
Deployment Overview of Haltdos Community WAF on Server

Prerequisites and Basic Requirements

The deployment of Haltdos Community WAF requires the following system specifications and configurations:

  • Operating System: Ubuntu (compatible with apt package manager).

  • Privileges: Root access or sudo privileges are required to install packages, configure services, and manage Docker containers.

  • Domain Configuration: The server's FQDN must resolve via DNS in the hostkey.in zone before installation, since certificate issuance depends on it.

  • Ports: Ports 80 and 443 must be accessible for Let's Encrypt certificate validation and HTTPS traffic. Port 3000 is used internally for the application.

FQDN of the Final Panel

The fully qualified domain name (FQDN) for accessing the Haltdos Community WAF panel follows the pattern:

haltdos<Server ID>.hostkey.in

The application is accessible over HTTPS (port 443).

File and Directory Structure

The installation places configuration files, certificates, and data in the following locations:

  • System Configuration: /etc/nginx/sites-available/haltdos.conf

  • Nginx Reverse Proxy Configuration: /etc/nginx/sites-enabled/haltdos.conf (symlink)

  • Let's Encrypt Certificates: /etc/letsencrypt/live/<FQDN>/

  • User Nginx Configurations: /data/nginx/user_conf.d/

  • Docker Compose Configuration: /root/nginx/compose.yml

  • Docker Environment Variables: /data/nginx/nginx-certbot.env

Application Installation Process

The Haltdos Community WAF is installed using the official setup script provided by the vendor. The installation process includes the following steps:

  1. The curl, nginx, and certbot packages are installed via apt.

  2. Existing web servers (nginx, apache2) and Docker containers occupying ports 80 and 443 are stopped so that both ports are free for the installer.

  3. The official installer is downloaded and executed (note that the -k option makes curl skip TLS certificate verification for this download, so the transport does not authenticate the script's origin):

    curl -s -k -o setup.sh https://binary.haltdos.com/community/waf/setup.sh
    chmod +x setup.sh
    ./setup.sh

  4. The system hostname is updated to match the FQDN, and an entry is added to /etc/hosts to ensure local resolution.

Access Rights and Security

Security measures implemented during deployment include:

  • Firewall and Service Management: Existing services occupying ports 80 and 443 are terminated prior to certificate issuance and reverse proxy configuration.

  • Docker Swarm: If an active Docker Swarm is present, the node is forced to leave the swarm to ensure compatibility.

  • Nginx Restrictions: The default Nginx site is disabled to prevent conflicts with the custom Haltdos configuration.

  • SSL/TLS: Secure communication is enforced via Let's Encrypt certificates with TLSv1.2 and TLSv1.3 protocols enabled.

Proxy Servers

Nginx is configured as a reverse proxy to handle incoming traffic and SSL termination.

  • HTTP Redirect: All HTTP requests on port 80 are redirected to HTTPS.

  • HTTPS Configuration: Nginx listens on port 443 with SSL enabled using certificates from Let's Encrypt.

  • Internal Proxy: Traffic is proxied to the Haltdos application running locally on port 9000 (as configured in the Nginx site file) or port 3000 (as configured in the user-defined proxy pass).

  • Headers: The proxy forwards standard headers including Host, X-Real-IP, X-Forwarded-For, and X-Forwarded-Proto.

  • Upstream Certificate Verification: Nginx does not verify the TLS certificate presented by the local Haltdos upstream (proxy_ssl_verify off); the upstream connection is on the loopback interface.
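The site file described above, written out as an added illustration (this is not the provider's actual haltdos.conf or the vendor's installer output). It assumes an HTTPS upstream on 127.0.0.1:9000 and uses the page's haltdos<Server ID>.hostkey.in placeholder, which must be replaced with the real FQDN.

```nginx
# Added example, not the deployment's actual /etc/nginx/sites-available/haltdos.conf.
# Assumptions: FQDN placeholder haltdos<Server ID>.hostkey.in (substitute the real
# name), HTTPS upstream on 127.0.0.1:9000 (the page also mentions 3000; adjust).

# Port 80 exists only to redirect, so the panel is never served in clear text.
server {
    listen 80;
    listen [::]:80;
    server_name haltdos<Server ID>.hostkey.in;
    return 301 https://$host$request_uri;
}

# Port 443: TLS termination with the Let's Encrypt certificate for the FQDN.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name haltdos<Server ID>.hostkey.in;

    ssl_certificate     /etc/letsencrypt/live/haltdos<Server ID>.hostkey.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/haltdos<Server ID>.hostkey.in/privkey.pem;

    # Only the protocol versions the deployment enables; TLS 1.0/1.1 are refused.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Haltdos application listening locally; reachable through this proxy only.
        proxy_pass https://127.0.0.1:9000;

        # Upstream certificate is not verified, matching the deployment. This is
        # tolerable only because the upstream is on loopback; do not reuse the
        # setting for an upstream reached over a network.
        proxy_ssl_verify off;

        # Forward the client address and original scheme so the WAF logs real
        # source IPs and builds correct redirects.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After editing, run nginx -t before systemctl reload nginx, as described in the service management section, so a syntax error does not take the proxy down.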

Permission Settings

The following permissions are applied to key directories and files:

  • Nginx Directory: The /root/nginx directory is created with root:root ownership and mode 0755.

  • Compose File: The /root/nginx/compose.yml file is set with mode 0644.

  • Nginx Site Config: The configuration file /etc/nginx/sites-available/haltdos.conf is created with mode 0644.

  • Let's Encrypt: Certificates are stored in /etc/letsencrypt/ with permissions managed by the certbot service.

Location of Configuration Files and Data

Key configuration files and data directories are located at:

  • Nginx Site Configuration: /etc/nginx/sites-available/haltdos.conf

  • Docker Compose: /root/nginx/compose.yml

  • User Proxy Config: /data/nginx/user_conf.d/haltdos<Server ID>.hostkey.in.conf

  • Environment Variables: /data/nginx/nginx-certbot.env

  • Certificates: /etc/letsencrypt/live/haltdos<Server ID>.hostkey.in/

Available Ports for Connection

The following ports are utilized by the deployment:

  Port   Protocol   Description
  80     TCP        HTTP (redirects to HTTPS)
  443    TCP        HTTPS (public access to Haltdos panel)
  3000   TCP        Internal communication (configured in user proxy)
  9000   TCP        Internal communication (configured in Nginx reverse proxy)

Starting, Stopping, and Updating

Services are managed via the systemctl command for Nginx and docker compose for containerized components.

  • Start Nginx:

    systemctl start nginx
    

  • Enable Nginx on Boot:

    systemctl enable nginx
    

  • Restart Docker Containers:

    cd /root/nginx
    docker compose up -d
    

  • Test Nginx Configuration:

    nginx -t
    

  • Reload Nginx:

    systemctl reload nginx
    

Docker Containers and Their Deployment

The deployment utilizes a Docker container for managing SSL certificates via Nginx and Certbot.

  • Image: jonasal/nginx-certbot:latest

  • Restart Policy: unless-stopped

  • Network Mode: host

  • Volumes:

      ◦ nginx_secrets mapped to /etc/letsencrypt (external volume).

      ◦ /data/nginx/user_conf.d mapped to /etc/nginx/user_conf.d.

  • Environment:

      ◦ Email for Let's Encrypt: [email protected]

      ◦ Additional variables loaded from /data/nginx/nginx-certbot.env.

The container is started using the compose file located at /root/nginx/compose.yml.
