Deploying SafeLine (雷池) WAF with Docker 🛡️
🎯 Project overview
SafeLine WAF (Web Application Firewall) is an open-source, high-performance web application firewall built to give modern web applications all-round protection. It defends against common web attacks such as SQL injection, XSS, malicious crawlers and CC (HTTP flood) attacks, while keeping latency low, handling high concurrency and scaling easily.
🛠️ Core features
✨ Comprehensive protection - detects and blocks many classes of web attack, including the OWASP Top 10
🚀 High performance - an intelligent engine with low latency and high concurrency that does not affect normal traffic
🔧 Easy deployment - a one-command Docker deployment that installs quickly in many environments
📊 Visual management - a friendly console that shows the security posture and attack logs in real time
🛡️ Intelligent learning - learns what normal traffic looks like, lowering the false-positive rate and sharpening detection
🌐 Flexible extension - custom rules let you tune the protection policy to your application
Deploying SafeLine WAF with Docker 🛡️
SafeLine WAF can be deployed in two ways: automatic installation on Linux, or manual deployment with Docker. Pick whichever fits your situation.
1. Automatic installation on Linux
📦 One-click install: the automatic installer finishes in about 3 minutes and suits quick deployments.
```bash
bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/manager.sh)"
```
Note that `-k` makes curl skip TLS certificate verification for the download; if you would rather review the installer before it runs as your shell, download the script to a file first and read it.
2. Manual Docker deployment
Create the deployment directory and the compose file 📁
```bash
mkdir -p /vol1/1000/compose/safeline && cd $_ && \
cat > docker-compose.yml <<'EOF'
networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce

services:
  postgres:
    container_name: safeline-pg
    restart: always
    image: ${IMAGE_PREFIX}/safeline-postgres${ARCH_SUFFIX}:15.2
    volumes:
      - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - POSTGRES_USER=safeline-ce
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    command: [postgres, -c, max_connections=600]
    healthcheck:
      test: pg_isready -U safeline-ce -d safeline-ce

  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt${REGION}${ARCH_SUFFIX}:${IMAGE_TAG:?image tag required}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/mgt:/app/data
      - ${SAFELINE_DIR}/logs/nginx:/app/log/nginx:z
      - ${SAFELINE_DIR}/resources/sock:/app/sock
      - /var/run:/app/run
    ports:
      - ${MGT_PORT:-9443}:1443
    healthcheck:
      test: curl -k -f https://localhost:1443/api/open/health
    environment:
      - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
      - MGT_PROXY=${MGT_PROXY}
    depends_on:
      - postgres
      - fvm
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "5"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4

  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/logs/detector:/logs/detector
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5

  tengine:
    container_name: safeline-tengine
    restart: always
    image: ${IMAGE_PREFIX}/safeline-tengine${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
      - ${SAFELINE_DIR}/resources/chaos:/resources/chaos
      - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx:z
      - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
      - ${SAFELINE_DIR}/resources/sock:/app/sock
    environment:
      - TCD_MGT_API=https://${SUBNET_PREFIX}.4:1443/api/open/publish/server
      - TCD_SNSERVER=${SUBNET_PREFIX}.5:8000
      - SNSERVER_ADDR=${SUBNET_PREFIX}.5:8000
      - CHAOS_ADDR=${SUBNET_PREFIX}.10
    ulimits:
      nofile: 131072
    network_mode: host

  luigi:
    container_name: safeline-luigi
    restart: always
    image: ${IMAGE_PREFIX}/safeline-luigi${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
    environment:
      - MGT_IP=${SUBNET_PREFIX}.4
      - LUIGI_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${SAFELINE_DIR}/resources/luigi:/app/data
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "5"
    depends_on:
      - detect
      - mgt
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.7

  fvm:
    container_name: safeline-fvm
    restart: always
    image: ${IMAGE_PREFIX}/safeline-fvm${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
    volumes:
      - /etc/localtime:/etc/localtime:ro
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "5"
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.8

  chaos:
    container_name: safeline-chaos
    restart: always
    image: ${IMAGE_PREFIX}/safeline-chaos${REGION}${ARCH_SUFFIX}:${IMAGE_TAG}
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "10"
    environment:
      - DB_ADDR=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
    volumes:
      - ${SAFELINE_DIR}/resources/sock:/app/sock
      - ${SAFELINE_DIR}/resources/chaos:/app/chaos
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.10
EOF
```
The heredoc delimiter is quoted (`<<'EOF'`), so the `${...}` references are written to the file literally and substituted by Docker Compose from the `.env` file at start time; `${VAR:?message}` makes Compose refuse to start when a required variable is missing.
Create the environment variable file
```bash
cat > .env <<'EOF'
SAFELINE_DIR=/vol1/1000/compose/safeline
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=yourpassword
SUBNET_PREFIX=172.23.0
IMAGE_PREFIX=swr.cn-east-3.myhuaweicloud.com/chaitin-safeline
ARCH_SUFFIX=
RELEASE=
REGION=
MGT_PROXY=0
EOF
```
Replace `yourpassword` with a long random value before starting: the same string is embedded in the database connection strings of the mgt, luigi and chaos services. `SUBNET_PREFIX` is the first three octets of the internal bridge network (`172.23.0` gives `172.23.0.0/24`), so choose one that does not overlap a network already present on the host.
Pull the images and start the containers 🚀
Once the stack is up, the following containers have been created automatically:
- 🗄️ safeline-pg - PostgreSQL database
- 🖥️ safeline-mgt - management console service
- 🔍 safeline-detector - attack detection engine
- 🌐 safeline-tengine - Tengine web server
- 📊 safeline-luigi - log processing service
- ⚙️ safeline-fvm - rule management service
- 🛡️ safeline-chaos - core protection engine
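The page does not show the start command itself, so here is an added helper script (not part of the SafeLine project) that brings the stack up and verifies it. It assumes it is run from `/vol1/1000/compose/safeline` with the `.env` shown above in place, that the containers carry the names listed above, and that the console health endpoint used by the mgt healthcheck is reachable through the published `MGT_PORT`; the function names (`gen_password`, `check_env_file`, `missing_containers`, `wait_for_health`) are hypothetical.

```shell
#!/bin/sh
# Added example (not the SafeLine project's own tooling): start the compose stack
# from the deployment directory and verify it. Assumes the container names from
# the page, a .env in the current directory with the keys shown earlier, and that
# the console health endpoint is reachable through the published MGT_PORT.

EXPECTED_CONTAINERS="safeline-pg safeline-mgt safeline-detector safeline-tengine safeline-luigi safeline-fvm safeline-chaos"

# 32 hex characters from /dev/urandom, a replacement for the placeholder password
gen_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Refuse to start with the placeholder or a short POSTGRES_PASSWORD, and require
# SUBNET_PREFIX to be exactly three octets (the compose file appends .0/24 to it)
check_env_file() {
    env_file=$1
    pw=$(sed -n 's/^POSTGRES_PASSWORD=//p' "$env_file")
    prefix=$(sed -n 's/^SUBNET_PREFIX=//p' "$env_file")
    ok=0
    if [ -z "$pw" ] || [ "$pw" = "yourpassword" ] || [ ${#pw} -lt 16 ]; then
        echo "POSTGRES_PASSWORD is empty, still the placeholder, or shorter than 16 characters" >&2
        ok=1
    fi
    if ! printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'; then
        echo "SUBNET_PREFIX must be three octets such as 172.23.0 (got '$prefix')" >&2
        ok=1
    fi
    return $ok
}

# Read `docker ps --format '{{.Names}}'` output on stdin; print each expected
# container that is not running (one per line) and return 1 if any is missing
missing_containers() {
    running=$(cat)
    missing=""
    for name in $EXPECTED_CONTAINERS; do
        if ! printf '%s\n' "$running" | grep -qx "$name"; then
            missing="$missing $name"
        fi
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' $missing
    return 1
}

# Poll the console health endpoint through the published port for up to 60 s.
# -k is needed because the console's certificate is not trusted by default,
# which is also why the compose healthcheck above passes -k to curl.
wait_for_health() {
    port=${1:-9443}
    i=0
    while [ "$i" -lt 30 ]; do
        if curl -sk -f "https://localhost:$port/api/open/health" >/dev/null; then
            echo "console healthy on port $port"
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "console did not become healthy within 60 s" >&2
    return 1
}

# Real run only when invoked as `sh safeline-up.sh up` inside the deployment directory
case "${1:-}" in
    up)
        check_env_file .env || exit 1
        docker-compose pull && docker-compose up -d || exit 1
        if ! docker ps --format '{{.Names}}' | missing_containers; then
            echo "the containers listed above are not running; see docker-compose logs" >&2
            exit 1
        fi
        wait_for_health "$(sed -n 's/^MGT_PORT=//p' .env)"
        ;;
esac
```

The `up` path runs the same `docker-compose pull` and `docker-compose up -d` pair that the maintenance section below uses, but only after `.env` passes the checks; set `POSTGRES_PASSWORD` to the output of `gen_password` first. A container missing from `docker ps` is usually one that failed its healthcheck or crashed on start, so the message points you at `docker-compose logs`.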
🚀 Using SafeLine WAF
1. Access the web console 💻
Open https://<server-ip>:9443 in your browser, 9443 being the MGT_PORT set in the .env file.
2. First-time setup steps 🎯
Initial setup 🔧
- Open the management console in a browser
- Set the administrator account and password
- Configure basic settings such as e-mail notifications
Add a protected site 🌐
- Go to the "Site Management" page
- Click the "Add Site" button
- Enter the domain to protect and the address of the upstream server
Configure protection rules 🛡️
- Choose protection rules that fit the application
- Enable intelligent learning mode to lower the false-positive rate
- Add custom rules for attacks specific to your application
Monitor the security posture 📊
- Review the real-time attack log and statistics
- Analyse the distribution of attack sources and attack types
- Adjust the protection policy to improve results
Performance tuning ⚡
- Adjust detection sensitivity to match your traffic profile
- Configure caching to improve performance
- Use blacklists and whitelists for access control
🌐 Nginx reverse proxy configuration
Example access URL: https://safeline.example.com:666
Putting Nginx in front as a reverse proxy gives more flexible access to the console and lets Nginx terminate TLS.
1. Create the Nginx configuration file 🔧
```bash
mkdir -p /etc/nginx/conf.d && \
cat > /etc/nginx/conf.d/safeline.conf <<'EOF'
server {
    listen 666 ssl;
    listen [::]:666 ssl;
    server_name safeline.example.com;

    ssl_certificate /etc/nginx/keyfile/cert.pem;
    ssl_certificate_key /etc/nginx/keyfile/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5;

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    client_max_body_size 100M;

    location / {
        # The console speaks TLS itself (port 1443 in the container, published on
        # MGT_PORT 9443, see the mgt healthcheck), so the upstream must be https
        proxy_pass https://127.0.0.1:9443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_buffering off;
        # WebSocket upgrade for the console's live views
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
EOF
```
2. Test and reload Nginx 🔄
```bash
sudo nginx -t
sudo systemctl reload nginx
```
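After the reload, a quick way to confirm that the proxy reaches the console and that the hardening headers from the config are actually emitted. This is an added check script, not part of the original page; it assumes the hostname and port from the configuration above (`safeline.example.com:666`) and a certificate the client does not trust (hence `curl -k`), and the function name `check_proxy_response` is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original page: verify the reverse proxy once
# nginx has been reloaded. Assumes safeline.example.com:666 from the config
# above and an untrusted (self-signed) certificate, hence curl -k.

# Read an HTTP response head (what `curl -skI` prints) on stdin and report
# whether the upstream answered and whether the three hardening headers from
# the config are present. Prints each problem found; returns 0 only if none.
check_proxy_response() {
    resp=$(tr -d '\r')
    status=$(printf '%s\n' "$resp" | sed -n '1s#^HTTP/[0-9.]* \([0-9]\{3\}\).*#\1#p')
    problems=0
    case $status in
        2??|3??) ;;
        502|503|504)
            echo "upstream not answering (status $status): is safeline-mgt running and proxy_pass using https?"
            problems=1 ;;
        *)
            echo "unexpected status line: '$status'"
            problems=1 ;;
    esac
    for h in "X-Frame-Options: DENY" "X-Content-Type-Options: nosniff" "X-XSS-Protection: 1; mode=block"; do
        if ! printf '%s\n' "$resp" | grep -qiF "$h"; then
            echo "missing header: $h"
            problems=1
        fi
    done
    return $problems
}

# Live check, only when invoked as `sh check-proxy.sh check [host:port]`
case "${1:-}" in
    check) curl -skI "https://${2:-safeline.example.com:666}/" | check_proxy_response ;;
esac
```

Keep in mind that nginx's `add_header` only applies to 2xx and 3xx responses unless the `always` flag is given, so when the upstream is down the script reports both the 5xx status and the missing headers; the status line is the real cause in that case.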
🔧 Container maintenance commands
1. Docker Compose commands 🐳
```bash
cd /vol1/1000/compose/safeline

# Stop and remove the stack's containers and network
docker-compose down
# Pull the latest image of every service
docker-compose pull
# Create and start all services in the background
docker-compose up -d
# Start (or recreate) a single service
docker-compose up -d <service_name>
# Show the status of the stack's containers
docker-compose ps
# Logs of all services, follow them, or a single service
docker-compose logs
docker-compose logs -f
docker-compose logs <service_name>

# Upgrade in one go: stop, pull, start, then drop the old dangling images
docker-compose down && \
docker-compose pull && \
docker-compose up -d && \
docker image prune -f
```
2. Docker container commands 📦
```bash
# List the names of all containers, including stopped ones
docker ps -a --format "{{.Names}}"
# List running containers
docker ps

# Lifecycle
docker stop <container_name>
docker start <container_name>
docker restart <container_name>

# Remove a stopped container, or force-remove a running one
docker rm <container_name>
docker rm -f <container_name>

# Open a shell inside a container (sh or bash, whichever the image has)
docker exec -it <container_name> sh
docker exec -it <container_name> bash
# Open a shell as root (uid 0)
docker exec -u 0 -it <container_name> sh
# Run a single command inside a container
docker exec <container_name> ls -la

# Inspect configuration and live resource usage
docker inspect <container_name>
docker stats <container_name>

# Logs: all, follow, last 100 lines, with timestamps
docker logs <container_name>
docker logs -f <container_name>
docker logs --tail 100 <container_name>
docker logs -t <container_name>
```
3. Docker image management 📀
```bash
# List local images
docker images
# Remove one image
docker rmi <image_name:tag>
# Remove dangling images; with -a, every image not used by a container
docker image prune -f
docker image prune -a -f
```
🌟 A new chapter in security
With this guide you have deployed the SafeLine WAF web application firewall with Docker and put a solid line of defence in front of your web applications. You can now:
🛡️ Comprehensive protection - effective defence against SQL injection, XSS and other common web threats
📊 Real-time monitoring - a visual console showing the security posture and attack logs as they happen
⚡ High performance - low-latency, high-concurrency processing that does not affect normal traffic
🔧 Flexible configuration - protection rules and policies customised to your application
🌐 Easy scaling - several deployment options to keep up with growth
SafeLine WAF will be a reliable guardian for your web applications, protecting them around the clock so you can focus on your business instead of worrying about security threats.
Start building a secure and reliable web application environment today and give your users a safer experience! ✨
📌 Stay current: follow the official SafeLine WAF releases to pick up new features and security improvements promptly
🐛 Community support: for questions or suggestions, join the discussion on GitHub Issues
Happy deploying, and stay secure! 🎉