Deploying SafeLine with Docker Compose

Introduction to SafeLine
SafeLine is a powerful open-source web application firewall designed to protect web applications from a variety of security threats. This guide walks you through deploying SafeLine using Docker Compose, configuring its environment file (.env), and running the required command to retrieve admin account login details after deployment.
Directory Setup
Before deploying SafeLine, you need to set up a directory to store its configuration and resources. Replace <username> with your actual system username.
mkdir -p /home/<username>/docker/safeline
cd /home/<username>/docker/safeline
For example, if your username is techdox:
mkdir -p /home/techdox/docker/safeline
cd /home/techdox/docker/safeline
Fetching the Docker Compose File
Download the SafeLine Docker Compose file:
wget "https://waf.chaitin.com/release/latest/compose.yaml"
This file does not need editing, but you must create a .env file for the deployment.
.env File Configuration
Create a .env file in the same directory as the Compose file. Below is an example .env file:
SAFELINE_DIR=/home/<username>/docker/safeline
IMAGE_TAG=latest
MGT_PORT=9443
POSTGRES_PASSWORD=testing
SUBNET_PREFIX=172.22.222
IMAGE_PREFIX=chaitin
ARCH_SUFFIX=
RELEASE=
Explanation of Variables
- SAFELINE_DIR: Path to the SafeLine directory. Replace <username> with your username.
- IMAGE_TAG: Specifies the image version. Use latest for the most recent version.
- MGT_PORT: Port for the SafeLine Management service.
- POSTGRES_PASSWORD: Password for the PostgreSQL database. Replace with a strong password.
- SUBNET_PREFIX: Subnet prefix for the Docker network. Adjust as needed to avoid conflicts with existing networks.
- IMAGE_PREFIX: Docker image prefix (default: chaitin).
- ARCH_SUFFIX: Architecture-specific suffix (leave empty for default).
- RELEASE: Release version (leave empty for stable).
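An added example (not from the original guide or the SafeLine project): a shell helper that writes this .env with a randomly generated POSTGRES_PASSWORD and owner-only permissions, plus a check that flags an existing file such as the sample above. The function names write_safeline_env and check_safeline_env and the 16-character threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not SafeLine project code. Function names are illustrative.

# Accept exactly three dotted octets in 0-255, e.g. 172.22.222
valid_subnet_prefix() {
    printf '%s\n' "$1" | awk -F. 'NF != 3 { exit 1 }
        { for (i = 1; i <= 3; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# 48 hex characters from the kernel CSPRNG; hex needs no quoting in .env
gen_password() { od -An -N24 -tx1 /dev/urandom | tr -d ' \n'; }

# write_safeline_env DIR [SUBNET_PREFIX] [MGT_PORT]; refuses to overwrite
write_safeline_env() {
    dir=$1 prefix=${2:-172.22.222} port=${3:-9443}
    valid_subnet_prefix "$prefix" || { echo "bad SUBNET_PREFIX: $prefix" >&2; return 1; }
    if [ -e "$dir/.env" ]; then echo "$dir/.env exists, not overwriting" >&2; return 1; fi
    mkdir -p "$dir" || return 1
    pw=$(gen_password)
    [ "${#pw}" -eq 48 ] || { echo "password generation failed" >&2; return 1; }
    ( umask 077   # the file is created with mode 0600
      cat > "$dir/.env" <<EOF
SAFELINE_DIR=$dir
IMAGE_TAG=latest
MGT_PORT=$port
POSTGRES_PASSWORD=$pw
SUBNET_PREFIX=$prefix
IMAGE_PREFIX=chaitin
ARCH_SUFFIX=
RELEASE=
EOF
    )
}

# check_safeline_env FILE: prints each finding, returns 1 if there is any
check_safeline_env() {
    rc=0
    pw=$(sed -n 's/^POSTGRES_PASSWORD=//p' "$1")
    if [ "${#pw}" -lt 16 ]; then echo "POSTGRES_PASSWORD shorter than 16 chars"; rc=1; fi
    if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$1 is readable by group or others"; rc=1
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then write_safeline_env "$@" && check_safeline_env "$1/.env"; fi
```

Run it with the SafeLine directory as the first argument, before `docker compose up -d` creates the database for the first time.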
Docker Compose Configuration Breakdown
Networks
networks:
  safeline-ce:
    name: safeline-ce
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: safeline-ce
- name: Defines the network name.
- driver: Specifies the bridge network driver.
- ipam: Configures IP allocation for the network.
- gateway: The gateway address for the network.
- subnet: Defines the subnet (e.g., 172.22.222.0/24).
- driver_opts: Sets advanced driver options (e.g., bridge name).
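An added example (not part of the original guide): one way to check a candidate SUBNET_PREFIX against the host's existing routes before deploying. The function name subnet_conflicts is an assumption, and the routes are constructed sample lines in the format printed by ip -4 route.

```shell
#!/bin/sh
# Added example. Reads `ip -4 route` style lines on stdin and prints every
# route whose network overlaps PREFIX.0/24. Exit status 0 means a conflict
# was found, 1 means none (same convention as grep).
subnet_conflicts() {
    awk -v prefix="$1" '
    function ip2int(ip,  o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { lo = ip2int(prefix ".0"); hi = lo + 255 }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
        n = split($1, part, "/")
        bits = (n == 2) ? part[2] : 32      # a bare address is a host route
        size = 2 ^ (32 - bits)
        start = int(ip2int(part[1]) / size) * size
        if (start <= hi && start + size - 1 >= lo) { print; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample routing table (interface names are made up)
sample_routes() {
    cat <<'EOF'
default via 192.168.1.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.22.0.0/16 dev br-constructed proto kernel scope link src 172.22.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
EOF
}

# The default prefix from the example .env overlaps the 172.22.0.0/16 route
sample_routes | subnet_conflicts 172.22.222
```

On a real host, run `ip -4 route | subnet_conflicts 172.22.222` before the first deployment; once SafeLine is running, its own safeline-ce network appears in the output.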
Services
PostgreSQL
services:
  postgres:
    container_name: safeline-pg
    restart: always
    image: ${IMAGE_PREFIX}/safeline-postgres${ARCH_SUFFIX}:15.2
    volumes:
      - ${SAFELINE_DIR}/resources/postgres/data:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=safeline-ce
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?postgres password required}
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.2
    command: [postgres, -c, max_connections=600]
    healthcheck:
      test: pg_isready -U safeline-ce -d safeline-ce
- POSTGRES_PASSWORD: Password for the database.
- volumes: Stores persistent PostgreSQL data.
- networks: Assigns the service a static IP address (${SUBNET_PREFIX}.2).
Management Service
  mgt:
    container_name: safeline-mgt
    restart: always
    image: ${IMAGE_PREFIX}/safeline-mgt-g${ARCH_SUFFIX}${RELEASE}:${IMAGE_TAG:?image tag required}
    ports:
      - ${MGT_PORT:-9443}:1443
    volumes:
      - ${SAFELINE_DIR}/resources/mgt:/app/data
    healthcheck:
      test: curl -k -f https://localhost:1443/api/open/health
    depends_on:
      - postgres
      - fvm
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.4
- ports: Exposes the management service on the host at port 9443 by default.
- depends_on: Ensures the postgres and fvm services start first.
Detector Service
  detect:
    container_name: safeline-detector
    restart: always
    image: ${IMAGE_PREFIX}/safeline-detector-g${ARCH_SUFFIX}${RELEASE}:${IMAGE_TAG}
    volumes:
      - ${SAFELINE_DIR}/resources/detector:/resources/detector
    environment:
      - LOG_DIR=/logs/detector
    networks:
      safeline-ce:
        ipv4_address: ${SUBNET_PREFIX}.5
- volumes: Mounts logs and detector resources.
Other Services
- tengine: Handles traffic and communicates with detector.
- luigi: Supports management services.
- fvm: File version management.
- chaos: Adds chaos testing features.
Deployment Steps
Prepare the Directory and Files
- Create the directory:
  mkdir -p /home/<username>/docker/safeline
- Create a .env file based on the example above.
- Fetch the Docker Compose file:
  wget "https://waf.chaitin.com/release/latest/compose.yaml"
- Deploy SafeLine:
  docker compose up -d
- Retrieve Admin Login Details:
  After deployment, run the following command to retrieve the admin account details:
  docker exec safeline-mgt resetadmin
  This command will display the admin username and password.
Conclusion
By following this guide, you have successfully deployed SafeLine using Docker Compose.
You can now access the SafeLine management service via the port specified in the .env file (default: 9443).
Disclaimer
This guide is provided as-is for informational purposes only.
The author and contributors are not responsible for any issues arising from the use of this guide.
Always ensure you follow best security practices and test thoroughly in your environment.
Original Source
This article is based on the original content available at:
https://docs.techdox.nz/safeline/