CodeNewbie Community 🌱

Sharon428931

Docker Hardening Guide: Add SafeLine WAF Protection

Docker has become the go-to way to deploy lightweight, portable applications, but an out-of-the-box install is tuned for neither stability nor security. In this guide, you’ll learn how to:

  • Install Docker on CentOS from the official repository (or its Aliyun mirror)
  • Tune the daemon for stability and disk hygiene
  • Put SafeLine WAF, a free Web Application Firewall, in front of the web apps you run in containers

Let’s get started.


Step-by-Step Docker Installation (CentOS)

There are two routes: the convenience script (step 1) or the package repository (steps 2 to 7). Choose one; both end with step 8.

1. Install Docker via the Convenience Script

Don't pipe a remote script straight into bash. Download it, read it, then run it:

curl -fsSL https://get.docker.com -o get-docker.sh
less get-docker.sh
sudo sh get-docker.sh --mirror Aliyun

The --mirror Aliyun switch only makes sense from inside China; elsewhere, drop it so the script installs from download.docker.com. If you took this route, skip to step 8.

2. Remove Old Docker Versions

sudo yum remove docker docker-client docker-common docker-latest docker-engine

3. Install Required Dependencies

sudo yum install -y yum-utils device-mapper-persistent-data lvm2

4. Add the Docker CE Repo

Fetch the repo definition over HTTPS so it cannot be altered in transit. The file it installs sets gpgcheck=1 and points at the signing key, so every package is signature-checked before it is installed; leave both settings as they are.

sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

Outside China, use the upstream file instead: https://download.docker.com/linux/centos/docker-ce.repo

5. List Available Versions

yum list docker-ce --showduplicates | sort -r

6. Install a Specific Version (Optional)

sudo yum install docker-ce-19.03.13 docker-ce-cli-19.03.13 containerd.io

Pin a version only when you track its security fixes yourself. The 19.03 line shown here dates from 2020 and no longer receives updates, so for a new host prefer step 7.

7. Or Install the Latest Version

sudo yum -y install docker-ce docker-ce-cli containerd.io

8. Start and Enable Docker

sudo systemctl start docker
sudo systemctl enable docker

Keep /var/run/docker.sock to administrators: membership in the docker group is equivalent to root on the host, so do not add application or service accounts to it.

Docker Optimization Tips

Move Docker Data to a New Directory

Image layers, container filesystems and volumes all live under the data root, so the new location must stay root-owned and must not be writable by an unprivileged user. A dedicated mount is the usual choice; the home-directory path below is only an example. Copy with rsync -a (archive mode already implies -r and preserves ownership and permissions; -z just burns CPU on a local copy):

systemctl stop docker
mkdir -p /home/jamelli/docker/data/lib
rsync -a /var/lib/docker /home/jamelli/docker/data/lib

Update the Docker service config. --graph is the deprecated name of this flag and has been removed from current releases; use --data-root. An empty ExecStart= line clears the packaged command, so carry over the flags the stock unit uses (check them with systemctl cat docker) rather than replacing the whole line with a bare dockerd. The drop-in directory may not exist yet, so create it first:

mkdir -p /etc/systemd/system/docker.service.d
cat <<EOF > /etc/systemd/system/docker.service.d/data-root.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --data-root=/home/jamelli/docker/data/lib/docker
EOF

systemctl daemon-reload
systemctl restart docker

Confirm with docker info, which reports the new path as Docker Root Dir. Setting "data-root" in /etc/docker/daemon.json is the alternative, but set it in one place only: dockerd refuses to start when the same option arrives both as a flag and from the config file. Once containers run cleanly from the new root, delete the old /var/lib/docker to reclaim the space.

Configure Log Rotation

Without limits, json-file logs grow until the disk fills, which is a cheap denial of service against any container that logs attacker-controlled input. Cap them in /etc/docker/daemon.json (if the file already exists, add these keys to it instead of overwriting it):

cat <<EOF > /etc/docker/daemon.json
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "3"
  }
}
EOF

systemctl restart docker

Changes to daemon.json take effect on restart; no daemon-reload is needed for this file. The limits apply only to containers created after the restart, so recreate long-running ones.

Free Up Disk Space

Check usage, then clean up unused resources:

docker system df
docker system prune
docker system prune -a
docker system df -v

docker system prune removes stopped containers, dangling images, unused networks and build cache; -a also removes every image no container references, so the next deploy pulls them again. Neither touches volumes unless you add --volumes, which you should leave off when volumes hold data you cannot recreate.

Useful Docker Commands

docker system df             # Disk usage
docker image ls              # List images
docker info                  # System details
docker stats                 # Live container metrics
docker logs -f <container>   # Follow logs in real-time

Add SafeLine WAF to Secure Your Stack

Now that Docker is tuned, put a WAF in front of the web apps it runs. SafeLine is a free, high-performance Web Application Firewall that inspects HTTP traffic and blocks common web attacks such as SQL injection, XSS, remote code execution, SSRF and brute-force logins. It runs as its own set of containers on the same host.

1. Install SafeLine

The vendor's one-liner uses curl -k, which disables TLS certificate verification and lets anyone on the path hand you a different installer. Drop -k, fetch the script to disk, read it, then run it:

curl -fsSL -o manager.sh https://waf.chaitin.com/release/latest/manager.sh
less manager.sh
sudo bash manager.sh --en

2. Open the Management Port

The console on 9443 is an administrative interface, not something the internet needs. Open it in the public zone as below only if that zone is reachable from your admin network alone; otherwise restrict the rule to your admin addresses (a firewalld rich rule with a source address does this) or reach the console over a VPN.

firewall-cmd --zone=public --add-port=9443/tcp --permanent
firewall-cmd --reload

Then visit:

https://<your-server-ip>:9443/

The console ships with a self-signed certificate, so expect a browser warning on first visit; accept it only on a host you have just installed yourself, not on one somebody else handed you.

SafeLine: Your Docker Security Layer

SafeLine is an Nginx-based reverse proxy: it listens on the ports you assign to each application in the console, inspects each request, and forwards clean traffic to the upstream container. Two consequences follow.

First, it only protects traffic that actually passes through it. A container started with -p 8080:80 publishes port 8080 on every host interface, and a client that connects there directly never meets the WAF. Publish application ports on loopback (-p 127.0.0.1:8080:80) or, better, leave them unpublished on a Docker network that the SafeLine proxy container is also attached to, and point the upstream at the container name.

Second, it is a layer, not a substitute. Run containers as a non-root user, with a read-only root filesystem where possible, and never mount /var/run/docker.sock into them; a WAF cannot undo a container escape.

It's a good fit for a DevSecOps pipeline, and the community edition is free.
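The bypass check described above, as an added example that is not SafeLine's or the post author's code: it parses the output of docker ps --format '{{.Names}}\t{{.Ports}}', skips the WAF's own containers (assumed here to be named with the safeline- prefix; adjust to your install), and reports every port another container publishes on an unspecified address (0.0.0.0 or ::). The docker ps sample embedded in it is constructed, and the firewalld rich-rule helper for the console port assumes an IPv4 admin address.

```python
#!/usr/bin/env python3
"""Find containers whose published ports bypass the WAF.

Added example, not part of the original post or the SafeLine project.
Parses `docker ps --format '{{.Names}}\t{{.Ports}}'` and reports ports
published on 0.0.0.0 or :: by anything other than the WAF's own containers.
"""
import re
import subprocess
import sys

# Assumption: SafeLine's containers carry this name prefix; change it to match your host.
WAF_PREFIX = "safeline-"
# Host addresses that mean "every interface"; docker ps prints the IPv6 wildcard as ":::<port>".
UNSPECIFIED = {"0.0.0.0", "::", "[::]"}
# One published binding, e.g. "0.0.0.0:8080->80/tcp" or ":::8080->80/tcp".
BINDING = re.compile(r"^(?P<host>.+):(?P<hport>\d+)->(?P<cport>\d+)/(?P<proto>tcp|udp)$")

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
SAMPLE_PS = (
    "safeline-tengine\t0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp\n"
    "safeline-mgt\t0.0.0.0:9443->9443/tcp, :::9443->9443/tcp\n"
    "webapp\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\n"   # reachable around the WAF
    "db\t127.0.0.1:5432->5432/tcp\n"                     # loopback only: fine
    "worker\t80/tcp\n"                                   # EXPOSEd, never published: fine
)


def parse_bindings(ports_field):
    """Return (host_ip, host_port, container_port, proto) for each published port in a Ports cell."""
    out = []
    for item in ports_field.split(","):
        m = BINDING.match(item.strip())
        if m:  # entries without "->" are exposed but not published on the host
            out.append((m["host"], int(m["hport"]), int(m["cport"]), m["proto"]))
    return out


def find_bypasses(ps_output, waf_prefix=WAF_PREFIX):
    """Return (container, host_ip, host_port, container_port, proto) for every
    wildcard publish by a container that is not part of the WAF."""
    findings = []
    for line in ps_output.splitlines():
        if "\t" not in line:
            continue
        name, ports = line.split("\t", 1)
        if name.startswith(waf_prefix):
            continue
        for host, hport, cport, proto in parse_bindings(ports):
            if host in UNSPECIFIED:
                findings.append((name, host, hport, cport, proto))
    return findings


def suggest_fix(finding):
    """The docker run flag that keeps the same mapping but binds it to loopback only."""
    _name, _host, hport, cport, proto = finding
    suffix = "/udp" if proto == "udp" else ""
    return f"-p 127.0.0.1:{hport}:{cport}{suffix}"


def firewalld_rich_rule(admin_cidr, port=9443):
    """firewalld rich rule admitting only admin_cidr to the SafeLine console (IPv4 assumed)."""
    return (f'rule family="ipv4" source address="{admin_cidr}" '
            f'port port="{port}" protocol="tcp" accept')


def live_ps_output():
    """Current `docker ps` output in the expected format (needs the Docker CLI and socket access)."""
    return subprocess.run(
        ["docker", "ps", "--format", "{{.Names}}\t{{.Ports}}"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # `python3 waf_bypass_check.py --live` audits the real host; without --live it uses the sample.
    text = live_ps_output() if "--live" in sys.argv else SAMPLE_PS
    for f in find_bypasses(text):
        print(f"{f[0]}: {f[1]}:{f[2]}->{f[3]}/{f[4]} bypasses the WAF; restart with {suggest_fix(f)}")
    # Apply with: firewall-cmd --permanent --zone=public --add-rich-rule='<rule>' && firewall-cmd --reload
    print("console rule:", firewalld_rich_rule("203.0.113.10/32"))
```

Run it with --live after every deploy, or from CI against a staging host; a clean run means every published port belongs to SafeLine or is bound to loopback. If you use the rich rule, also remove the plain --add-port=9443/tcp rule, otherwise the broader rule still admits everyone.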


Fix: Docker TLS Handshake Timeout

If pulling images fails with this error:

Error response from daemon: net/http: TLS handshake timeout

the daemon is timing out on its way to Docker Hub, usually a slow or filtered route rather than a TLS fault. A registry mirror closer to you fixes it. Add the key to /etc/docker/daemon.json, keeping whatever is already there (the log-rotation settings from earlier, for instance):

sudo vim /etc/docker/daemon.json

{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "3"
  },
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}

systemctl restart docker

Keep the mirror URL on https. A mirror resolves tags for you, so it can hand you a stale or different image for a mutable tag like latest; pin production images by digest (image@sha256:...) and the daemon verifies that what the mirror returns is exactly what you asked for.
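Both daemon.json writes in this guide (the log-rotation block earlier and the registry-mirror fix just above) use cat <<EOF >, so whichever runs second silently discards the first. The helper below is an added example, not code from the original post or from Docker: it merges new keys into the existing file (nested objects such as log-opts key by key), refuses settings that weaken the daemon, and writes the result. The path /etc/docker/daemon.json and the 0644 file mode are assumptions for a stock CentOS install.

```python
#!/usr/bin/env python3
"""Merge settings into /etc/docker/daemon.json instead of overwriting it.

Added example (not from the original post or the Docker project).
"""
import json
import sys
from pathlib import Path

# Assumption: default config location on CentOS; change it if you run dockerd with --config-file.
DAEMON_JSON = Path("/etc/docker/daemon.json")


def validate(config):
    """Raise ValueError for settings that weaken the daemon's security posture."""
    if config.get("insecure-registries"):
        raise ValueError("insecure-registries disables TLS for those registries; remove it")
    for mirror in config.get("registry-mirrors", []):
        if not mirror.startswith("https://"):
            raise ValueError(f"registry mirror must use https, got {mirror!r}")
    tcp_hosts = [h for h in config.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not config.get("tlsverify"):
        raise ValueError(f"TCP daemon socket {tcp_hosts} without tlsverify exposes root on the network")


def merge_daemon_config(existing_text, updates):
    """Return the existing config (JSON text, possibly empty) updated with `updates`.

    Dict values such as log-opts are merged key by key; lists and scalars are replaced,
    so a new registry-mirrors list wins outright. The merged result is validated."""
    config = json.loads(existing_text) if existing_text.strip() else {}
    for key, value in updates.items():
        if isinstance(value, dict) and isinstance(config.get(key), dict):
            config[key] = {**config[key], **value}
        else:
            config[key] = value
    validate(config)
    return config


def render(config):
    """Stable, diff-friendly JSON text for the config file."""
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


def apply_updates(updates, path=DAEMON_JSON):
    """Read, merge and write back via a temp file so a crash never leaves a half-written config."""
    existing = path.read_text() if path.exists() else ""
    config = merge_daemon_config(existing, updates)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(render(config))
    tmp.chmod(0o644)  # assumption: world-readable like the stock file; it holds no secrets
    tmp.replace(path)
    return config


if __name__ == "__main__":
    # Usage: sudo python3 merge_daemon_json.py '{"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]}'
    # then:  systemctl restart docker
    if len(sys.argv) != 2:
        sys.exit("usage: merge_daemon_json.py '<json object of keys to merge>'")
    print(render(apply_updates(json.loads(sys.argv[1]))), end="")
```

The tcp:// check matters more than it looks: a daemon.json that lists "tcp://0.0.0.0:2375" without TLS hands root on the host to anyone who can reach that port, and it is a common copy-paste from older tutorials. If you moved the data root with the systemd drop-in earlier, do not also pass "data-root" here; dockerd refuses to start when an option is set both as a flag and in the file.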

✅ Final Thoughts

Combining Docker with SafeLine WAF means you are not just deploying fast but deploying behind an inspection layer. Whether you're building internal apps, SaaS platforms, or production APIs, this setup helps you run efficiently while reducing exposure to real-world web attacks, provided every application port reaches the outside only through the WAF and the containers behind it are hardened in their own right.

