DEV Community

Carrie

Analysis of the Compose Configuration File for SafeLine WAF - MGT

Abstract:

In modern cybersecurity, choosing the right web application firewall is crucial. SafeLine Community Edition is free and easy to use. It provides comprehensive protection for websites, helping them defend against various cyberattacks.

The compose.yml file is the core file of Docker Compose, used to define and manage multiple Docker containers. Through this file, users can start, stop, and manage multiple related containers with simple commands.

Explanation of the MGT Configuration

The MGT service is responsible for managing and coordinating the main operations of the system. Below is a detailed explanation of the Compose configuration.

Configuration Details

Basic Settings

  • container_name: safeline-mgt

    This names the container as safeline-mgt, replacing Docker's default random name, which facilitates subsequent management and identification.

  • restart: always

    Sets the container's restart policy to always, ensuring the container automatically restarts after exiting for any reason, enhancing service availability.

  • image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}

    Specifies the image address used by the container, where IMAGE_PREFIX and IMAGE_TAG are environment variables. These are typically defined in the .env file, allowing for dynamic control of the image version and repository prefix through parameters.

Volume Mounts

  • /etc/localtime:/etc/localtime:ro

    Mounts the host's /etc/localtime file to the container in read-only mode, ensuring that the container's timezone matches the host's.

  • ${SAFELINE_DIR}/resources/mgt:/app/data

    Persists the data directory for the MGT service, ensuring that data is not lost when the container restarts.

  • ${SAFELINE_DIR}/logs/nginx:/app/log/nginx:z

    Maps the container's nginx log directory to the host for easier viewing and analysis of logs.

  • ${SAFELINE_DIR}/resources/sock:/app/sock

    Mounts the sock file directory to support inter-service communication.

  • /var/run:/app/run

    Mounts the host's /var/run directory at /app/run in the container, giving the service access to the host runtime files it needs to operate.

Network and Ports

  • ports: ${MGT_PORT:-9443}:1443

    Maps a host port to port 1443 in the container. The host port is taken from MGT_PORT; if MGT_PORT is not specified in the .env file, it defaults to 9443.

Health Check

  • test: curl -k -f https://localhost:1443/api/open/health

    Configures the health check test command, which confirms the service status by sending a curl request to the service's health check endpoint.

Environment Variables

  • MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable

    Sets the address for the MGT service to connect to the Postgres database. POSTGRES_PASSWORD is an environment variable typically defined in the .env file.

Dependencies

  • depends_on:
    • postgres
    • fvm

    Indicates that the MGT service depends on the postgres and fvm services, which need to start first to ensure proper operation.

Logging Management

  • logging:

    options:

    • max-size: "100m"

      Limits the maximum size of a single log file to 100MB. When a log file reaches this size, a new log file is automatically created.

    • max-file: "5"

      Sets the upper limit for the number of log files to 5. Older log files will be deleted once this limit is exceeded, helping control disk space used by logs.

Network Configuration

  • networks:
    • safeline-ce:
      • ipv4_address: ${SUBNET_PREFIX}.4

    Specifies a static IP address for the MGT service, formed from the subnet prefix in ${SUBNET_PREFIX} followed by the suffix .4.
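
The settings above can also be read from a hardening point of view. The following is an added example, not part of the original post or of SafeLine's own code: a small review script run over the MGT service definition, which is reconstructed here from the values listed on this page. The /data/safeline directory and the password are placeholders standing in for ${SAFELINE_DIR} and ${POSTGRES_PASSWORD}, and the function name and finding texts are assumptions made for illustration.

```python
import re

# Constructed from the settings listed on this page. ${...} variables are
# replaced with placeholder values (assumptions), not real deployment data.
MGT_SERVICE = {
    "container_name": "safeline-mgt",
    "volumes": [
        "/etc/localtime:/etc/localtime:ro",
        "/data/safeline/resources/mgt:/app/data",
        "/data/safeline/logs/nginx:/app/log/nginx:z",
        "/data/safeline/resources/sock:/app/sock",
        "/var/run:/app/run",
    ],
    "ports": ["9443:1443"],
    "healthcheck": {"test": "curl -k -f https://localhost:1443/api/open/health"},
    "environment": [
        "MGT_PG=postgres://safeline-ce:PLACEHOLDER@safeline-pg/safeline-ce?sslmode=disable"
    ],
}

def audit_service(svc):
    """Return (setting, finding) pairs for settings worth a security review."""
    findings = []
    for vol in svc.get("volumes", []):
        host = vol.split(":")[0].rstrip("/")
        # On a default Docker host /var/run holds docker.sock. A container that
        # can reach that socket controls the daemon (root-equivalent on the host);
        # a :ro mount does not prevent connecting to the socket.
        if host in ("/var/run", "/run", "/var/run/docker.sock"):
            findings.append((vol, "host runtime directory mounted (docker.sock reachable)"))
    for port in svc.get("ports", []):
        # HOST:CONTAINER with no bind address publishes on every host interface.
        if len(port.split(":")) == 2:
            findings.append((port, "management port published on all host interfaces"))
    for env in svc.get("environment", []):
        if re.search(r"[?&]sslmode=disable\b", env):
            findings.append((env.split("=", 1)[0], "database connection without TLS"))
    test = svc.get("healthcheck", {}).get("test", "")
    if re.search(r"\bcurl\b.*\s(-k|--insecure)\b", test):
        findings.append(("healthcheck", "certificate verification skipped (-k)"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit_service(MGT_SERVICE):
        print(f"{finding}: {setting}")
```

Each finding is a prompt for review rather than a defect: the management service may need the Docker socket to do its job, and the database and health check traffic stay on the Compose network and localhost respectively. Prefixing the port mapping with a bind address such as 127.0.0.1 is the one change here that needs no knowledge of the service's internals.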
