commit 99bfa5a65e07bf34f4cefb57417599a625307ecb Author: zclaiqcc Date: Tue Apr 11 14:22:23 2023 +0800 feat: init v1.0.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..edd91bf
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,18 @@
+SAFELINE-CE CHANGELOG
+===
+
+## [Unreleased]
+
+- 仪表盘
+- 自定义规则
+- 告警
+
+## [1.0.0] - 2023-04-13
+
+- 站点配置
+
+## [0.9.0] - 2023-03-20
+
+- OTP 登录
+- 攻击检测日志
+- 默认防护策略
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..3d47167
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Chaitin Tech
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9a15815
--- /dev/null
+++ b/README.md
@@ -0,0 +1,88 @@
+

+ +

+

雷池 SafeLine 社区版

+

不让黑客越雷池半步

+
+

+ + + + + + +

+
+一款简单、好用的 WAF 工具。基于长亭科技王牌的 🤖️智能语义分析算法🤖️ 打造,专为社区设计。
+
+## ✨ Demo
+
+![](https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_detect_log.gif)
+
+![](https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_website.gif)
+
+## 🚀 安装
+
+### 1. 确保机器上正确安装 [Docker](https://docs.docker.com/engine/install/) 和 [Compose V2](https://docs.docker.com/compose/install/)
+```
+docker info
+docker compose version
+```
+
+### 2. 安装产品镜像
+
+```shell
+# 下载安装脚本文件
+wget https://github.com/chaitin/safeline/releases/download/v1.0.0/safeline.zip -O safeline.zip
+unzip safeline.zip
+cd safeline
+# 首次部署需执行 `./safeline-ce.sh` 生成初始化配置,默认安装在 `/data/safeline-ce/` 目录下
+./safeline-ce.sh
+# 运行
+sudo docker compose up -d
+```
+
+## 🕹️ 快速使用
+
+### 1. 登录
+
+浏览器打开后台管理页面 `https://:9443`。根据界面提示,使用 **支持 TOPT 的认证软件** 扫描二维码,然后输入动态口令登录:
+
+![safeline_login.gif](https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_login.gif)
+
+### 2. 添加站点
+
+![safeline_website.gif](https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_website.gif)
+
+💡 TIPS: 添加后,执行 `curl -H "Host: <域名>" http://:<端口>` 应能获取到业务网站的响应。
+
+### 3. 将网站流量切到雷池
+
+- 若网站通过域名访问,则可将域名的 DNS 解析指向雷池所在设备
+- 若网站前有 nginx 、负载均衡等代理设备,则可将雷池部署在代理设备和业务服务器之间,然后将代理设备的 upstream 指向雷池
+
+### 4. 开始防护👌
+
+试试这些攻击方式:
+
+- 浏览器访问 `http://:<端口>/webshell.php`
+- 浏览器访问 `http://:<端口>/?id=1%20AND%201=1`
+- 浏览器访问 `http://:<端口>/?a=`
+
+## 📖 FAQ
+
+Q: 添加站点后,执行 `curl -H "Host: <域名>" http://:<端口>` 无法访问到业务服务器。
+
+—— A: 请检查雷池和业务服务器之间的网络连接
+
+## 🏘️ 联系我们
+1. 您可以通过 GitHub Issue 直接进行 Bug 反馈和功能建议。
+2. 扫描下方二维码可以加入雷池社区版用户讨论群进行详细讨论
+
+
+
+
+## ✨ CTStack
+
+
+雷池 SafeLine 现已加入 [CTStack](https://stack.chaitin.com/tool/detail?id=174) 社区
\ No newline at end of file
diff --git a/VERSION.TXT b/VERSION.TXT
new file mode 100644
index 0000000..afaf360
--- /dev/null
+++ b/VERSION.TXT
@@ -0,0 +1 @@
+1.0.0
\ No newline at end of file
diff --git a/compose.yaml b/compose.yaml
new file mode 100644
index 0000000..fd40a21
--- /dev/null
+++ b/compose.yaml
@@ -0,0 +1,94 @@
+networks:
+ safeline-ce:
+ name: safeline-ce
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - gateway: 169.254.0.1
+ subnet: 169.254.0.0/24
+ driver_opts:
+ com.docker.network.bridge.name: safeline-ce
+
+services:
+ postgres:
+ container_name: safeline-postgres
+ restart: always
+ image: postgres:15.2
+ volumes:
+ - ${HOST_RESOURCES_DIR}/postgres/data:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_USER=safeline-ce
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ networks:
+ safeline-ce:
+ ipv4_address: 169.254.0.2
+ cap_drop:
+ - net_raw
+ command: [postgres, -c, max_connections=200]
+ management:
+ container_name: safeline-mgt-api
+ restart: always
+ image: chaitinops/safeline-mgt-api:${IMAGE_TAG}
+ volumes:
+ - ${HOST_RESOURCES_DIR}/management:/resources/management
+ - ${HOST_RESOURCES_DIR}/nginx:/resources/nginx
+ - ${HOST_LOGS_DIR}:/logs
+ - /etc/localtime:/etc/localtime:ro
+ ports:
+ - 9443:1443
+ environment:
+ - MANAGEMENT_RESOURCES_DIR=/resources/management
+ - NGINX_RESOURCES_DIR=/resources/nginx
+ - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@127.0.0.1/safeline-ce
+ - MANAGEMENT_LOGS_DIR=/logs/management
+ networks:
+ safeline-ce:
+ ipv4_address: 169.254.0.4
+ cap_drop:
+ - net_raw
+ detector:
+ container_name: safeline-detector
+ restart: always
+ image: chaitinops/safeline-detector:${IMAGE_TAG}
+ volumes:
+ - ${HOST_RESOURCES_DIR}/detector:/resources/detector
+ - ${HOST_LOGS_DIR}/detector:/logs/detector
+ environment:
+ - LOG_DIR=/logs/detector
+ networks:
+ safeline-ce:
+ ipv4_address: 169.254.0.5
+ cap_drop:
+ - net_raw
+ mario:
+ container_name: safeline-mario
+ restart: always
+ image: chaitinops/safeline-mario:${IMAGE_TAG}
+ volumes:
+ - ${HOST_RESOURCES_DIR}/mario:/resources/mario
+ - ${HOST_LOGS_DIR}/mario:/logs/mario
+ environment:
+ - LOG_DIR=/logs/mario
+ - GOGC=100
+ - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@169.254.0.2/safeline-ce
+ networks:
+ safeline-ce:
+ ipv4_address: 169.254.0.6
+ cap_drop:
+ - net_raw
+ tengine:
+ container_name: safeline-tengine
+ restart: always
+ image: chaitinops/safeline-tengine:${IMAGE_TAG}
+ volumes:
+ - ${HOST_RESOURCES_DIR}/nginx:/etc/nginx
+ - ${HOST_RESOURCES_DIR}/management:/resources/management
+ - ${HOST_RESOURCES_DIR}/detector:/resources/detector
+ - ${HOST_LOGS_DIR}/nginx:/var/log/nginx
+ - /etc/localtime:/etc/localtime:ro
+ - ${HOST_RESOURCES_DIR}/cache:/usr/local/nginx/cache
+ - /etc/resolv.conf:/etc/resolv.conf
+ ulimits:
+ nofile: 131072
+ network_mode: host
\ No newline at end of file
diff --git a/safeline-ce.sh b/safeline-ce.sh
new file mode 100755
index 0000000..2312290
--- /dev/null
+++ b/safeline-ce.sh
@@ -0,0 +1,43 @@
+#! /bin/bash
+set -eE
+
+installer_path=$1
+
+version_file="VERSION.TXT"
+
+if [[ ! -f $version_file ]]; then
+ echo "Error: VERSION.TXT not found!"
+ exit 1
+fi
+
+version=$(cat VERSION.TXT)
+
+if [ -z "$installer_path" ];then
+ installer_path="/data/safeline-ce"
+fi
+
+if [[ ! -e $installer_path ]]; then
+ echo "WAF will be installed at $installer_path, y/N"
+ read answer
+ if [ "$answer" != "${answer#[Yy]}" ] ; then
+ echo "Start installing..."
+ else
+ echo "End"
+ exit 1
+ fi
+elif [[ ! -d $installer_path ]]; then
+ echo "Error: $installer_path already exists but is not a directory"
+ exit 1
+fi
+
+env_file=".env"
+if [[ ! -f $env_file ]]; then
+ echo -n "POSTGRES_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 $env_file
+fi
+
+mkdir -p $installer_path
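Review bot: In the `tengine` service at the end of compose.yaml, `/etc/resolv.conf:/etc/resolv.conf` is bind-mounted without `:ro` and the service has no `cap_drop`, although it runs with `network_mode: host` and is presumably the proxy that receives site traffic; every other service drops `net_raw`, and `/etc/localtime` is already mounted read-only. I would write `- /etc/resolv.conf:/etc/resolv.conf:ro` and add the same `cap_drop` entry for `net_raw`, so that a compromise of the proxy cannot rewrite the host's resolver file. In `management`, `DATABASE_URL` points at `127.0.0.1` while `mario` uses the postgres address `169.254.0.2`; inside a bridge-networked container loopback is the container itself, so unless the image forwards that port this should read `@169.254.0.2/safeline-ce`. `ports: - 9443:1443` also publishes the admin API on every host interface, and binding it to a dedicated management address (for example `<MGMT_IP>:9443:1443`, placeholder) would narrow the exposure.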