How to Run Open Source WAF SafeLine on K8s
Carrie
Posted on September 20, 2024
Recently, I've been learning Kubernetes (k8s) and thought of deploying some applications on it to practice. So, I tried using the SafeLine Community Edition and documented the configuration process briefly.
Running Environment
- System: Ubuntu 22.04
- Configuration: 2C8G
- Disk: 40G
- Tools Used: minikube v1.31.1, SafeLine Community Edition v2.4.0
Configuration Files and Related Settings
The configuration files were obtained by modifying the YAML files generated by the kompose tool. They are divided into two parts: one for the main WAF running module configuration file and the other for the storage database configuration file. Since the database configuration doesn't include persistent storage setup, you can refer to steps 1 and 2 in the second section to make the necessary adjustments if you have your own database cluster.
After downloading the configuration files, move them to the appropriate directory and extract them:
tar -xzvf safeline-ce-k8s-configs.tar.gz
tar -xzvf safeline-ce-k8s-db.tar.gz
Step 1: Upload Images
First, you need to upload the offline images to the Docker repository and then use the following script to load them into the minikube working cluster. (You can find the offline image download on the official website)
minikube image load chaitin/safeline-tengine \
chaitin/safeline-mgt-api \
chaitin/safeline-mario \
chaitin/safeline-detector
After running this, you can check the corresponding images by running minikube image ls.
Step 2: Modify Database Information
Open the file management-deployment.yaml. Replace safeline-ce:${POSTGRES_PASSWORD} with your database user and password, and replace the part after @ in @safeline-postgres with the domain name of the PostgreSQL database service in your k8s cluster.
Open the file mario-deployment.yaml. Similarly, replace safeline-ce:${POSTGRES_PASSWORD} and ${REDIS_PASSWORD} with the corresponding database information. Also, replace the part after @ with the appropriate domain name.
If the cluster doesn't have the corresponding databases yet, you can use the provided database configuration files for simple testing. (For long-term use, please consider this carefully.) If using the test database, you only need to change the password in the first two steps. First, run the following script to generate random passwords:
echo "POSTGRES_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)" >> .env
echo "REDIS_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)" >> .env
cat .env
Then open postgres-deployment.yaml and redis-deployment.yaml respectively and copy the passwords to the appropriate locations.
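The manual copy step above can be scripted. This is an added example, not part of the original configuration package: it fills the ${POSTGRES_PASSWORD} and ${REDIS_PASSWORD} placeholders in a manifest from .env and refuses to leave an unresolved placeholder behind. The function names are hypothetical, and it assumes GNU sed (as on Ubuntu) and the alphanumeric passwords produced by the commands above.

```shell
#!/bin/sh
# Added example (not from the SafeLine package): render password placeholders
# in a manifest from the .env file generated above.

# Print the last value assigned to KEY in an env file. The generation commands
# append with >>, so re-running them leaves several lines for the same key.
env_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# render_manifest ENV_FILE MANIFEST
# Replaces both placeholders in place. Fails if a value is missing or is not
# purely alphanumeric (the tr -dc A-Za-z0-9 generator never emits anything
# else, so other characters mean the file was edited or corrupted), or if any
# ${...} placeholder is still present afterwards.
render_manifest() {
    local env_file manifest key value
    env_file=$1
    manifest=$2
    for key in POSTGRES_PASSWORD REDIS_PASSWORD; do
        value=$(env_value "$key" "$env_file")
        case $value in
            ''|*[!A-Za-z0-9]*)
                echo "bad or missing $key in $env_file" >&2
                return 1 ;;
        esac
        # [$] matches a literal dollar sign; { and } are literal in basic regex.
        sed -i 's/[$]{'"$key"'}/'"$value"'/g' "$manifest" || return 1
    done
    if grep -q '[$]{[A-Z_]*}' "$manifest"; then
        echo "unresolved placeholder left in $manifest" >&2
        return 1
    fi
    # Both files now hold cleartext credentials: restrict them to the owner.
    chmod 600 "$env_file" "$manifest"
}
```

Call it once per file, for example render_manifest .env management-deployment.yaml, before running kubectl apply.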
Step 3: Start Containers
First, ensure the databases are running, then start the WAF. The command to apply all configuration files at once is:
# First, cd to the configuration file directory
kubectl apply -f .
I also wrote a simple script in the safeline-ce-k8s-configs directory to start. Run bash ./start.sh to execute it.
You can check the specific running status through kubectl get all. Below is the status of the pods after startup:
Step 4: Testing
First, you can open a server by running kubectl apply -f test-server.yaml in the SafeLine configuration file directory. This server runs python3 -m http.server 8089, and a node port 30007 is opened in the configuration.
Open management-deployment.yaml and check the user-port section for the nodePort item. This item can be changed or assigned automatically by k8s.
Then run kubectl get node -o wide to get the IP address of the running node. You can access the WAF management interface through <node IP>:<nodePort>; for example, you can access it at 192.168.49.2:30018.
PS.
The above access method is via nodePort. If you need to directly access the internal port, such as the 9443 port of management, you can run the script kubectl port-forward service/safeline-management 9440:9443. Then open a new terminal and access it through localhost:9440.
For more access methods, you can check kubectl proxy and the related k8s documentation.
After opening the management page, you can configure the site:
At this point, you can access the server through curl 192.168.49.2:30080. This is because the configuration opens the mapping from the 80 port of the tengine container to the node's 30080 port, thus successfully forwarding through tengine.
Summary
Although the proxy was successful, from the attack tests, the traffic forwarding from tengine to the detector did not succeed, and the attack statements were not intercepted. This indicates that the detector probably did not receive the traffic, which might be related to the internal nginx configuration of tengine.
More Info:
Website: https://waf.chaitin.com/
Github: https://github.com/chaitin/SafeLine
Discord: https://discord.gg/wVyX7vDE
Email: c0849672@gmail.com