Trying out the Chaitin WAF CE edition

Chaitin recently released a CE edition of its WAF and open-sourced parts of it (part of the management UI, the t1k part, and part of the semantic-analysis automaton engine).

Running it

# docker-compose.yaml
networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
      - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
        subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce
 
services:
  postgres:
    container_name: safeline-postgres
    restart: always
    image: postgres:15.2
    volumes:
    - ./resources/postgres/data:/var/lib/postgresql/data
    - /etc/localtime:/etc/localtime:ro
    environment:
    - POSTGRES_USER=safeline-ce
    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    cap_drop:
    - net_raw
    command: [postgres, -c, max_connections=200]
  redis:
    container_name: safeline-redis
    restart: always
    image: redis:7.0.11
    volumes:
      - ./resources/redis/data:/data
      - /etc/localtime:/etc/localtime:ro
    # the same POSTGRES_PASSWORD doubles as the redis requirepass; there is no separate redis secret
    command: redis-server --appendonly yes --requirepass ${POSTGRES_PASSWORD}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.3
    cap_drop:
      - net_raw
    sysctls:
      net.core.somaxconn: "511"
  management:
    container_name: safeline-mgt-api
    restart: always
    image: chaitin/safeline-mgt-api:${IMAGE_TAG:?image tag required}
    volumes:
    - ./resources/management:/resources/management
    - ./resources/nginx:/resources/nginx
    - ./logs:/logs
    - /etc/localtime:/etc/localtime:ro
    ports:
    - ${MGT_PORT:-9443}:1443
    environment:
    - MANAGEMENT_RESOURCES_DIR=/resources/management
    - NGINX_RESOURCES_DIR=/resources/nginx
    # 127.0.0.1 here is the management container's own loopback, not safeline-postgres (.2); mario below uses the container hostname instead
    - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@127.0.0.1/safeline-ce
    - MANAGEMENT_LOGS_DIR=/logs/management
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
    cap_drop:
    - net_raw
  detector:
    container_name: safeline-detector
    restart: always
    image: chaitin/safeline-detector:${IMAGE_TAG}
    volumes:
    - ./resources/detector:/resources/detector
    - ./logs/detector:/logs/detector
    - /etc/localtime:/etc/localtime:ro
    environment:
    - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5
    cap_drop:
    - net_raw
  mario:
    container_name: safeline-mario
    restart: always
    image: chaitin/safeline-mario:${IMAGE_TAG}
    volumes:
    - ./resources/mario:/resources/mario
    - ./logs/mario:/logs/mario
    - /etc/localtime:/etc/localtime:ro
    environment:
    - LOG_DIR=/logs/mario
    - GOGC=100
    - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-postgres/safeline-ce
    - REDIS_URL=redis://:${POSTGRES_PASSWORD}@safeline-redis:6379/0
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6
    cap_drop:
    - net_raw
  tengine:
    container_name: safeline-tengine
    restart: always
    image: chaitin/safeline-tengine:${IMAGE_TAG}
    volumes:
    - ./resources/nginx:/etc/nginx   # generated by management, which mounts the same directory as /resources/nginx
    - ./resources/management:/resources/management
    - ./resources/detector:/resources/detector
    - ./logs/nginx:/var/log/nginx
    - /etc/localtime:/etc/localtime:ro
    - ./resources/cache:/usr/local/nginx/cache
    - /etc/resolv.conf:/etc/resolv.conf
    environment:
    - MGT_ADDR=${SUBNET_PREFIX}.4:9002
    ulimits:
      nofile: 131072
    network_mode: host   # tengine binds its listeners directly on the host network stack; MGT_ADDR (.4:9002) is reached through the safeline-ce bridge on the host

.env file

SAFELINE_DIR=$PWD
IMAGE_TAG=latest
MGT_PORT=9443
# sample value from the post; the same secret becomes the redis password and is embedded in DATABASE_URL/REDIS_URL, so generate your own
POSTGRES_PASSWORD=evgpqNU9MglspscuudHwd5GwuQPxv7Vn
SUBNET_PREFIX=169.254.0

Start:

docker-compose up -d
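Rather than copying the .env above verbatim (its POSTGRES_PASSWORD is a sample value that also becomes the redis requirepass and is embedded in DATABASE_URL and REDIS_URL), here is an added helper that generates the file with a fresh secret and validates every value the compose file interpolates. This is my own code, not anything from the post or from the SafeLine project; the key names and defaults are taken from the .env and compose file above, while the 0600 file mode, the 16-character minimum and the [A-Za-z0-9_-] alphabet are my choices.

```python
"""Generate a SafeLine CE .env with a freshly generated secret.

POSTGRES_PASSWORD is interpolated into DATABASE_URL and REDIS_URL and reused as
redis' requirepass, so it must be URL-safe and must not contain '$' (which
compose may treat as a variable reference) or whitespace (the redis command
line is word-split). SUBNET_PREFIX is expanded to ${SUBNET_PREFIX}.0/24 and
.1 .. .6, so it must be exactly three octets.
"""
import ipaddress
import os
import re
import secrets
from pathlib import Path

# keys the compose file above reads from .env, in the order the post lists them
ENV_KEYS = ("SAFELINE_DIR", "IMAGE_TAG", "MGT_PORT", "POSTGRES_PASSWORD", "SUBNET_PREFIX")
PREFIX_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}")
PASSWORD_RE = re.compile(r"[A-Za-z0-9_\-]+")


def gen_password(nbytes: int = 24) -> str:
    """Random secret from [A-Za-z0-9_-]: safe inside a URL and for compose interpolation."""
    return secrets.token_urlsafe(nbytes)


def validate_subnet_prefix(prefix: str) -> str:
    """Accept only the first three octets of a valid /24, e.g. '169.254.0'."""
    if not PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"SUBNET_PREFIX must be three dotted octets, got {prefix!r}")
    ipaddress.ip_network(f"{prefix}.0/24")  # rejects octets above 255
    return prefix


def is_valid_subnet_prefix(prefix: str) -> bool:
    try:
        validate_subnet_prefix(prefix)
        return True
    except ValueError:
        return False


def validate_password(password: str) -> str:
    """Reject values that would break ${POSTGRES_PASSWORD} substitution or the URLs."""
    if len(password) < 16:
        raise ValueError("password shorter than 16 characters")
    if not PASSWORD_RE.fullmatch(password):
        raise ValueError("password must consist of [A-Za-z0-9_-] only")
    return password


def render_env(safeline_dir: str, image_tag: str = "latest", mgt_port: int = 9443,
               subnet_prefix: str = "169.254.0", password: str = "") -> str:
    """Return the .env text; every value is validated before it is written."""
    if not 1 <= int(mgt_port) <= 65535:
        raise ValueError(f"MGT_PORT out of range: {mgt_port}")
    values = {
        # absolute path rather than $PWD, so nothing depends on whether the
        # .env parser of a given compose version expands variables
        "SAFELINE_DIR": os.path.abspath(safeline_dir),
        "IMAGE_TAG": image_tag,
        "MGT_PORT": str(int(mgt_port)),
        "POSTGRES_PASSWORD": validate_password(password or gen_password()),
        "SUBNET_PREFIX": validate_subnet_prefix(subnet_prefix),
    }
    return "".join(f"{key}={values[key]}\n" for key in ENV_KEYS)


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE reader (comments and blank lines skipped, no quoting)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def write_env(directory: str, **kwargs) -> Path:
    """Write <directory>/.env with mode 0600: it holds the database and redis secret."""
    path = Path(directory) / ".env"
    text = render_env(directory, **kwargs)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # the O_CREAT mode is umask-masked and ignored for existing files
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(f"wrote {write_env(target)}")
```

Run it from the directory that holds docker-compose.yaml before docker-compose up -d; it overwrites any existing .env, so pass an explicit password= to render_env if you need to keep the one already in use by a running postgres volume.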

Notes

At present the configuration options the CE edition exposes in the UI are fairly limited and not very flexible; what the UI lacks can be added through the API provided by safeline-open-platform. Overall, Chaitin's WAF is built on Tengine with nginx modules of their own added: the t1k module in the build arguments is the tengine side of the T1K protocol over which requests are handed to the detector (lua-resty-t1k in the references is the OpenResty client for the same protocol). The link flags also show OpenSSL being taken from /opt/ssl with an rpath, so the image carries its own OpenSSL build rather than the host distribution's. The build arguments, as reported by nginx -V:

Tengine version: Tengine/2.3.3
nginx version: nginx/1.18.0
built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1) 
built with OpenSSL 1.1.1o  3 May 2022 (running with OpenSSL 1.1.1t  7 Feb 2023)
TLS SNI support enabled
configure arguments: --conf-path=/etc/nginx/nginx.conf --add-module=modules/ngx_http_upstream_check_module --add-module=modules/ngx_http_upstream_dynamic_module --add-module=modules/ngx_http_upstream_session_sticky_module --add-module=src/http/modules/t1k --add-module=modules/ngx_brotli/filter --with-openssl-async --with-http_v2_module --with-http_realip_module --with-stream --with-stream_ssl_module --with-stream_sni --with-dispatch --with-dispatch_ssl_module --with-dispatch_sni --with-pcre-jit --with-jemalloc --with-cpu-opt=amd64 --with-cc-opt='-fpie -O2 -fstack-protector-strong -Wextra -Wformat -Werror=format-security -Wno-implicit-fallthrough -D_FORTIFY_SOURCE=2 -DNGX_SECURE_MEM -I/opt/ssl/include' --with-ld-opt='-fpie -Wl,-z,relro -L/opt/ssl/lib -ldl -Wl,-rpath,/opt/ssl/lib' --with-exec-ld-opt=-pie
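The configure line above advertises a hardened build (-fpie with -pie, -fstack-protector-strong, -D_FORTIFY_SOURCE=2, -Wl,-z,relro but no -z now). The following check, which I have added here and which is not code from the post or from SafeLine, parses the ELF64 headers of a binary directly and reports whether those properties are actually present in what ships in the image. It assumes the tengine binary sits at /usr/local/nginx/sbin/nginx inside the safeline-tengine container (the default nginx prefix; the configure line only shows --conf-path), to be copied out with docker cp; build_elf fabricates a minimal ELF image so the checker can be exercised without the container.

```python
"""Report PIE / RELRO / stack-protector / FORTIFY status of an ELF64 binary by
parsing its headers directly (no readelf or checksec needed).

Usage (container path is an assumption, see the text above):
    docker cp safeline-tengine:/usr/local/nginx/sbin/nginx ./tengine-nginx
    python3 check_hardening.py ./tengine-nginx
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
# names glibc's _FORTIFY_SOURCE substitutes for the unchecked calls
FORTIFY_SYMBOLS = (b"__memcpy_chk", b"__strcpy_chk", b"__printf_chk",
                   b"__snprintf_chk", b"__fprintf_chk", b"__vsnprintf_chk")


def check_hardening(image: bytes) -> dict:
    """Return {'pie', 'pie_flag', 'relro', 'stack_protector', 'fortify'} for an ELF64 image."""
    if image[:4] != b"\x7fELF" or image[4] != 2:
        raise ValueError("only ELF64 images are supported")
    e = "<" if image[5] == 1 else ">"                     # EI_DATA: 1 = little endian
    (e_type,) = struct.unpack_from(e + "H", image, 16)
    (e_phoff,) = struct.unpack_from(e + "Q", image, 32)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", image, 54)

    relro = bind_now = pie_flag = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            e + "IIQQQQ", image, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # walk the (tag, value) pairs of the dynamic section up to DT_NULL
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from(e + "qQ", image, off)
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS and val & DF_BIND_NOW:
                    bind_now = True
                if tag == DT_FLAGS_1:
                    bind_now = bind_now or bool(val & DF_1_NOW)
                    pie_flag = bool(val & DF_1_PIE)

    return {
        "pie": e_type == ET_DYN,          # a PIE executable is an ET_DYN object
        "pie_flag": pie_flag,             # newer linkers additionally tag it with DF_1_PIE
        # -z relro yields a PT_GNU_RELRO segment (partial RELRO); full RELRO also
        # needs BIND_NOW so the GOT is resolved before it is made read-only
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        # -fstack-protector* makes the binary import __stack_chk_fail, so the
        # name appears in .dynstr; this is the same heuristic checksec uses
        "stack_protector": b"__stack_chk_fail" in image,
        "fortify": any(sym in image for sym in FORTIFY_SYMBOLS),
    }


def build_elf(pie=True, relro=True, bind_now=False, stack_protector=True, fortify=True) -> bytes:
    """Fabricate a minimal ELF64 image with the requested properties.

    Constructed test input only: headers, a dynamic section and a string table,
    no code, so the checker can be exercised without a real binary.
    """
    flags1 = (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)
    entries = ([(DT_FLAGS_1, flags1)] if flags1 else []) + [(DT_NULL, 0)]
    dynamic = b"".join(struct.pack("<qQ", tag, val) for tag, val in entries)
    strtab = (b"\0" + (b"__stack_chk_fail\0" if stack_protector else b"")
              + (b"__memcpy_chk\0" if fortify else b""))
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum                              # ehdr + program headers
    phdrs = [(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dynamic), len(dynamic), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dynamic), len(dynamic), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                               0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr_bytes = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    return ehdr + phdr_bytes + dynamic + strtab


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    with open(path, "rb") as fh:
        for key, value in check_hardening(fh.read()).items():
            print(f"{key:16} {value}")
```

For a binary built with exactly the flags shown, the expected reading is pie True, relro "partial" (relro without -z now), stack_protector True and fortify True; a "none" or a False there means the shipped binary was not built the way the configure line says. Since the image carries OpenSSL from /opt/ssl, the same check is worth running on /opt/ssl/lib/libssl.so and libcrypto.so, which the nginx configure flags say nothing about.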

Site management in the web UI goes through the API and generates nginx configuration from it (into the resources/nginx directory that both the management and tengine containers mount); the generated configuration was shown in the original post but is not reproduced here.

 


For something that can be used free of charge it is quite good and worth a trial.

References

https://github.com/chaitin/safeline
https://github.com/chaitin/lua-resty-t1k
https://github.com/chaitin/yanshi
https://github.com/chaitin/safeline-open-platform
http://demo.waf-ce.chaitin.cn/image.tar.gz
https://github.com/chaitin/safeline-open-platform/tree/master/series_20/api_doc
https://tengine.taobao.org/

posted on 2023-06-26 22:56 by 荣锋亮