CodeNewbie Community 🌱

Sharon428931

Understanding the `fvm` Service in SafeLine WAF's Docker Compose Setup

In today’s cybersecurity landscape, choosing the right Web Application Firewall (WAF) is essential. SafeLine stands out as a free, open source, and powerful WAF that helps websites defend against a wide range of web attacks.

SafeLine is deployed using Docker, and at the heart of its deployment is the docker-compose.yml file. This file defines and manages multiple containers, making it easy to start, stop, and orchestrate them using simple commands.

In this post, we’ll focus on the configuration of one service—fvm—from the SafeLine Compose file. We'll explain every setting in detail to help you understand how it works and how to customize it.


Sample Configuration: fvm Service

fvm:
  container_name: safeline-fvm
  restart: always
  image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
  volumes:
    - /etc/localtime:/etc/localtime:ro
  logging:
    options:
      max-size: "100m"
      max-file: "5"
  networks:
    safeline-ce:
      ipv4_address: ${SUBNET_PREFIX}.8

Configuration Breakdown

fvm

This is the service name. It’s referenced within the docker-compose.yml file and is also used as an alias for the container. Other services on the same Docker network can communicate with it using this name.


1. container_name

container_name: safeline-fvm
  • This sets the container’s name to safeline-fvm, replacing the random name Docker would assign by default.
  • A custom container name makes it easier to identify and manage containers in logs and during troubleshooting.

2. restart

restart: always
  • This sets the container’s restart policy.
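  • always means Docker will automatically restart the container no matter why it exited, and will start it again after a system reboot once the Docker daemon is running. A container you stop manually stays stopped until the daemon restarts or you start it yourself.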

3. image

image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
  • This defines which Docker image to use for the container.
  • ${IMAGE_PREFIX} and ${IMAGE_TAG} are environment variables, typically defined in a .env file or passed in at runtime.
  • This setup allows flexible control over the image source and version (e.g., changing registry or upgrading to a new tag).

4. volumes

volumes:
  - /etc/localtime:/etc/localtime:ro
  • The volumes key provides persistent storage or mounts host files into the container; this entry is a bind mount of a single host file.
  • This line mounts the host’s /etc/localtime file into the container to ensure consistent timezone settings between the host and the container.
  • :ro makes the mount read-only, preventing the container from modifying the host file.

5. logging

logging:
  options:
    max-size: "100m"
    max-file: "5"
  • Configures log rotation for the container.
    • max-size: "100m" means each log file is capped at 100MB.
    • max-file: "5" keeps a maximum of 5 log files.
  • When a log file reaches max-size, Docker starts a new one; once the number of files exceeds max-file, the oldest file is deleted.
  • This helps limit disk space usage and keeps logs manageable in long-running environments.

6. networks

networks:
  safeline-ce:
    ipv4_address: ${SUBNET_PREFIX}.8
  • Specifies the Docker network the container connects to.
  • safeline-ce is a user-defined network in the same Compose file.
  • The ipv4_address setting assigns a static IP to the container.
    • ${SUBNET_PREFIX} is an environment variable (e.g., 172.20.0) that defines the subnet.
    • .8 assigns a unique address within that subnet.
  • Static IPs are useful for inter-container communication, especially when some services rely on fixed addresses.
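
An added example, not from the original post or the SafeLine project: a small Python check that resolves the `${IMAGE_PREFIX}`, `${IMAGE_TAG}` and `${SUBNET_PREFIX}` references from sections 3 and 6 against a .env file and reports values that leave the service misconfigured. The function names, the `registry.example` prefix and the `1.0.0` tag are constructed for illustration; an unset variable resolves to an empty string, as it does in Compose.

```python
import ipaddress
import re
# The fvm service block from the article, unchanged.
FVM = """fvm:
  container_name: safeline-fvm
  restart: always
  image: ${IMAGE_PREFIX}/safeline-fvm:${IMAGE_TAG}
  volumes:
    - /etc/localtime:/etc/localtime:ro
  logging:
    options:
      max-size: "100m"
      max-file: "5"
  networks:
    safeline-ce:
      ipv4_address: ${SUBNET_PREFIX}.8
"""

def parse_env(text):
    """Parse plain KEY=VALUE lines of a .env file (quotes and 'export' not handled)."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}

def audit(service, env):
    """Resolve ${VAR} references (only this form; unset -> "") and list findings."""
    names = set(re.findall(r"\$\{(\w+)\}", service))
    findings = [f"unset variable {n}" for n in sorted(names - set(env))]
    resolved = re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), service)
    image = re.search(r"^ *image: *(\S+)", resolved, re.M).group(1)
    tag = image.rsplit("/", 1)[-1].partition(":")[2]
    if tag in ("", "latest"):
        findings.append(f"image {image!r} is not pinned to a fixed tag")
    addr = re.search(r"^ *ipv4_address: *(\S*)", resolved, re.M).group(1)
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        findings.append(f"ipv4_address {addr!r} is not a valid IPv4 address")
    findings += [f"host mount {m!r} is writable by the container"
                 for m in re.findall(r"^ *- *(/\S+:\S+)", resolved, re.M) if not m.endswith(":ro")]
    if "max-size" not in resolved:
        findings.append("no max-size: container logs can grow without bound")
    return findings

# Constructed .env contents; 172.20.0 is the article's example subnet prefix.
GOOD_ENV = "IMAGE_PREFIX=registry.example\nIMAGE_TAG=1.0.0\nSUBNET_PREFIX=172.20.0\n"
BAD_ENV = "IMAGE_PREFIX=registry.example\nIMAGE_TAG=latest\n"  # SUBNET_PREFIX missing
if __name__ == "__main__":
    print(audit(FVM, parse_env(GOOD_ENV)), audit(FVM, parse_env(BAD_ENV)), sep="\n")
```

Run against the real file, the same checks would take the contents of your own .env in place of the constructed strings.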

Summary

This breakdown of the fvm service in SafeLine’s Docker Compose file provides a deeper understanding of how each option works. With this knowledge, you can confidently:

  • Customize your SafeLine deployment
  • Maintain consistent environments
  • Troubleshoot issues more effectively

SafeLine’s modular, container-based architecture brings enterprise-grade WAF features to developers and teams for free. Stay tuned for more in-depth configuration guides on other SafeLine components.

