is forwarded to this node for inspection |
| safeline-mario | log container | records and aggregates malicious behaviour |
| safeline-tengine | gateway | forwarding gateway with some simple filtering |
| safeline-pg | relational database | stores attack logs, protected sites and allow/deny-list configuration |
Administrators configure the WAF through safeline-mgt, which among other things:

- edits the tengine configuration files and reloads tengine
- maintains custom allow/deny lists that safeline-detector uses during detection
- reads the postgres database and returns logs, statistics and system configuration to the administrator

More detail is available on the SafeLine website. This article focuses on how to use custom parameters to run SafeLine with its database on a separate host (站库分离).
## Deployment

With docker compose already installed, SafeLine can be deployed with docker compose. Two files are involved: `.env`, which holds environment variables, and `compose.yaml`, the docker compose start-up configuration. The two files below were captured after an install with the official script and can be reused for a docker compose deployment.

The `.env` file:

```ini
SAFELINE_DIR=/root/safeline
IMAGE_TAG=latest
MGT_PORT=9887
POSTGRES_PASSWORD=3JsfPsx2SlJyJhK8hk9sWk8D0mhJQ7yG
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline
```
| Parameter | Meaning |
|---|---|
| SAFELINE_DIR | SafeLine root directory |
| IMAGE_TAG | image version |
| MGT_PORT | host port mapped to the admin console |
| POSTGRES_PASSWORD | database password |
| SUBNET_PREFIX | subnet prefix of the container network |
| IMAGE_PREFIX | image registry prefix |
The `compose.yaml` file:

```yaml
networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce

services:
  postgres:
    container_name: safeline-pg
    restart: always
    image: swr.cn-east-3.myhuaweicloud.com/chaitin-safeline/postgres:15.2
    volumes:
      - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - POSTGRES_USER=safeline-ce
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    command: [postgres, -c, max_connections=200]
  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/mgt:/app/data
    healthcheck:
      test: curl -k -f https://localhost:1443/api/open/health
    environment:
      - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
    depends_on:
      - postgres
      - fvm
    dns:
      - 119.29.29.29
      - 223.5.5.5
      - 180.76.76.76
      - 1.2.4.8
      - 114.114.114.114
      - 8.8.8.8
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/detector:/logs/detector
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5
  mario:
    container_name: safeline-mario
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/mario:/resources/mario
      - ${SAFELINE_DIR}/logs/mario:/logs/mario
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/mario
      - GOGC=100
      - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6
  tengine:
    container_name: safeline-tengine
    restart: always
    image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx
      - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
    environment:
      - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
      - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000 # deprecated
      - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
    ulimits:
      nofile: 131072
    network_mode: host
  luigi:
    container_name: safeline-luigi
    restart: always
    image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}
    environment:
      - MGT_IP=${SUBNET_PREFIX}.4
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/luigi:/app/data
    depends_on:
      - detect
      - mgt
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.7
  fvm:
    container_name: safeline-fvm
    restart: always
    image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.8
  bridge:
    container_name: safeline-bridge
    restart: always
    image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}
    command:
      - /app/bridge
      - serve
      - -n
      - unix
      - -a
      - /app/run/safeline.sock
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run:/app/run
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.9
    depends_on:
      - mgt
      - postgres
```
### Official deployment

The official procedure offers an online install and an offline install; see the SafeLine official documentation for both.
### Manual deployment with a separate database

A manual deployment makes it possible to run the database away from the WAF host. The benefit is relief for low-spec servers: if memory is exhausted when SafeLine starts, moving PostgreSQL to another machine is a practical fix. Note that the database then becomes a network service rather than a container on a private bridge, so the connection settings below deserve the same care as any other exposed credential.

#### Changing the subnet (only when a custom subnet is needed)

Set `SUBNET_PREFIX` in `.env` to an unused network. The mask must be 24 bits, so only the first three octets are given.
#### Pointing at the external database

- In `compose.yaml`, in the mgt service, change `MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable` (line 40 of the file as generated by the installer) to the external database URL
- In `compose.yaml`, in the mario service, change `DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce` (line 82) to the external database URL
- Delete the postgres service
- Remove `postgres` from the `depends_on` list of bridge, and likewise from the `depends_on` list of mgt, which also names it; a `depends_on` entry that refers to a service no longer defined stops docker compose from starting the project
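The four edits above are mechanical, so here is an added example that applies them to the compose file and refuses to emit a file with a dangling `depends_on`. It is not part of the page or of SafeLine; it assumes the two-space indentation of the installer-generated compose.yaml, uses only the standard library, and works on a constructed, trimmed-down sample rather than the full file above. The DSN values passed in are placeholders.

```python
import re

# Constructed sample in the shape of the installer's compose.yaml, trimmed to the
# keys the procedure touches; it is not the page's own file.
SAMPLE_COMPOSE = """\
networks:
  safeline-ce:
    name: safeline-ce
services:
  postgres:
    container_name: safeline-pg
    environment:
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
  mgt:
    container_name: safeline-mgt
    environment:
      - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
    depends_on:
      - postgres
      - fvm
  mario:
    container_name: safeline-mario
    environment:
      - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce
  fvm:
    container_name: safeline-fvm
  bridge:
    container_name: safeline-bridge
    depends_on:
      - mgt
      - postgres
"""

SERVICE_RE = re.compile(r"^  ([A-Za-z0-9_.-]+):\s*$")   # a key indented two spaces


def _walk(text):
    """Yield (line, top_level_key, service_name) while tracking the 2-space layout."""
    top, svc = None, None
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):
            top, svc = line.split(":", 1)[0], None
        elif top == "services" and (m := SERVICE_RE.match(line)):
            svc = m.group(1)
        yield line, top, svc


def remove_service(text, name):
    """Step 3: drop services.<name> (the bundled postgres container)."""
    keep = [l for l, top, svc in _walk(text) if not (top == "services" and svc == name)]
    return "\n".join(keep) + "\n"


def replace_env(text, key, value):
    """Steps 1 and 2: rewrite every '- KEY=...' entry to the new value."""
    pat = re.compile(rf"^(\s*-\s*{re.escape(key)}=).*$", re.M)
    new, n = pat.subn(lambda m: m.group(1) + value, text)   # lambda: no $ or \ escaping issues
    if n == 0:
        raise ValueError(f"{key}= not found")
    return new


def drop_dependency(text, dep):
    """Step 4: remove '- dep' from every depends_on list; drop a list left empty."""
    out, block = [], None          # block = pending depends_on header + surviving entries
    for line in text.splitlines():
        s = line.strip()
        if block is not None:
            if s.startswith("- "):
                if s[2:].strip() != dep:
                    block.append(line)
                continue
            if len(block) > 1:
                out.extend(block)
            block = None
        if s == "depends_on:":
            block = [line]
        else:
            out.append(line)
    if block is not None and len(block) > 1:
        out.extend(block)
    return "\n".join(out) + "\n"


def dangling_dependencies(text):
    """(service, dependency) pairs whose dependency is not defined any more."""
    services = {svc for _, top, svc in _walk(text) if top == "services" and svc}
    missing, in_dep = [], False
    for line, _, svc in _walk(text):
        s = line.strip()
        if s == "depends_on:":
            in_dep = True
        elif in_dep and s.startswith("- "):
            if s[2:].strip() not in services:
                missing.append((svc, s[2:].strip()))
        else:
            in_dep = False
    return missing


def separate_database(text, mgt_dsn, mario_dsn):
    """Apply all four edits; raise rather than write a file compose would reject."""
    text = remove_service(text, "postgres")
    text = replace_env(text, "MGT_PG", mgt_dsn)
    text = replace_env(text, "DATABASE_URL", mario_dsn)
    text = drop_dependency(text, "postgres")
    missing = dangling_dependencies(text)
    if missing:
        raise RuntimeError(f"dangling depends_on entries: {missing}")
    return text


if __name__ == "__main__":
    print(separate_database(
        SAMPLE_COMPOSE,
        "postgres://safeline:${POSTGRES_PASSWORD}@10.0.0.5:5432/safeline-ce?sslmode=require",
        "postgres://safeline:${POSTGRES_PASSWORD}@10.0.0.5:5432/safeline-ce"))
```

The DSNs are passed in as `${POSTGRES_PASSWORD}` references on purpose: the secret stays in `.env` instead of being written into compose.yaml. `dangling_dependencies` is the check to run even when editing by hand, because the stock file names postgres under two services, not one.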
### Worked example

What this deployment customises:

- subnet 192.168.133.0/24
- an external PostgreSQL database
- access to the console via a domain name on port 80

The `.env` file:

```ini
SAFELINE_DIR=/root/safeline
IMAGE_TAG=latest
MGT_PORT=9887
SUBNET_PREFIX=192.168.133
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline
```

The `POSTGRES_PASSWORD` entry can be dropped. `MGT_PORT` should stay, since later upgrades are easier with it present.
The `compose.yaml` file:

```yaml
networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce

services:
  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/mgt:/app/data
    ports:
      - ${MGT_PORT:-9443}:1443 # mgt port mapping
    healthcheck:
      test: curl -k -f https://localhost:1443/api/open/health
    environment:
      - MGT_PG=postgres://root:SafeLine666.@1.1.1.1:5432/safeline-ce?sslmode=disable # database connection
    depends_on:
      - fvm
    dns:
      - 119.29.29.29
      - 223.5.5.5
      - 180.76.76.76
      - 1.2.4.8
      - 114.114.114.114
      - 8.8.8.8
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/detector:/logs/detector
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5
  mario:
    container_name: safeline-mario
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/mario:/resources/mario
      - ${SAFELINE_DIR}/logs/mario:/logs/mario
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/mario
      - GOGC=100
      - DATABASE_URL=postgres://root:SafeLine666.@1.1.1.1:5432/safeline-ce # database connection
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6
  tengine:
    container_name: safeline-tengine
    restart: always
    image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx
      - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
    environment:
      - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
      - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000 # deprecated
      - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
    ulimits:
      nofile: 131072
    network_mode: host
  luigi:
    container_name: safeline-luigi
    restart: always
    image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}
    environment:
      - MGT_IP=${SUBNET_PREFIX}.4
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/luigi:/app/data
    depends_on:
      - detect
      - mgt
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.7
  fvm:
    container_name: safeline-fvm
    restart: always
    image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.8
  bridge:
    container_name: safeline-bridge
    restart: always
    image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}
    command:
      - /app/bridge
      - serve
      - -n
      - unix
      - -a
      - /app/run/safeline.sock
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run:/app/run
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.9
    depends_on:
      - mgt
```
The connection string has the form `postgres://[username]:[password]@[host]:[port]/[database]?sslmode=disable`. The host `1.1.1.1`, the user `root` and the password `SafeLine666.` in the example stand in for your own database server and credentials. Create the database on that server before starting. Two practical notes: with the database on another host, `sslmode=disable` means the credential and every attack log cross the network in cleartext, so `sslmode=require` (or `verify-full` with a CA certificate) is the setting to use unless the link is otherwise protected; and the real password belongs in `.env` (or a secret store) referenced as `${POSTGRES_PASSWORD}`, not written literally into `compose.yaml`, which is the file most likely to be copied around. Once the edits are done, start the stack with `docker compose up -d`.
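As an added example (not from the page or from SafeLine), the following builds the connection URL from its parts with the credential percent-encoded, parses one back, and applies the review checks discussed above. Everything here uses only the Python standard library; the `dsn_findings` rules are the editor's own, and the placeholder DSN from the page is used only as test input.

```python
import ipaddress
from urllib.parse import parse_qs, quote, unquote, urlsplit


def build_pg_dsn(user, password, host, port, database, sslmode="require"):
    """Assemble postgres://user:password@host:port/database?sslmode=...
    User, password and database are percent-encoded so that '@', '/', ':' or '?'
    in a generated password cannot be mistaken for URL structure."""
    return (f"postgres://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{int(port)}/{quote(database, safe='')}?sslmode={sslmode}")


def parse_pg_dsn(dsn):
    """Split a PostgreSQL URL back into its parts (inverse of build_pg_dsn)."""
    u = urlsplit(dsn)
    if u.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"not a PostgreSQL URL: {dsn!r}")
    return {
        "user": unquote(u.username or ""),
        "password": unquote(u.password or ""),
        "host": u.hostname or "",
        "port": u.port or 5432,
        "database": unquote(u.path.lstrip("/")),
        # libpq's default when sslmode is absent is 'prefer'
        "sslmode": parse_qs(u.query).get("sslmode", ["prefer"])[0],
    }


def _is_remote(host):
    """True for anything other than loopback or a bare compose service name
    such as 'safeline-pg', which stays on the private docker bridge."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host != "localhost" and "." in host


def dsn_findings(dsn):
    """Review checks to run on MGT_PG / DATABASE_URL before `docker compose up`."""
    p = parse_pg_dsn(dsn)
    findings = []
    if _is_remote(p["host"]) and p["sslmode"] in ("disable", "allow", "prefer"):
        findings.append(
            f"sslmode={p['sslmode']} to {p['host']}: with the database on another "
            "host, credentials and attack logs can cross the network in cleartext; "
            "set sslmode=require (or verify-full with a CA certificate)")
    if p["user"] in ("postgres", "root"):
        findings.append(
            f"connecting as '{p['user']}': create a dedicated role that owns only "
            f"the {p['database']} database instead")
    if not p["password"]:
        findings.append("empty password in DSN")
    return findings


if __name__ == "__main__":
    for f in dsn_findings("postgres://root:SafeLine666.@1.1.1.1:5432/safeline-ce?sslmode=disable"):
        print("finding:", f)
    print(build_pg_dsn("safeline", "p@ss/w:rd?1", "10.0.0.5", 5432, "safeline-ce"))
```

Run `dsn_findings` on both the `MGT_PG` and the `DATABASE_URL` values; the stock in-container URL (`@safeline-pg`, `sslmode=disable`) passes, because that traffic never leaves the bridge, while the same settings pointed at an external host do not.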
To reach the console only through a domain name, add the corresponding site configuration under "Protected Sites - Add Site" (防护站点 - 添加站点).

After clicking Submit, remove the mgt port mapping from `compose.yaml` and run `docker compose up -d` so the container is recreated without it; a plain `docker compose restart` only restarts the existing container and does not apply changes to the compose file. The console is then reachable only through the domain on port 80.

To make the console harder to find by scanning, the author recommends using a domain name that contains a long random string. Treat this as obscurity only: the name still leaks through DNS and, once a certificate is issued for it, through certificate transparency logs, so combine it with access control on the console itself.
## Closing

The split deployment in this article applies to version 5.0.0; other versions can use it as a reference. Questions are welcome in the comments below.