How to Run Open Source WAF SafeLine on K8s

carrie_luo1

Carrie

Posted on September 20, 2024

Recently, I've been learning Kubernetes (k8s) and thought of deploying some applications on it to practice. So, I tried using the SafeLine Community Edition and documented the configuration process briefly.

Running Environment

  • System: Ubuntu 22.04
  • Configuration: 2C8G
  • Disk: 40G
  • Tools Used: minikube v1.31.1, SafeLine Community Edition v2.4.0

Configuration Files and Related Settings

The configuration files were obtained by modifying the YAML files generated by the kompose tool. They are divided into two parts: one holds the configuration for the main WAF modules, and the other holds the configuration for the storage databases. The database configuration doesn't include persistent storage setup, so if you have your own database cluster, refer to steps 1 and 2 in the second section to make the necessary adjustments.

After downloading the configuration files, move them to the appropriate directory and extract them:

tar -xzvf safeline-ce-k8s-configs.tar.gz
tar -xzvf safeline-ce-k8s-db.tar.gz

Step 1: Upload Images

First, upload the offline images to the Docker repository, then use the following command to load them into the minikube working cluster. (The offline image download is available on the official website.)

minikube image load chaitin/safeline-tengine \
                    chaitin/safeline-mgt-api \
                    chaitin/safeline-mario \
                    chaitin/safeline-detector

After running this, you can check the corresponding images by running minikube image ls.

Step 2: Modify Database Information

Open the file management-deployment.yaml. Replace safeline-ce:${POSTGRES_PASSWORD} with your database user and password, and replace the part after @ in @safeline-postgres with the domain name of the PostgreSQL database service in your k8s cluster.

Open the file mario-deployment.yaml. Similarly, replace safeline-ce:${POSTGRES_PASSWORD} and ${REDIS_PASSWORD} with the corresponding database information. Also, replace the part after @ with the appropriate domain name.

If the cluster doesn't have the corresponding databases yet, you can use the provided database configuration files for simple testing. (For long-term use, please consider this carefully.) If using the test database, you only need to change the password in the first two steps. First, run the following script to generate random passwords:

echo "POSTGRES_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)" >> .env
echo "REDIS_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)" >> .env
cat .env

Then open postgres-deployment.yaml and redis-deployment.yaml respectively and copy the passwords to the appropriate locations.
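Copying the passwords by hand is easy to get wrong, so here is a scripted form of Step 2 as an added example (not part of the original post or of the SafeLine project). The function names and the `rendered` output directory are assumptions; unlike the commands above, it overwrites `.env` instead of appending, creates it with owner-only permissions, and writes the filled-in manifests to copies so the originals keep their placeholders.

```shell
#!/bin/sh
# Added example, not SafeLine project code. Function names are hypothetical.

# gen_env FILE: write fresh passwords to FILE, readable by the owner only.
gen_env() (
  umask 077
  rm -f "$1"
  for name in POSTGRES_PASSWORD REDIS_PASSWORD; do
    printf '%s=%s\n' "$name" \
      "$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)" >> "$1" || exit 1
  done
)

# env_value FILE NAME: print the last NAME= entry (the ">>" form appends a new
# entry on every rerun). Fails unless the value is 32 alphanumerics, which
# needs no escaping in the connection URL or in the sed replacement below.
env_value() (
  v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
  case $v in '' | *[!A-Za-z0-9]*) v='' ;; esac
  [ "${#v}" -eq 32 ] || { echo "bad or missing $2 in $1" >&2; exit 1; }
  printf '%s' "$v"
)

# render_manifests ENV SRC_DIR OUT_DIR: fill both placeholders into copies of
# SRC_DIR/*.yaml under OUT_DIR; the originals keep their placeholders.
render_manifests() (
  umask 077
  pg=$(env_value "$1" POSTGRES_PASSWORD) || exit 1
  rd=$(env_value "$1" REDIS_PASSWORD) || exit 1
  mkdir -p "$3" || exit 1
  for f in "$2"/*.yaml; do
    sed -e "s/[$]{POSTGRES_PASSWORD}/$pg/g" -e "s/[$]{REDIS_PASSWORD}/$rd/g" \
      "$f" > "$3/$(basename "$f")" || exit 1
  done
  # A leftover placeholder would reach the cluster as a literal string.
  if grep -n '[$]{[A-Z_]*PASSWORD}' "$3"/*.yaml >&2; then exit 1; fi
)

# Usage: gen_env .env && render_manifests .env . rendered && kubectl apply -f rendered
```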

Step 3: Start Containers

First, ensure the databases are running, then start the WAF. To apply all configuration files at once:

# First, cd to the configuration file directory
kubectl apply -f .

I also wrote a simple script in the safeline-ce-k8s-configs directory to start. Run bash ./start.sh to execute it.

You can check the specific running status through kubectl get all. Below is the status of the pods after startup:

Step 4: Testing

First, start a test server by running kubectl apply -f test-server.yaml in the SafeLine configuration file directory. This server runs python3 -m http.server 8089, and the configuration opens node port 30007 for it.

Open management-deployment.yaml and check the user-port section for the nodePort item. This item can be changed or assigned automatically by k8s.

Then run kubectl get node -o wide to get the IP address of the running node. You can access the WAF management interface through <node IP>:<nodePort>; for example, 192.168.49.2:30018.

PS.

The above access method is via nodePort. If you need to access an internal port directly, such as port 9443 of the management service, run the command kubectl port-forward service/safeline-management 9440:9443. Then open a new terminal and access it through localhost:9440.

For more access methods, you can check kubectl proxy and the related k8s documentation.

After opening the management page, you can configure the site:

At this point, you can access the server through curl 192.168.49.2:30080. This works because the configuration maps port 80 of the tengine container to port 30080 on the node, so the request is forwarded through tengine.

Summary

Although the proxy was successful, from the attack tests, the traffic forwarding from tengine to the detector did not succeed, and the attack statements were not intercepted. This indicates that the detector probably did not receive the traffic, which might be related to the internal nginx configuration of tengine.

More Info:
Website: https://waf.chaitin.com/
Github: https://github.com/chaitin/SafeLine
Discord: https://discord.gg/wVyX7vDE
Email: c0849672@gmail.com
