Deploy SafeLine WAF with Docker Compose: A Step-by-Step Guide

SafeLine WAF is an open-source, powerful web application firewall designed to protect your web applications from a range of security threats. In this guide, we’ll walk you through deploying SafeLine using Docker Compose, configuring the necessary environment file (.env), and retrieving the admin account login details after deployment.

Prerequisites

Before getting started, ensure that you have Docker and Docker Compose installed on your machine. You will also need to have a basic understanding of Docker containers and Compose files.

Step 1: Setting Up the Directory

First, you need to create a directory where SafeLine will store its configuration files and resources.

1. Open your terminal and run the following commands to create the directory and navigate into it:
   

   mkdir -p /home/<user>/docker/safeline
   cd /home/<user>/docker/safeline
   

Note: Replace <user> with your actual system username. For example, if your username is techdox, run:

```bash
mkdir -p /home/techdox/docker/safeline
cd /home/techdox/docker/safeline
```

Step 2: Fetch the Docker Compose File

Now, download the SafeLine Docker Compose file by running:

wget "https://waf.chaitin.com/release/latest/compose.yaml"

The compose.yaml file doesn’t require any editing, but we will create a .env file next to configure the environment.

Step 3: Create and Configure the .env File

Create a .env file in the same directory where the compose.yaml file is located. Below is an example of how to configure your .env file:

SAFELINE_DIR=/home/<user>/docker/safeline
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=testing
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
ARCH_SUFFIX=
RELEASE=

Explanation of Variables

• SAFELINE_DIR: Path to the SafeLine directory. Replace <user> with your username.
• IMAGE_TAG: Specifies the Docker image version. Use latest for the most up-to-date version.
• MGT_PORT: The port for the SafeLine Management service (default: 9443).
• POSTGRES_PASSWORD: Password for the PostgreSQL database (choose a secure one).
• SUBNET_PREFIX: Prefix for the Docker network subnet. Modify this if it conflicts with your existing network settings.
• IMAGE_PREFIX: Docker image prefix (default is chaitin).
• ARCH_SUFFIX: Architecture-specific suffix (leave empty for default).
• RELEASE: The release version (leave empty for the latest stable version).

Step 4: Docker Compose Configuration Breakdown

Networks

The Docker Compose file defines a custom network for SafeLine to run on. Here’s a breakdown:

networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce

• name: The network name (safeline-ce).
• driver: The network driver (bridge).
• gateway: Gateway address for the network.
• subnet: The subnet for the Docker network (e.g., 172.22.222.0/24).
• driver_opts: Sets advanced Docker network options.

Services

The SafeLine deployment consists of several services:

PostgreSQL

services:
  postgres:
    container_name: safeline-pg
    restart: always
    image: ${IMAGE_PREFIX}/safeline-postgres${ARCH_SUFFIX}:15.2
    volumes:
      - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=safeline-ce
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    command: [postgres, -c, max_connections=600]
    healthcheck:
      test: pg_isready -U safeline-ce -d safeline-ce

• volumes: Stores persistent PostgreSQL data.
• networks: Assigns a static IP address (${SUBNET_PREFIX}.2).
• healthcheck: Checks the health of the PostgreSQL service.

Management Service

  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt-g${ARCH_SUFFIX}${RELEASE}:${IMAGE_TAG}
    ports:
      - ${MGT_PORT:-9443}:1443
    volumes:
      - ${SAFELINE_DIR}/resources/mgt:/app/data
    healthcheck:
      test: curl -k -f https://localhost:1443/api/open/health
    depends_on:
      - postgres
      - fvm
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4

• ports: Exposes the management service on port 9443 by default.
• depends_on: Ensures dependencies like PostgreSQL and FVM start first.

Detector Service

  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector-g${ARCH_SUFFIX}${RELEASE}:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5

• volumes: Mounts logs and detector resources.

Step 5: Deploy SafeLine

Now you’re ready to deploy SafeLine! In your terminal, run the following command:

docker-compose up -d

This command will start the SafeLine services in the background.

Step 6: Retrieve Admin Login Details

After the deployment is complete, run the following command to retrieve the admin account details:

docker exec safeline-mgt resetadmin

This command will display the admin username and password required to log into the SafeLine management interface.

Step 7: Access the Management Interface

Once the deployment is complete, you can access the SafeLine Management service via your browser at the URL:

https://<your-server-ip>:9443

Log in using the credentials provided by the resetadmin command.

Congratulations! You’ve successfully deployed SafeLine using Docker Compose. You now have a powerful open-source WAF protecting your web applications.

For support, you can join the Discord community, where our team is available to help.

Disclaimer

This guide is provided as-is for informational purposes. Always ensure you follow best security practices and thoroughly test in your environment before using in production.