【配置】雷池WAF社区版安装

官方文档点击跳转

什么是雷池

雷池（SafeLine）是长亭科技耗时近 10 年倾情打造的 WAF，核心检测能力由智能语义分析算法驱动。

什么是 WAF

WAF 是 Web Application Firewall 的缩写，也被称为 Web 应用防火墙。

区别于传统防火墙，WAF 工作在应用层，对基于 HTTP/HTTPS 协议的 Web 系统有着更好的防护效果，使其免于受到黑客的攻击。

安装

下载雷池社区版镜像包

并传输到需要安装雷池的服务器上，我新增了/nwa/leichi目录，执行以下命令加载镜像

cd /nwa/leichi
cat leichi.tar.gz | gzip -d | docker load

shell中执行以下命令创建并进入雷池安装目录

mkdir -p safeline && cd safeline   # 创建 safeline 目录并且进入

新建compose.yaml在 safeline 目录中

networks:safeline-ce:name: safeline-cedriver: bridgeipam:driver: defaultconfig:- gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1subnet: ${SUBNET_PREFIX}.0/24driver_opts:com.docker.network.bridge.name: safeline-ceservices:postgres:container_name: safeline-pgrestart: alwaysimage: swr.cn-east-3.myhuaweicloud.com/chaitin-safeline/postgres:15.2volumes:- ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data- /etc/localtime:/etc/localtime:roenvironment:- POSTGRES_USER=safeline-ce- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}networks:safeline-ce:ipv4_address: ${SUBNET_PREFIX}.2command: [postgres, -c, max_connections=600]healthcheck:test: pg_isready -U safeline-ce -d safeline-cemgt:container_name: safeline-mgtrestart: alwaysimage: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}volumes:- /etc/localtime:/etc/localtime:ro- ${SAFELINE_DIR}/resources/mgt:/app/dataports:- ${MGT_PORT:-9443}:1443healthcheck:test: curl -k -f https://localhost:1443/api/open/healthenvironment:- MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disabledepends_on:- postgres- fvmdns:- 119.29.29.29- 223.5.5.5- 180.76.76.76- 1.2.4.8- 114.114.114.114- 8.8.8.8logging:options:max-size: "100m"max-file: "10"networks:safeline-ce:ipv4_address: ${SUBNET_PREFIX}.4detect:container_name: safeline-detectorrestart: alwaysimage: ${IMAGE_PREFIX}/safeline-detector:${IMAGE_TAG}volumes:- ${SAFELINE_DIR}/resources/detector:/resources/detector- ${SAFELINE_DIR}/logs/detector:/logs/detector- /etc/localtime:/etc/localtime:roenvironment:- LOG_DIR=/logs/detectornetworks:safeline-ce:ipv4_address: ${SUBNET_PREFIX}.5mario:container_name: safeline-mariorestart: alwaysimage: ${IMAGE_PREFIX}/safeline-mario:${IMAGE_TAG}volumes:- ${SAFELINE_DIR}/resources/mario:/resources/mario- ${SAFELINE_DIR}/logs/mario:/logs/mario- /etc/localtime:/etc/localtime:roenvironment:- LOG_DIR=/logs/mario- GOGC=100- DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-celogging:options:max-size: "100m"max-file: "10"networks:safeline-ce:ipv4_address: ${SUBNET_PREFIX}.6tengine:container_name: safeline-tenginerestart: alwaysimage: ${IMAGE_PREFIX}/safeline-tengine:${IMAGE_TAG}volumes:- /etc/localtime:/etc/localtime:ro- /etc/resolv.conf:/etc/resolv.conf:ro- ${SAFELINE_DIR}/resources/nginx:/etc/nginx- ${SAFELINE_DIR}/resources/detector:/resources/detector- ${SAFELINE_DIR}/logs/nginx:/var/log/nginx- ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cacheenvironment:- TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server- TCD_SNSERVER=${SUBNET_PREFIX}.5:8000# deprecated- SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000ulimits:nofile: 131072network_mode: hostluigi:container_name: safeline-luigirestart: alwaysimage: ${IMAGE_PREFIX}/safeline-luigi:${IMAGE_TAG}environment:- MGT_IP=${SUBNET_PREFIX}.4volumes:- /etc/localtime:/etc/localtime:ro- ${SAFELINE_DIR}/resources/luigi:/app/datalogging:options:max-size: "100m"max-file: "10"depends_on:- detect- mgtnetworks:safeline-ce:ipv4_address: ${SUBNET_PREFIX}.7fvm:container_name: safeline-fvmrestart: alwaysimage: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}volumes:- /etc/localtime:/etc/localtime:rologging:options:max-size: "100m"max-file: "10"networks:safeline-ce:ipv4_address: ${SUBNET_PREFIX}.8bridge:container_name: safeline-bridgerestart: alwaysimage: ${IMAGE_PREFIX}/safeline-bridge:${IMAGE_TAG}command:- /app/bridge- serve- -n- unix- -a- /app/run/safeline.sockvolumes:- /etc/localtime:/etc/localtime:ro- /var/run:/app/runlogging:options:max-size: "100m"max-file: "10"networks:safeline-ce:ipv4_address: ${SUBNET_PREFIX}.9depends_on:- mgt

复制并shell执行以下命令，生成雷池运行所需的相关环境变量

cat >> .env <<EOF
SAFELINE_DIR=$(pwd)
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
EOF

docker compose up -d #生成容器

docker compose down # 停止并移除所有容器

云服务器打开9443端口

https://ip:9443

docker exec safeline-mgt resetadmin 查看账号密码

在这里插入图片描述
添加站点

它是作为反向代理来使用的默认是80我也不会改，说下它的工作场景

用户A访问域名正常没雷池------>NG----->自己的网站展示
用户A访问域名正常-------->雷池------>NG----->自己的网站展示

流量就通过雷池的过滤把正常的返回给我们自己的NG上防止sql注入等危害

场景

我现在2台服务器，1台N用来部署雷池，1台M是专门弄网站的，M里2个NG，一个80,一个9091
现在上面的配置输入
*
80
上游服务器如下
http://M的ip:9091
用户A访问域名正常---->NG80解析域名代理-------->雷池------>NG91----->自己的网站展示
由于我域名解析在NG80就懒得换别的方式了

如果就1台服务器，80给雷池，ng给9091，雷池那443证书给上，就可以少掉一个代理，用户直接到雷池再到Ng

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.mzph.cn/bicheng/13514.shtml

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈email:809451989@qq.com，一经查实，立即删除！