Dissecting SafeLine WAF’s mgt Service in Docker Compose

In today's web security landscape, choosing the right Web Application Firewall (WAF) is critical. SafeLine offers a free, open-source WAF that’s not only powerful but developer-friendly. It helps secure websites against a wide range of threats — with minimal setup.

This article walks you through the mgt service configuration in the docker-compose.yml file for the SafeLine, helping you understand how the core management component is structured.

What is docker-compose.yml?

docker-compose.yml is the backbone of Docker Compose, defining and managing multi-container Docker applications. With it, you can spin up, stop, and manage interdependent services using a single command.

Now let’s dive into how the mgt service is configured.

mgt Service Explained

The mgt service handles core system operations and orchestration for SafeLine. Here's a breakdown of its Compose configuration:

Basic Settings

container_name: safeline-mgt

• Gives the container a fixed name (safeline-mgt) instead of Docker's default random names, making it easier to manage.

restart: always

• Ensures the container restarts automatically after a crash or reboot — improving availability.

image: ${IMAGE_PREFIX}/safeline-mgt:${IMAGE_TAG:?image tag required}

• Specifies the image to use, with version and registry prefix defined via environment variables (IMAGE_PREFIX, IMAGE_TAG), usually stored in a .env file.

Volume Mounts

volumes:
  - /etc/localtime:/etc/localtime:ro

• Syncs container timezone with the host system.

  - ${SAFELINE_DIR}/resources/mgt:/app/data

• Persists mgt service data to ensure it survives container restarts.

  - ${SAFELINE_DIR}/logs/nginx:/app/log/nginx:z

• Maps Nginx logs from the container to the host for easier access and analysis.

  - ${SAFELINE_DIR}/resources/sock:/app/sock

• Mounts socket files used for inter-service communication.

  - /var/run:/app/run

• Provides runtime environment by exposing necessary host system directories.

Networking & Ports

ports:
  - ${MGT_PORT:-9443}:1443

• Exposes the container’s 1443 port to the host. Defaults to 9443 unless MGT_PORT is defined in .env.

Health Check

healthcheck:
  test: curl -k -f ...

• Runs a health check using curl to verify the service is up and responsive.

Environment Variables

environment:
  - MGT_PG=postgres://safeline-ce:${POSTGRES_PASSWORD}@safeline-pg/safeline-ce?sslmode=disable

• Defines the Postgres connection string for the mgt service.
• The password is pulled from the POSTGRES_PASSWORD environment variable in .env.

Dependencies

depends_on:
  - postgres
  - fvm

• Ensures that the postgres and fvm services start before mgt, guaranteeing proper service startup order.

Logging Configuration

logging:
  options:
    max-size: "100m"
    max-file: "5"

• Limits each log file to 100MB and keeps a maximum of 5 rotated files to avoid disk overuse.

Network Configuration

networks:
  safeline-ce:
    ipv4_address: ${SUBNET_PREFIX}.4

• Assigns a static IP address to the mgt service using a subnet prefix (SUBNET_PREFIX) defined in .env.

Summary

The mgt service is the brain of the SafeLine WAF setup. Its Docker Compose configuration ensures persistent data, smooth networking, secure database access, and reliable uptime — all essential for running a production-ready WAF.

Join SafeLine Community

• SafeLine WAF GitHub
• Official Docs
• Join Our Discord