部署和使用雷池WAF，为网站提供更多保护

前言

最近在鼓捣一些奇奇怪怪的东西，例如waf什么的，偶然发现了一款直接适配nginx的waf：长亭科技的雷池，能做一些基本的防护，而且是基于nginx的生态。

简单说下WAF是什么->WAF 是 Web Application Firewall 的缩写，也被称为 Web 应用防火墙。区别于传统防火墙，WAF 工作在应用层，对基于 HTTP/HTTPS 协议的 Web 系统有着更好的防护效果，使其免于受到黑客的攻击。

部署雷池

雷池部署还是比较简单的，官方文档，直接使用docker-compose部署，由于默认的compose.yaml自建了postgres和redis，在实际使用中，我自己有外部的postgres和redis可用，所以将官方的compose简单改了改就直接使用了。

官方的docker-compose.yaml

networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
      - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
        subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce

services:
  postgres:
    container_name: safeline-postgres
    restart: always
    image: postgres:15.2
    volumes:
    - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
    - /etc/localtime:/etc/localtime:ro
    environment:
    - POSTGRES_USER=safeline-ce
    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    cap_drop:
    - net_raw
    command: [postgres, -c, max_connections=200]
  redis:
    container_name: safeline-redis
    restart: always
    image: redis:7.0.10
    volumes:
      - ${SAFELINE_DIR}/resources/redis/data:/data
      - /etc/localtime:/etc/localtime:ro
    command: redis-server --appendonly yes --requirepass  ${REDIS_PASSWORD}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.3
    cap_drop:
      - net_raw
    sysctls:
      net.core.somaxconn: "511"
  management:
    container_name: safeline-mgt-api
    restart: always
    image: chaitin/safeline-mgt-api:${IMAGE_TAG:?image tag required}
    volumes:
    - ${SAFELINE_DIR?safeline dir required}/resources/management:/resources/management
    - ${SAFELINE_DIR}/resources/nginx:/resources/nginx
    - ${SAFELINE_DIR}/logs:/logs
    - /etc/localtime:/etc/localtime:ro
    ports:
    - ${MGT_PORT:-9443}:1443
    environment:
    - MANAGEMENT_RESOURCES_DIR=/resources/management
    - NGINX_RESOURCES_DIR=/resources/nginx
    - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-postgres/safeline-ce
    - MARIO_URL=http://safeline-mario:3335
    - DETECTOR_URL=http://safeline-detector:8001
    - REDIS_URL=redis://:${REDIS_PASSWORD}@safeline-redis:6379/0
    - MANAGEMENT_LOGS_DIR=/logs/management
    dns: 
      - 119.29.29.29
      - 223.5.5.5
      - 180.76.76.76
      - 1.2.4.8
      - 114.114.114.114
      - 8.8.8.8
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
    cap_drop:
    - net_raw
  detector:
    container_name: safeline-detector
    restart: always
    image: chaitin/safeline-detector:${IMAGE_TAG}
    volumes:
    - ${SAFELINE_DIR}/resources/detector:/resources/detector
    - ${SAFELINE_DIR}/logs/detector:/logs/detector
    - /etc/localtime:/etc/localtime:ro
    environment:
    - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5
    cap_drop:
    - net_raw
  mario:
    container_name: safeline-mario
    restart: always
    image: chaitin/safeline-mario:${IMAGE_TAG}
    volumes:
    - ${SAFELINE_DIR}/resources/mario:/resources/mario
    - ${SAFELINE_DIR}/logs/mario:/logs/mario
    - /etc/localtime:/etc/localtime:ro
    environment:
    - LOG_DIR=/logs/mario
    - GOGC=100
    - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-postgres/safeline-ce
    - REDIS_URL=redis://:${REDIS_PASSWORD}@safeline-redis:6379/0
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.6
    cap_drop:
    - net_raw
  tengine:
    container_name: safeline-tengine
    restart: always
    image: chaitin/safeline-tengine:${IMAGE_TAG}
    volumes:
    - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
    - ${SAFELINE_DIR}/resources/management:/resources/management
    - ${SAFELINE_DIR}/resources/detector:/resources/detector
    - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx
    - /etc/localtime:/etc/localtime:ro
    - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
    - /etc/resolv.conf:/etc/resolv.conf
    environment:
    - REDIS_URL=redis://:${REDIS_PASSWORD}@${SUBNET_PREFIX}.3:6379/0
    - MGT_ADDR=${SUBNET_PREFIX}.4:9002
    ulimits:
      nofile: 131072
    network_mode: host

我修改后的docker-compose.yaml


---
version: '3.3'


services:
  management:
    container_name: safeline-mgt-api
    restart: always
    image: chaitin/safeline-mgt-api:${IMAGE_TAG:?image tag required}
    volumes:
    - ${SAFELINE_DIR?safeline dir required}/resources/management:/resources/management
    - ${SAFELINE_DIR}/resources/nginx:/resources/nginx
    - ${SAFELINE_DIR}/logs:/logs
    - /etc/localtime:/etc/localtime:ro
    ports:
    - ${MGT_PORT:-9443}:1443
    - 9002:9002
    environment:
    - MANAGEMENT_RESOURCES_DIR=/resources/management
    - NGINX_RESOURCES_DIR=/resources/nginx
    - DATABASE_URL=${DATABASE_URL}
    - MARIO_URL=http://safeline-mario:3335
    - DETECTOR_URL=http://safeline-detector:8001
    - REDIS_URL=${REDIS_URL}
    - MANAGEMENT_LOGS_DIR=/logs/management
    dns:
      - 119.29.29.29
      - 223.5.5.5
      - 180.76.76.76
      - 1.2.4.8
      - 114.114.114.114
      - 8.8.8.8
    networks:
      - gateway
    cap_drop:
    - net_raw
  detector:
    container_name: safeline-detector
    restart: always
    image: chaitin/safeline-detector:${IMAGE_TAG}
    volumes:
    - ${SAFELINE_DIR}/resources/detector:/resources/detector
    - ${SAFELINE_DIR}/logs/detector:/logs/detector
    - /etc/localtime:/etc/localtime:ro
    environment:
    - LOG_DIR=/logs/detector
    networks:
      - gateway
    cap_drop:
    - net_raw
  mario:
    container_name: safeline-mario
    restart: always
    image: chaitin/safeline-mario:${IMAGE_TAG}
    volumes:
    - ${SAFELINE_DIR}/resources/mario:/resources/mario
    - ${SAFELINE_DIR}/logs/mario:/logs/mario
    - /etc/localtime:/etc/localtime:ro
    environment:
    - LOG_DIR=/logs/mario
    - GOGC=100
    - DATABASE_URL=${DATABASE_URL}
    - REDIS_URL=${REDIS_URL}
    networks:
      - gateway
    cap_drop:
    - net_raw
  tengine:
    container_name: safeline-tengine
    restart: always
    image: chaitin/safeline-tengine:${IMAGE_TAG}
    volumes:
    - ${SAFELINE_DIR}/resources/nginx:/etc/nginx
    - ${SAFELINE_DIR}/resources/management:/resources/management
    - ${SAFELINE_DIR}/resources/detector:/resources/detector
    - ${SAFELINE_DIR}/logs/nginx:/var/log/nginx
    - /etc/localtime:/etc/localtime:ro
    - ${SAFELINE_DIR}/resources/cache:/usr/local/nginx/cache
    - /etc/resolv.conf:/etc/resolv.conf
    environment:
    - REDIS_URL=${REDIS_URL}
    - MGT_ADDR=127.0.0.1:9002
    ulimits:
      nofile: 131072
    network_mode: host

networks:
  gateway:
    external: true

主要改了以下几个方面：

去掉了自带的postgres和redis依赖
修改了network，改为使用我自己创建的统一的gateway
去掉了设置的ip地址段
management对外暴露了9002端口，方便tengine调用

修改*.env*，内容如下：

SAFELINE_DIR=/data/safeline
IMAGE_TAG=latest
MGT_PORT=1443
DATABASE_URL=postgres://user:pwd@host:port/safeline?sslmode=disable&connect_timeout=10
REDIS_URL=redis://:pwd@host:port/db_index