1. Docker Installation
Remove existing Docker versions:
yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine
Update your yum packages (This may take a moment):
yum update
Install dependencies for Docker:
yum install -y yum-utils device-mapper-persistent-data lvm2
Add the Docker repository:
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
List available Docker versions:
yum list docker-ce --showduplicates | sort -r
Install the latest Docker version:
yum install -y docker-ce
If you want to install a specific version, use:
yum install docker-ce-18.09* -y
Start Docker now and set it to start on boot:
systemctl start docker
systemctl enable docker
Verify Docker installation:
docker --version
2. SafeLine Installation
Online Installation
If your server has internet access, this is the recommended installation method:
bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"
Setting Up Protected Sites
Once the site has been added in SafeLine, execute the following on the client side:
curl -H "Host: <domain>" http://<SafeLine IP>:<SafeLine listening port>
If you get a response from the website and see an increase in "Today's Request," the configuration is successful.
3. Troubleshooting Access Issues
If the website isn't accessible after deploying SafeLine and configuring the site, follow these steps:
Step 1: Identify the issue
If you see a 502 Bad Gateway error (tengine): This likely means that SafeLine's upstream server configuration is incorrect, or SafeLine cannot reach the upstream server. Continue troubleshooting with the following steps.
If the request returns but is very slow:
- Confirm the server load is normal.
- On the client side, check the network between SafeLine and the upstream server:
curl -H "Host: <domain>" -vv -o /dev/null -s -w 'time_namelookup: %{time_namelookup}\ntime_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n' http://<upstream server address>
- If time_namelookup is too high, check your DNS server configuration.
- If time_connect is too high, check the network between SafeLine and the upstream server.
- If time_starttransfer is too high, check the upstream server status for resource overload.
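A small bash helper, added here as an example and not part of the original post, that runs the timing probe above and maps its output to the three checks. The thresholds (DNS_MAX, CONNECT_MAX, TTFB_MAX) are illustrative assumptions, and the function names are hypothetical; curl's timers are cumulative, so the helper subtracts them to get the time spent in each stage.

```bash
#!/usr/bin/env bash
# Assumed thresholds in seconds; tune them to your own baseline.
DNS_MAX=0.5       # acceptable time_namelookup
CONNECT_MAX=1.0   # acceptable TCP connect time (time_connect - time_namelookup)
TTFB_MAX=3.0      # acceptable upstream response time (time_starttransfer - time_connect)

# classify_timings <time_namelookup> <time_connect> <time_starttransfer> <time_total>
# Prints the first stage that exceeds its threshold: dns, network, upstream, or ok.
classify_timings() {
    awk -v l="$1" -v c="$2" -v s="$3" \
        -v dmax="$DNS_MAX" -v cmax="$CONNECT_MAX" -v smax="$TTFB_MAX" 'BEGIN {
        dns = l            # name resolution
        tcp = c - l        # TCP handshake to the upstream
        srv = s - c        # waiting for the upstream to send its first byte
        if (dns > dmax) { print "dns"; exit }
        if (tcp > cmax) { print "network"; exit }
        if (srv > smax) { print "upstream"; exit }
        print "ok"
    }'
}

# explain <code>: the check suggested in the troubleshooting steps above.
explain() {
    case "$1" in
        dns)      echo "time_namelookup is high: check the DNS server configuration" ;;
        network)  echo "time_connect is high: check the network between SafeLine and the upstream" ;;
        upstream) echo "time_starttransfer is high: check the upstream server for resource overload" ;;
        ok)       echo "timings look normal" ;;
        *)        echo "unknown result: $1"; return 1 ;;
    esac
}

# probe_upstream <domain> <upstream url>: runs the page's curl probe and classifies it.
probe_upstream() {
    local out
    out=$(curl -H "Host: $1" -o /dev/null -s \
          -w '%{time_namelookup} %{time_connect} %{time_starttransfer} %{time_total}' "$2") || return 1
    # shellcheck disable=SC2086  # word-splitting the four space-separated timers is intended
    explain "$(classify_timings $out)"
}

# Only contact the network when a domain and upstream URL are given on the command line.
if [ "$#" -eq 2 ]; then
    probe_upstream "$1" "$2"
fi
```

Usage: `./probe.sh example.invalid http://<upstream server address>` from the SafeLine host, or paste the four numbers from the curl output into `classify_timings` directly.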
Step 2: Check response from SafeLine
On the client side, execute:
curl -H "Host: <domain>" http://<SafeLine IP>:<SafeLine listening port>
You should get a response from the website, and "Request" should increase by 1.
If the browser can't access the site but the curl command works: the domain may not have been pointed to SafeLine yet, so the browser is accessing http(s)://<SafeLine IP> directly, which can be blocked by host verification. Modify your local hosts file to point the domain to the SafeLine IP, then access http(s)://<domain> for accurate testing.
If there's a 301 redirect: check the website's response content for special handling, such as redirection to another address.
Step 3: If curl fails
On the SafeLine device, run:
curl -H "Host: <domain>" http://<SafeLine IP>:<SafeLine listening port>
If this works but the previous step didn’t: There may be a network issue between the client and SafeLine. Troubleshoot the network to ensure client access to SafeLine.
If curl still fails, continue to the next step.
Step 4: Final Check
On the SafeLine device, execute:
curl -H "Host: <domain>" http://127.0.0.1:<SafeLine listening port>
If this works but previous steps failed, check for firewall issues on the SafeLine device that might be blocking the listening port. Also, ensure that cloud service provider firewalls are configured to allow access to SafeLine’s listening ports.
If it fails, check the port listening status on SafeLine:
netstat -anp | grep <SafeLine listening port>
Ensure an Nginx process is listening on 0.0.0.0:<SafeLine listening port>. If it's not, submit an issue on the Discord forum or GitHub, including your troubleshooting steps.
Check upstream server connectivity:
curl -H "Host: <domain>" <upstream server address>
If this fails, there’s likely a network issue between SafeLine and the upstream server. Troubleshoot the network to ensure SafeLine can reach the upstream server.
4. Testing the Protection
Confirm Website Accessibility
Ensure your website is accessible by visiting http://<hostname>:<port>/ in your browser.
- The default protocol is HTTP; if SSL is enabled, it will be HTTPS.
- The hostname can be SafeLine’s IP or the website’s domain (make sure the domain points to SafeLine).
- The port is the one configured for the website in SafeLine.
Simulate Attacks
Open your browser and visit the following URLs to simulate attacks:
Simulate SQL Injection:
http://<hostname>:<port>/?id=1%20AND%201=1
Simulate XSS:
http://<hostname>:<port>/?html=
You'll see that SafeLine detects and blocks these attack requests.
Top comments (2)
Instead of CentOS, check out AlmaLinux. Otherwise, nice write up!
Thanks for the suggestion!