DEV Community

Lulu

Deploying SafeLine WAF on CentOS 7 with Docker

1. Docker Installation

Remove existing Docker versions:

   yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine

Update your yum packages (this may take a moment):

   yum update

Install dependencies for Docker:

   yum install -y yum-utils device-mapper-persistent-data lvm2

Add the Docker repository:

   yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

List available Docker versions:

   yum list docker-ce --showduplicates | sort -r

Install the latest Docker version:

   yum install -y docker-ce

If you want to install a specific version, use:

   yum install docker-ce-18.09* -y

Start Docker now and enable it to start on boot:

   systemctl start docker
   systemctl enable docker

Verify Docker installation:

   docker --version

2. SafeLine Installation

Online Installation

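If your server has internet access, this is the recommended installation method. Note that the -k option tells curl to skip TLS certificate verification, so the downloaded script is not authenticated by TLS before bash runs it: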

bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"

Setting Up Protected Sites

Once added, execute the following on the client side:

curl -H "Host: <domain>" http://<SafeLine IP>:<SafeLine listening port>

If you get a response from the website and see an increase in "Today's Request," the configuration is successful.

3. Troubleshooting Access Issues

If the website isn't accessible after deploying SafeLine and configuring the site, follow these steps:

Step 1: Identify the issue

  • If you see a 502 Bad Gateway error (tengine): This likely means that SafeLine's upstream server configuration is incorrect, or SafeLine cannot reach the upstream server. Continue troubleshooting with the following steps.

  • If the request returns but is very slow:

    1. Confirm the server load is normal.
    2. On the client side, check the network between SafeLine and the upstream server:

       curl -H "Host: <domain>" -vv -o /dev/null -s -w 'time_namelookup: %{time_namelookup}\ntime_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n' http://<upstream server address>

       1. If time_namelookup is too high, check your DNS server configuration.
       2. If time_connect is too high, check the network between SafeLine and the upstream server.
       3. If time_starttransfer is too high, check the upstream server status for resource overload.
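
The timers curl reports are cumulative, so a high time_connect can simply reflect a slow DNS lookup. The script below is an added example, not part of the original post: it splits the timing output into per-phase durations and names the slowest phase. The function name, script name and sample values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. curl's time_* values are
# cumulative (seconds since the request started), so each phase is the
# difference between two consecutive timers. Assumes plain HTTP, as in the
# commands on this page (no TLS handshake between connect and first byte).

# slowest_phase: read "name: value" lines on stdin and print
# "<phase> <seconds> <what to check>" for the phase that took longest.
slowest_phase() {
  awk -F': *' '
    $1 == "time_namelookup"    { dns  = $2 }
    $1 == "time_connect"       { conn = $2 }
    $1 == "time_starttransfer" { ttfb = $2 }
    END {
      tcp  = conn - dns     # TCP handshake only
      resp = ttfb - conn    # request sent until first response byte
      phase = "dns"; max = dns; hint = "check the DNS server configuration"
      if (tcp > max)  { phase = "connect";  max = tcp;  hint = "check the network path to the upstream server" }
      if (resp > max) { phase = "upstream"; max = resp; hint = "check the upstream server for resource overload" }
      printf "%s %.3f %s\n", phase, max, hint
    }'
}

# Constructed sample: time_connect looks high, but the TCP handshake took
# only 0.018 s; the time was spent in the DNS lookup.
SAMPLE_SLOW_DNS='time_namelookup: 2.512
time_connect: 2.530
time_starttransfer: 2.610
time_total: 2.615'

# Live use: ./timing.sh <domain> http://<upstream server address>
if [ "$#" -eq 2 ]; then
  curl -H "Host: $1" -o /dev/null -s \
    -w 'time_namelookup: %{time_namelookup}\ntime_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n' \
    "$2" | slowest_phase
else
  printf '%s\n' "$SAMPLE_SLOW_DNS" | slowest_phase
fi
```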

Step 2: Check response from SafeLine

On the client side, execute:

curl -H "Host: <domain>" http://<SafeLine IP>:<SafeLine listening port>

You should get a response from the website, and "Request" should increase by 1.

  • If the browser can't access the site but the curl command works: It may be because the domain hasn’t been pointed to SafeLine, and the browser is accessing http(s)://<SafeLine IP> directly. This could be blocked by the host verification. Modify your local hosts file to point the domain to the SafeLine IP, then access http(s)://<domain> for accurate testing.

  • If there’s a 301 redirect: Check the website's response content for special handling, such as redirection to another address.

Step 3: If curl fails

On the SafeLine device, run:

curl -H "Host: <domain>" http://<SafeLine IP>:<SafeLine listening port>
  • If this works but the previous step didn’t: There may be a network issue between the client and SafeLine. Troubleshoot the network to ensure client access to SafeLine.

  • If curl still fails, continue to the next step.

Step 4: Final Check

On the SafeLine device, execute:

curl -H "Host: <domain>" http://127.0.0.1:<SafeLine listening port>
  • If this works but previous steps failed, check for firewall issues on the SafeLine device that might be blocking the listening port. Also, ensure that cloud service provider firewalls are configured to allow access to SafeLine’s listening ports.

  • If it fails, check the port listening status on SafeLine:

   netstat -anp | grep <SafeLine listening port>

Ensure an Nginx process is listening on 0.0.0.0:<SafeLine listening port>. If it’s not, submit an issue on the Discord forum or GitHub, including your troubleshooting steps.

  • Check upstream server connectivity:
   curl -H "Host: <domain>" <upstream server address>

If this fails, there’s likely a network issue between SafeLine and the upstream server. Troubleshoot the network to ensure SafeLine can reach the upstream server.
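
Steps 1 to 4 as one script for the SafeLine host, as an added example that is not part of the original post. The function names, argument order, script name and result labels are assumptions made for this sketch; the client-side status code comes from running the Step 2 curl with -s -o /dev/null -w '%{http_code}' on the client.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Names and labels are
# assumptions for this sketch.

# probe URL HOST: print the HTTP status code, or 000 when no HTTP response arrived.
probe() {
  code=$(curl -s -o /dev/null -m 5 -H "Host: $2" -w '%{http_code}' "$1" 2>/dev/null) || true
  echo "${code:-000}"
}

# localize CLIENT_CODE DEVICE_IP_CODE LOOPBACK_CODE LISTENER(yes|no)
# Walks the checks in the order of the steps and prints the first fault found.
localize() {
  if [ "$1" = 502 ]; then echo "upstream: SafeLine answered 502, check upstream config and reachability"; return; fi
  if [ "$1" != 000 ]; then echo "ok: SafeLine answered the client"; return; fi
  if [ "$2" != 000 ]; then echo "client-network: works on the device, not from the client"; return; fi
  if [ "$3" != 000 ]; then echo "firewall: only loopback works, check host and cloud firewall rules"; return; fi
  if [ "$4" = no ]; then echo "no-listener: nothing listening on 0.0.0.0:<port>"; return; fi
  echo "check-upstream: listener present, test the upstream server directly"
}

# Live use on the SafeLine host:
#   ./localize.sh <domain> <SafeLine IP> <port> <status code seen by the client>
if [ "$#" -eq 4 ]; then
  device=$(probe "http://$2:$3" "$1")        # Step 3
  loop=$(probe "http://127.0.0.1:$3" "$1")   # Step 4
  if netstat -anp 2>/dev/null | grep "0.0.0.0:$3 " | grep -q LISTEN; then
    listener=yes
  else
    listener=no
  fi
  localize "$4" "$device" "$loop" "$listener"
fi
```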

4. Testing the Protection

Confirm Website Accessibility
Ensure your website is accessible by visiting http://<hostname>:<port>/ in your browser.

  • The default protocol is HTTP; if SSL is enabled, it will be HTTPS.
  • The hostname can be SafeLine’s IP or the website’s domain (make sure the domain points to SafeLine).
  • The port is the one configured for the website in SafeLine.

Simulate Attacks
Open your browser and visit the following URLs to simulate attacks:

  • Simulate SQL Injection: http://<hostname>:<port>/?id=1%20AND%201=1
  • Simulate XSS: http://<hostname>:<port>/?html=

You'll see that SafeLine detects and blocks these attack requests.

Top comments (2)

David

Instead of CentOS, check out AlmaLinux. Otherwise, nice write up!

Lulu

Thanks for the suggestion!