长亭waf-ce 版本试用

最近长亭提供了ce 版本的waf ,部分开源了(部分管理UI,t1k 部分,部分语义分析自动机引擎)

运行

 
networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
      - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
        subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce
 
services:
  postgres:
    container_name: safeline-postgres
    restart: always
    image: postgres:15.2
    volumes:
    - ./resources/postgres/data:/var/lib/postgresql/data
    - /etc/localtime:/etc/localtime:ro
    environment:
    - POSTGRES_USER=safeline-ce
    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    cap_drop:
    - net_raw
    command: [postgres, -c, max_connections=200]
  redis:
    container_name: safeline-redis
    restart: always
    image: redis:7.0.11
    volumes:
      - ./resources/redis/data:/data
      - /etc/localtime:/etc/localtime:ro
    command: redis-server --appendonly yes --requirepass  ${POSTGRES_PASSWORD}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.3
    cap_drop:
      - net_raw
    sysctls:
      net.core.somaxconn: "511"
  management:
    container_name: safeline-mgt-api
    restart: always
    image: chaitin/safeline-mgt-api:${IMAGE_TAG:?image tag required}
    volumes:
    - ./resources/management:/resources/management
    - ./resources/nginx:/resources/nginx
    - ./logs:/logs
    - /etc/localtime:/etc/localtime:ro
    ports:
    - ${MGT_PORT:-9443}:1443
    environment:
    - MANAGEMENT_RESOURCES_DIR=/resources/management
    - NGINX_RESOURCES_DIR=/resources/nginx
    - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@127.0.0.1/safeline-ce
    - MANAGEMENT_LOGS_DIR=/logs/management
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
    cap_drop:
    - net_raw
  detector:
    container_name: safeline-detector
    restart: always
    image: chaitin/safeline-detector:${IMAGE_TAG}
    volumes:
    - ./resources/detector:/resources/detector
    - ./logs/detector:/logs/detector
    - /etc/localtime:/etc/localtime:ro
    environment:
    - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5
    cap_drop:
    - net_raw
  mario:
    container_name: safeline-mario
    restart: always
    image: chaitin/safeline-mario:${IMAGE_TAG}
    volumes:
    - ./resources/mario:/resources/mario
    - ./logs/mario:/logs/mario
    - /etc/localtime:/etc/localtime:ro
    environment:
    - LOG_DIR=/logs/mario
    - GOGC=100
    - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-postgres/safeline-ce
    - REDIS_URL=redis://:${POSTGRES_PASSWORD}@safeline-redis:6379/0
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6
    cap_drop:
    - net_raw
  tengine:
    container_name: safeline-tengine
    restart: always
    image: chaitin/safeline-tengine:${IMAGE_TAG}
    volumes:
    - ./resources/nginx:/etc/nginx
    - ./resources/management:/resources/management
    - ./resources/detector:/resources/detector
    - ./logs/nginx:/var/log/nginx
    - /etc/localtime:/etc/localtime:ro
    - ./resources/cache:/usr/local/nginx/cache
    - /etc/resolv.conf:/etc/resolv.conf
    environment:
    - MGT_ADDR=${SUBNET_PREFIX}.4:9002
    ulimits:
      nofile: 131072
    network_mode: host

.env 文件

SAFELINE_DIR=$PWD
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=evgpqNU9MglspscuudHwd5GwuQPxv7Vn
SUBNET_PREFIX=169.254.0
  • 启动
docker-compose up -d

说明

目前来说ce 版本提供的配置能力(ui 上)还是比较少的,而且很不灵活,可以结合safeline-open-platform 提供的api 进行添加,整体上实际长亭waf 是基于了tengine
同时开发了自己的nginx 扩展模块,参考构建参数

 
Tengine version: Tengine/2.3.3
nginx version: nginx/1.18.0
built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1) 
built with OpenSSL 1.1.1o  3 May 2022 (running with OpenSSL 1.1.1t  7 Feb 2023)
TLS SNI support enabled
configure arguments: --conf-path=/etc/nginx/nginx.conf --add-module=modules/ngx_http_upstream_check_module --add-module=modules/ngx_http_upstream_dynamic_module --add-module=modules/ngx_http_upstream_session_sticky_module --add-module=src/http/modules/t1k --add-module=modules/ngx_brotli/filter --with-openssl-async --with-http_v2_module --with-http_realip_module --with-stream --with-stream_ssl_module --with-stream_sni --with-dispatch --with-dispatch_ssl_module --with-dispatch_sni --with-pcre-jit --with-jemalloc --with-cpu-opt=amd64 --with-cc-opt='-fpie -O2 -fstack-protector-strong -Wextra -Wformat -Werror=format-security -Wno-implicit-fallthrough -D_FORTIFY_SOURCE=2 -DNGX_SECURE_MEM -I/opt/ssl/include' --with-ld-opt='-fpie -Wl,-z,relro -L/opt/ssl/lib -ldl -Wl,-rpath,/opt/ssl/lib' --with-exec-ld-opt=-pie

对于web 站点管理部分基于了api 以及生成nginx 配置,参考生成配置

 


作为一个可以免费使用的,还是很不错的,值得试用下

参考资料

https://github.com/chaitin/safeline
https://github.com/chaitin/lua-resty-t1k
https://github.com/chaitin/yanshi
https://github.com/chaitin/safeline-open-platform
http://demo.waf-ce.chaitin.cn/image.tar.gz
https://github.com/chaitin/safeline-open-platform/tree/master/series_20/api_doc
https://tengine.taobao.org/

posted on 2023-06-26 22:56  荣锋亮  阅读(290)  评论(0编辑  收藏  举报

导航