feat: init v1.0.0

CHANGELOG.md

@@ -0,0 +1,18 @@
+SAFELINE-CE CHANGELOG
+===
+
+## [Unreleased]
+
+- 仪表盘
+- 自定义规则
+- 告警
+
+## [1.0.0] - 2023-04-13
+
+- 站点配置
+
+## [0.9.0] - 2023-03-20
+
+- OTP 登录
+- 攻击检测日志
+- 默认防护策略

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Chaitin Tech
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,88 @@
+<p align="center">
+  <img src="https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_logo.png" width="120">
+</p>
+<h1 align="center">雷池 SafeLine 社区版</h1>
+<h3 align="center">不让黑客越雷池半步</h3>
+<br>
+<p align="center">
+  <img src="https://img.shields.io/badge/SafeLine-BEST_WAF-blue">
+  <img src="https://img.shields.io/github/release/chaitin/safeline.svg?color=blue" />
+  <img src="https://img.shields.io/github/release-date/chaitin/safeline.svg?color=blue&label=update" />
+  <img src="https://img.shields.io/docker/v/chaitinops/safeline-mgt-api?color=blue">
+  <img src="https://img.shields.io/github/license/chaitin/safeline?color=blue">
+  <img src="https://img.shields.io/github/stars/chaitin/safeline?style=social">
+</p>
+
+一款简单、好用的 WAF 工具。基于长亭科技王牌的 🤖️智能语义分析算法🤖️ 打造，专为社区设计。
+
+## ✨ Demo
+
+![](https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_detect_log.gif)
+
+![](https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_website.gif)
+
+## 🚀 安装
+
+### 1. 确保机器上正确安装 [Docker](https://docs.docker.com/engine/install/) 和 [Compose V2](https://docs.docker.com/compose/install/)
+```
+docker info
+docker compose version
+```
+
+### 2. 安装产品镜像
+
+```shell
+# 下载安装脚本文件
+wget https://github.com/chaitin/safeline/releases/download/v1.0.0/safeline.zip -O safeline.zip
+unzip safeline.zip
+cd safeline
+# 首次部署需执行 `./safeline-ce.sh` 生成初始化配置，默认安装在 `/data/safeline-ce/` 目录下
+./safeline-ce.sh
+# 运行
+sudo docker compose up -d
+```
+
+## 🕹️ 快速使用
+
+### 1. 登录
+
+浏览器打开后台管理页面 `https://<waf-ip>:9443`。根据界面提示，使用 **支持 TOPT 的认证软件** 扫描二维码，然后输入动态口令登录：
+
+![safeline_login.gif](https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_login.gif)
+
+### 2. 添加站点
+
+![safeline_website.gif](https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_website.gif)
+
+<font color=grey>💡 TIPS: 添加后，执行 `curl -H "Host: <域名>" http://<WAF IP>:<端口>` 应能获取到业务网站的响应。</font>
+
+### 3. 将网站流量切到雷池
+
+- 若网站通过域名访问，则可将域名的 DNS 解析指向雷池所在设备
+- 若网站前有 nginx 、负载均衡等代理设备，则可将雷池部署在代理设备和业务服务器之间，然后将代理设备的 upstream 指向雷池
+
+### 4. 开始防护👌
+
+试试这些攻击方式：
+
+- 浏览器访问 `http://<IP或域名>:<端口>/webshell.php`
+- 浏览器访问 `http://<IP或域名>:<端口>/?id=1%20AND%201=1`
+- 浏览器访问 `http://<IP或域名>:<端口>/?a=<script>alert(1)</script>`
+
+## 📖 FAQ
+
+Q: 添加站点后，执行 `curl -H "Host: <域名>" http://<WAF IP>:<端口>` 无法访问到业务服务器。
+
+—— A: 请检查雷池和业务服务器之间的网络连接
+
+## 🏘️ 联系我们
+1. 您可以通过 GitHub Issue 直接进行 Bug 反馈和功能建议。
+2. 扫描下方二维码可以加入雷池社区版用户讨论群进行详细讨论
+
+<img src="https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_wx_light.jpg" width="30%" />
+<img src="https://ctstack-oss.oss-cn-beijing.aliyuncs.com/veinmind/safeline-assets/safeline_qq_light.jpg" width="30%" />
+
+## ✨ CTStack
+<img src="https://ctstack-oss.oss-cn-beijing.aliyuncs.com/CT%20Stack-2.png" width="30%" />
+
+雷池 SafeLine 现已加入 [CTStack](https://stack.chaitin.com/tool/detail?id=174) 社区

VERSION.TXT

@@ -0,0 +1 @@
+1.0.0

compose.yaml

@@ -0,0 +1,94 @@
+networks:
+  safeline-ce:
+    name: safeline-ce
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+      - gateway: 169.254.0.1
+        subnet: 169.254.0.0/24
+    driver_opts:
+      com.docker.network.bridge.name: safeline-ce
+
+services:
+  postgres:
+    container_name: safeline-postgres
+    restart: always
+    image: postgres:15.2
+    volumes:
+    - ${HOST_RESOURCES_DIR}/postgres/data:/var/lib/postgresql/data
+    environment:
+    - POSTGRES_USER=safeline-ce
+    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+    networks:
+      safeline-ce:
+        ipv4_address: 169.254.0.2
+    cap_drop:
+    - net_raw
+    command: [postgres, -c, max_connections=200]
+  management:
+    container_name: safeline-mgt-api
+    restart: always
+    image: chaitinops/safeline-mgt-api:${IMAGE_TAG}
+    volumes:
+    - ${HOST_RESOURCES_DIR}/management:/resources/management
+    - ${HOST_RESOURCES_DIR}/nginx:/resources/nginx
+    - ${HOST_LOGS_DIR}:/logs
+    - /etc/localtime:/etc/localtime:ro
+    ports:
+    - 9443:1443
+    environment:
+    - MANAGEMENT_RESOURCES_DIR=/resources/management
+    - NGINX_RESOURCES_DIR=/resources/nginx
+    - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@127.0.0.1/safeline-ce
+    - MANAGEMENT_LOGS_DIR=/logs/management
+    networks:
+      safeline-ce:
+        ipv4_address: 169.254.0.4
+    cap_drop:
+    - net_raw
+  detector:
+    container_name: safeline-detector
+    restart: always
+    image: chaitinops/safeline-detector:${IMAGE_TAG}
+    volumes:
+    - ${HOST_RESOURCES_DIR}/detector:/resources/detector
+    - ${HOST_LOGS_DIR}/detector:/logs/detector
+    environment:
+    - LOG_DIR=/logs/detector
+    networks:
+      safeline-ce:
+        ipv4_address: 169.254.0.5
+    cap_drop:
+    - net_raw
+  mario:
+    container_name: safeline-mario
+    restart: always
+    image: chaitinops/safeline-mario:${IMAGE_TAG}
+    volumes:
+    - ${HOST_RESOURCES_DIR}/mario:/resources/mario
+    - ${HOST_LOGS_DIR}/mario:/logs/mario
+    environment:
+    - LOG_DIR=/logs/mario
+    - GOGC=100
+    - DATABASE_URL=postgres://safeline-ce:${POSTGRES_PASSWORD}@169.254.0.2/safeline-ce
+    networks:
+      safeline-ce:
+        ipv4_address: 169.254.0.6
+    cap_drop:
+    - net_raw
+  tengine:
+    container_name: safeline-tengine
+    restart: always
+    image: chaitinops/safeline-tengine:${IMAGE_TAG}
+    volumes:
+    - ${HOST_RESOURCES_DIR}/nginx:/etc/nginx
+    - ${HOST_RESOURCES_DIR}/management:/resources/management
+    - ${HOST_RESOURCES_DIR}/detector:/resources/detector
+    - ${HOST_LOGS_DIR}/nginx:/var/log/nginx
+    - /etc/localtime:/etc/localtime:ro
+    - ${HOST_RESOURCES_DIR}/cache:/usr/local/nginx/cache
+    - /etc/resolv.conf:/etc/resolv.conf
+    ulimits:
+      nofile: 131072
+    network_mode: host

safeline-ce.sh

@@ -0,0 +1,43 @@
+#! /bin/bash
+set -eE
+
+installer_path=$1
+
+version_file="VERSION.TXT"
+
+if [[ ! -f $version_file ]]; then
+    echo "Error: VERSION.TXT not found!"
+    exit 1
+fi
+
+version=$(cat VERSION.TXT)
+
+if [ -z "$installer_path" ];then
+    installer_path="/data/safeline-ce"
+fi
+
+if [[ ! -e $installer_path ]]; then
+    echo "WAF will be installed at $installer_path, y/N"
+    read answer
+    if [ "$answer" != "${answer#[Yy]}" ] ; then
+        echo "Start installing..."
+    else
+        echo "End"
+        exit 1
+    fi
+elif [[ ! -d $installer_path ]]; then
+    echo "Error: $installer_path already exists but is not a directory"
+    exit 1
+fi
+
+env_file=".env"
+if [[ ! -f $env_file ]]; then
+    echo -n "POSTGRES_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)
+HOST_RESOURCES_DIR=$installer_path/resources
+HOST_LOGS_DIR=$installer_path/logs
+IMAGE_TAG=$version
+COMPOSE_PROJECT_NAME=safeline-ce
+COMPOSE_FILE=compose.yaml" > $env_file
+fi
+
+mkdir -p $installer_path