CodeNewbie Community 🌱

Sharon428931

Dissecting SafeLine WAF’s mgt Service in Docker Compose

In today's web security landscape, choosing the right Web Application Firewall (WAF) is critical. SafeLine offers a free, open-source WAF that’s not only powerful but developer-friendly. It helps secure websites against a wide range of threats — with minimal setup.

This article walks you through the mgt service configuration in SafeLine's docker-compose.yml file, helping you understand how the core management component is structured.


What is docker-compose.yml?

docker-compose.yml is the backbone of Docker Compose, defining and managing multi-container Docker applications. With it, you can spin up, stop, and manage interdependent services using a single command.

Now let’s dive into how the mgt service is configured.


mgt Service Explained

The mgt service handles core system operations and orchestration for SafeLine. Here's a breakdown of its Compose configuration:

Basic Settings

container_name: safeline-mgt
  • Gives the container a fixed name (safeline-mgt) instead of Docker's default random names, making it easier to manage.
restart: always
  • Ensures the container restarts automatically after a crash or reboot — improving availability.
image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
  • Specifies the image to use. The registry prefix and version come from the environment variables IMAGE_PREFIX and IMAGE_TAG, usually stored in a .env file. The :? form makes Compose stop with the message "image tag required" if IMAGE_TAG is unset or empty.

Volume Mounts

volumes:
  - /etc/localtime:/etc/localtime:ro
  • Syncs container timezone with the host system.
  - ${SAFELINE_DIR}/resources/mgt:/app/data
  • Persists mgt service data to ensure it survives container restarts.
  - ${SAFELINE_DIR}/logs/nginx:/app/log/nginx:z
  • Maps Nginx logs from the container to the host for easier access and analysis. The :z option relabels the directory as shared content on SELinux hosts.
  - ${SAFELINE_DIR}/resources/sock:/app/sock
  • Mounts socket files used for inter-service communication.
  - /var/run:/app/run
  • Mounts the host's /var/run directory at /app/run inside the container (read-write, since no :ro flag is given), exposing the host's runtime files to the service.

Networking & Ports

ports:
  - ${MGT_PORT:-9443}:1443
  • Publishes the container's port 1443 on the host. The host port defaults to 9443 unless MGT_PORT is defined in .env.

Health Check

healthcheck:
  test: curl -k -f ...
  • Runs a health check using curl to verify the service is up and responsive.

Environment Variables

environment:
  - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
  • Defines the Postgres connection string for the mgt service.
  • The password is pulled from the POSTGRES_PASSWORD environment variable in .env.

Dependencies

depends_on:
  - postgres
  - fvm
  • Ensures that the postgres and fvm services start before mgt, guaranteeing proper service startup order.

Logging Configuration

logging:
  options:
    max-size: "100m"
    max-file: "5"
  • Limits each log file to 100MB and keeps a maximum of 5 rotated files to avoid disk overuse.

Network Configuration

networks:
  safeline-ce:
    ipv4_address: ${SUBNET_PREFIX}.4
  • Assigns a static IP address to the mgt service using a subnet prefix (SUBNET_PREFIX) defined in .env.
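
The fragments above can be checked mechanically before deployment. The Python sketch below is an added example, not part of the original article or of SafeLine's tooling: it reassembles the quoted settings and flags a port published without a host IP, the host /var/run mount, sslmode=disable in the Postgres connection string, and variables that have neither a default nor a :? guard. The function names and rule names are made up for this example.

```python
import re

# mgt fragments quoted in the article, reassembled; healthcheck, depends_on, logging omitted.
MGT_SERVICE = """\
image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}
volumes:
  - /etc/localtime:/etc/localtime:ro
  - ${SAFELINE_DIR}/resources/mgt:/app/data
  - ${SAFELINE_DIR}/logs/nginx:/app/log/nginx:z
  - ${SAFELINE_DIR}/resources/sock:/app/sock
  - /var/run:/app/run
ports:
  - ${MGT_PORT:-9443}:1443
environment:
  - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable
networks:
  safeline-ce:
    ipv4_address: ${SUBNET_PREFIX}.4
"""

# ${VAR}, ${VAR:-default}, ${VAR-default}, ${VAR:?error}, ${VAR?error}
VAR = re.compile(r"\$\{(\w+)(?:(:?[-?])([^}]*))?\}")

def unguarded_vars(text):
    """Variables with no default or guard; if unset, Compose substitutes ''."""
    return sorted({m.group(1) for m in VAR.finditer(text) if not m.group(2)})

def audit(text):
    """Return (rule, line) pairs for settings worth reviewing before deployment."""
    findings, section = [], None
    for line in text.splitlines():
        if not line.startswith(" "):           # top-level key of the service
            section = line.split(":", 1)[0]
            continue
        item = re.sub(r"^\s*-\s*", "", line)   # drop the list marker
        parts = VAR.sub("X", item).split(":")  # hide ':' inside ${...} first
        if section == "ports" and len(parts) < 3:
            # short syntax without a host IP publishes on every host interface
            findings.append(("port-on-all-interfaces", item))
        if section == "volumes" and parts[0] in ("/var/run", "/run"):
            # on a Docker host this directory normally holds docker.sock
            findings.append(("host-runtime-dir-mounted", item))
        if section == "environment" and "sslmode=disable" in item:
            findings.append(("postgres-tls-disabled", item))
    return findings

if __name__ == "__main__":
    for finding in audit(MGT_SERVICE) + [("unguarded-vars", unguarded_vars(MGT_SERVICE))]:
        print(*finding, sep=": ")
```

Binding the port to a specific host address, for example 127.0.0.1:${MGT_PORT:-9443}:1443, clears the first finding.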

Summary

The mgt service is the brain of the SafeLine WAF setup. Its Docker Compose configuration ensures persistent data, smooth networking, secure database access, and reliable uptime — all essential for running a production-ready WAF.

