雷池站库分离部署

介绍

雷池简介

根据官方文档的介绍,雷池(SafeLine)是长亭科技耗时近 10 年倾情打造的 WAF,核心检测能力由智能语义分析算法驱动。其具有便捷性、安全性、高性能、高可用的特点。雷池通过反向代理的方式接入,来对流量进行检测和过滤,将过滤后的流量转发至网站服务器。

 

容器服务说明

名称

定义

详情

safeline-mgt

管理容器

接收管理后台行为,向其他服务或容器推送消息

safeline-detector

检测容器

执行检测的容器,从Tengine 进入的流量会转发到该节点检测

safeline-mario

日志容器

记录与统计恶意行为的节点

safeline-tengine

网关

转发网关,有简单的过滤功能

safeline-pg

关系型数据库

存储攻击日志、保护站点、黑白名单配置的数据库

对于管理人员,可以通过 safeline-mgt 来配置waf的功能,如:

  • 修改 tengine 的配置文件及对其进行 reload 操作

  • 自定义检测的黑白名单,供 safeline-detector 用于检测

  • 读取 postgres 数据库,向管理人员返回日志、统计、系统配置等

 

更多详情可以访问雷池官网来获取,本篇文章主要讲述如何通过自定义参数来实现雷池的站库分离 。

 

部署

在已经安装docker compose的情况下,可以使用 docker compose 进行部署,主要有两个文件,分别是 .envcompose.yaml,一个是环境变量存储文件,另一个是 docker compose 启动配置文件,以下两个文件是通过脚本部署后获取的,可用于 docker compose 部署

.env 文件内容如下:

SAFELINE_DIR=/root/safeline
IMAGE_TAG=latest
MGT_PORT=9887
POSTGRES_PASSWORD=3JsfPsx2SlJyJhK8hk9sWk8D0mhJQ7yG
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline

 

参数名

表示

SAFELINE_DIR

雷池根路径

IMAGE_TAG

镜像版本

MGT_PORT

管理后台映射端口

POSTGRES_PASSWORD

数据库密码

SUBNET_PREFIX

子网网段

IMAGE_PREFIX

镜像来源

compose.yml 文件内容如下:

networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce

services:
  postgres:
    container_name: safeline-pg
    restart: always
    image: swr.cn-east-3.myhuaweicloud.com/chaitin-safeline/postgres:15.2
    volumes:
      - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - POSTGRES_USER=safeline-ce
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    command: [postgres, -c, max_connections=200]
  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/mgt:/app/data
    healthcheck:
      test: curl -k -f https://localhost:1443/api/open/health
    environment:
      - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
    depends_on:
      - postgres
      - fvm
    dns:
      - 119.29.29.29
      - 223.5.5.5
      - 180.76.76.76
      - 1.2.4.8
      - 114.114.114.114
      - 8.8.8.8
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/detector:/logs/detector
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5
  mario:
    container_name: safeline-mario
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/mario:/resources/mario
      - ${SAFELINE_DIR}/logs/mario:/logs/mario
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/mario
      - GOGC=100
      - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6
  tengine:
    container_name: safeline-tengine
    restart: always
    image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx
      - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
    environment:
      - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
      - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000
      # deprecated
      - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
    ulimits:
      nofile: 131072
    network_mode: host
  luigi:
    container_name: safeline-luigi
    restart: always
    image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}
    environment:
      - MGT_IP=${SUBNET_PREFIX}.4
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/luigi:/app/data
    depends_on:
      - detect
      - mgt
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.7
  fvm:
    container_name: safeline-fvm
    restart: always
    image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.8
  bridge:
    container_name: safeline-bridge
    restart: always
    image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}
    command:
      - /app/bridge
      - serve
      - -n
      - unix
      - -a
      - /app/run/safeline.sock
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run:/app/run
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.9
    depends_on:
      - mgt
      - postgres

 

 

 

官方部署

分为在线安装和离线安装两种方式,具体参考 雷池官方文档

手动站库分离部署

手动部署的情况下可以实现站库分离,其好处在于可以缓解低配服务器的资源分配紧张,在服务器启动雷池时出现内存占满的情况就可以采用站库分离。

修改网段(需要自定义网段时)

.env 中的 SUBNET_PREFIX 修改为未使用的网段即可,掩码需为24位

修改数据库

  • 修改 compose.yml mgt 容器配置中 MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable(40 行)

  • 修改 compose.yml mario 容器配置中 DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce( 82 行)

  • 删除 postgres 容器

  • 删除 bridge-depends_on 中的 postgres

 

站库分离示例

部署自定义的内容:

  • 网段 192.168.133.0

  • PostgreSQL数据库

  • 域名+80端口访问

 

.env 文件如下

SAFELINE_DIR=/root/safeline
IMAGE_TAG=latest
MGT_PORT=9887
SUBNET_PREFIX=192.168.133
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline

 

其中 POSTGRES_PASSWORD 字段可以删除,为方便后续更新,不建议删除 MGT_PORT

 

compose.yml 文件如下:

networks:    
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce

services:
  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/mgt:/app/data
    ports:
      - ${MGT_PORT:-9443}:1443    #    mgt的端口映射
    healthcheck:
      test: curl -k -f https://localhost:1443/api/open/health
    environment:
      - MGT_PG=postgres://root:SafeLine666.@1.1.1.1:5432/safeline-ce?sslmode=disable          #    数据库连接配置
    depends_on:
      - fvm
    dns:
      - 119.29.29.29
      - 223.5.5.5
      - 180.76.76.76
      - 1.2.4.8
      - 114.114.114.114
      - 8.8.8.8
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/detector:/logs/detector
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5
  mario:
    container_name: safeline-mario
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/mario:/resources/mario
      - ${SAFELINE_DIR}/logs/mario:/logs/mario
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/mario
      - GOGC=100
      - DATABASE_URL=postgres://root:SafeLine666.@1.1.1.1:5432/safeline-ce          #    数据库连接配置
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6
  tengine:
    container_name: safeline-tengine
    restart: always
    image: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx
      - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
    environment:
      - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
      - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000
      # deprecated
      - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
    ulimits:
      nofile: 131072
    network_mode: host
  luigi:
    container_name: safeline-luigi
    restart: always
    image: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}
    environment:
      - MGT_IP=${SUBNET_PREFIX}.4
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/luigi:/app/data
    depends_on:
      - detect
      - mgt
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.7
  fvm:
    container_name: safeline-fvm
    restart: always
    image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.8
  bridge:
    container_name: safeline-bridge
    restart: always
    image: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}
    command:
      - /app/bridge
      - serve
      - -n
      - unix·
      - -a
      - /app/run/safeline.sock
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run:/app/run
    logging:
      options:
        max-size: "100m"
        max-file: "10"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.9
    depends_on:
      - mgt

 

连接配置的修改: postgres://[username]:[password]@[host]:[port]/[database]?sslmode=disable,并创建好数据库。修改完成后,使用 docker compose up -d 启动。

 

仅使用域名访问需要在 "防护站点 - 添加站点" 添加配置

waftest.png

点击提交后,就可以删除mgt的端口映射,执行 docker compose restart 实现仅域名+80端口访问。

为防止被扫描出后台,建议申请带有复杂字符串的域名。

 

文末

这篇文章的站库分离适用于 5.0.0 版本,其他版本可用于参考,如有疑问,可以在下方留言。

原文地址:雷池站库分离部署 | Duoduo (seveo.cn)

posted @ 2024-03-20 22:36  蹦蹦炸弹wink  阅读(212)  评论(0编辑  收藏  举报