
Deployment Overview of Haltdos Community WAF on Server

Prerequisites and Basic Requirements

  • Operating System: Ubuntu

  • Privileges: Root access is required for installation and configuration.

  • Domain Zone: The application is deployed under the hostkey.in zone.

  • Required Ports:

      • Port 80: Used for Let's Encrypt certificate validation and HTTP redirection.

      • Port 443: Used for HTTPS traffic to the application panel.

      • Port 3000: Internal port for the Haltdos Community WAF service.

  • Dependencies:

      • curl

      • nginx

      • certbot

      • Docker (required for the reverse proxy container and WAF installation).
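The prerequisites above can be checked before setup.sh is run, so that a blocked port or a missing dependency is found before the installer or certbot fails half-way. The script below is an added example, not part of the vendor installer or of the hostkey deployment. It assumes iproute2's ss and the Docker CLI are present and treats the port and dependency lists above as the complete requirement; the parsing helpers read command output on stdin so they can be exercised against sample listings without a live host.

```shell
#!/bin/sh
# Pre-flight check for a fresh Haltdos Community WAF install (added example,
# not part of the vendor's setup.sh). Usage: sh preflight.sh run

# Ports from the "Required Ports" list above. On a fresh install all three
# must be free; after the install, 3000 is held by the WAF service itself.
REQUIRED_PORTS="80 443 3000"
# Binaries for the "Dependencies" list above.
REQUIRED_CMDS="curl nginx certbot docker"

# Print the names of the given commands that are not on PATH, one per line.
missing_from_path() {
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || echo "$cmd"
    done
}

# Read `ss -Hltnp` output on stdin and print the listener lines for PORT.
# Matches "0.0.0.0:80 ", "[::]:80 " and "*:80 " but not ":8080 " or ":30000 ".
# Exit status is 0 when at least one listener was found.
listeners_on_port() {
    grep -E ":$1[[:space:]]"
}

# Read `docker ps --format '{{.Names}} {{.Ports}}'` output on stdin and print
# the names of containers publishing host PORT (e.g. "0.0.0.0:80->80/tcp").
# Containers running with network_mode: host show no ports here; those are
# only visible through the ss listing.
containers_on_port() {
    awk -v port="$1" 'index($0, ":" port "->") { print $1 }'
}

# Run every check against the live host and return non-zero on any failure.
preflight() {
    status=0

    if [ "$(id -u)" -ne 0 ]; then
        echo "FAIL: root access is required (re-run with sudo)"
        status=1
    fi

    # Unquoted on purpose: the lists are space separated.
    missing=$(missing_from_path $REQUIRED_CMDS)
    if [ -n "$missing" ]; then
        echo "FAIL: missing dependencies:" $missing
        status=1
    fi

    ss_out=$(ss -Hltnp 2>/dev/null || true)
    docker_out=$(docker ps --format '{{.Names}} {{.Ports}}' 2>/dev/null || true)
    for port in $REQUIRED_PORTS; do
        if hits=$(printf '%s\n' "$ss_out" | listeners_on_port "$port"); then
            echo "FAIL: port $port already has a listener:"
            echo "$hits"
            status=1
        fi
        names=$(printf '%s\n' "$docker_out" | containers_on_port "$port")
        if [ -n "$names" ]; then
            echo "FAIL: port $port is published by container(s):" $names
            status=1
        fi
    done

    [ "$status" -eq 0 ] && echo "OK: host is ready for setup.sh"
    return "$status"
}

case "${1:-}" in
    run) preflight ;;
esac
```

Run it as root with `sh preflight.sh run`. A listener on 80 or 443 is exactly the conflict the Let's Encrypt step later resolves by stopping Apache, Nginx or a container; finding it here lets you decide what to stop rather than having the installer do it.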

Final Panel Address

The Fully Qualified Domain Name (FQDN) for accessing the Haltdos Community WAF panel follows the format: haltdos<Server ID>.hostkey.in

The panel is accessible via HTTPS on port 443.

File and Directory Structure

The following directories and files are created or utilized during the deployment process:

  • /root/nginx: Directory containing the Docker Compose file for the reverse proxy.

  • /root/nginx/compose.yml: Docker Compose configuration for the Nginx-Certbot container.

  • /etc/nginx/sites-available/haltdos.conf: Nginx server block configuration for the application.

  • /etc/nginx/sites-enabled/haltdos.conf: Symlink to enable the Nginx site configuration.

  • /etc/letsencrypt/live/<FQDN>/: Directory containing Let's Encrypt SSL certificates (fullchain.pem, privkey.pem).

  • /data/nginx/nginx-certbot.env: Environment file for the Nginx container.

  • /data/nginx/user_conf.d: Directory for custom user configurations used by the Nginx container.

  • /root/setup.sh: The installer script for Haltdos Community WAF.

Application Installation Process

The Haltdos Community WAF is installed with the installation script provided by the vendor. The process downloads the script to /root and executes it as root.

To install the application manually:

  1. Navigate to the root directory.

  2. Download the setup script from https://binary.haltdos.com/community/waf/setup.sh.

  3. Make the script executable.

  4. Run the script to initiate the installation.

The commands used for this process are:

cd /root
curl -s -k -o setup.sh https://binary.haltdos.com/community/waf/setup.sh
chmod +x setup.sh
./setup.sh

Note that -k makes curl skip TLS certificate verification, so the script is fetched over an unauthenticated connection and then executed as root. Drop -k unless the download fails for a known certificate problem, and review the downloaded script before running it.

Proxy Servers

The deployment uses Nginx as a reverse proxy to terminate HTTPS and manage SSL certificates. Two configurations are managed:

  1. System Nginx: Used when Let's Encrypt is enabled. It listens on ports 80 and 443, terminates TLS, and proxies requests to the internal Haltdos service.

  2. Docker Nginx-Certbot: A containerized Nginx instance that obtains and renews the certificates and routes traffic. It runs with host networking, so it binds ports 80 and 443 directly; it and the system Nginx cannot listen at the same time.

The Nginx configuration for the system instance (/etc/nginx/sites-available/haltdos.conf) includes:

  • Redirects all HTTP (port 80) traffic to HTTPS.

  • Listens on port 443 with SSL enabled using Let's Encrypt certificates.

  • Proxies requests to the internal Haltdos service. The port table on this page lists 3000 as the internal port (http://127.0.0.1:3000); the generated haltdos.conf may instead reference https://127.0.0.1:9000, so check the proxy_pass target in the file against the port the WAF service is actually listening on.
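The server block described above, reconstructed as an added example; it is not the file the deployment writes. It assumes the internal service is http://127.0.0.1:3000 (the port in this page's table), uses a webroot location for the HTTP-01 challenge (certbot's nginx plugin manages that itself), and adds the usual forwarding headers, which the page does not mention. Replace <FQDN> with haltdos<Server ID>.hostkey.in.

```nginx
# /etc/nginx/sites-available/haltdos.conf (added example, not the deployment's file)

server {
    listen 80;
    listen [::]:80;
    server_name <FQDN>;

    # Let's Encrypt HTTP-01 validation stays on port 80.
    # Webroot path is an assumption; certbot --nginx handles this on its own.
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name <FQDN>;

    ssl_certificate     /etc/letsencrypt/live/<FQDN>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<FQDN>/privkey.pem;
    # The only versions the page allows.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Internal WAF service per the port table above. If your haltdos.conf
        # points at https://127.0.0.1:9000 instead, remember that nginx does
        # not verify the upstream certificate unless proxy_ssl_verify is on.
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Enable it with the symlink listed in the file structure above and check the result with `nginx -t` before reloading.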

The Docker Compose file for the proxy (/root/nginx/compose.yml) utilizes the jonasal/nginx-certbot:latest image.

Docker Containers and Their Deployment

A Docker container is deployed to manage the Nginx reverse proxy and Let's Encrypt certificates.

Container Image: jonasal/nginx-certbot:latest

Deployment Command: The container is managed via Docker Compose located at /root/nginx/compose.yml. To start the container:

cd /root/nginx
docker compose up -d

Configuration Details:

  • Network Mode: Host

  • Volumes:

      • nginx_secrets: Maps to /etc/letsencrypt (external volume).

      • /data/nginx/user_conf.d: Mounted to /etc/nginx/user_conf.d inside the container.

  • Environment Variables:

      • CERTBOT_EMAIL: Set to [email protected] (or defined in the .env file).

      • env_file: Points to /data/nginx/nginx-certbot.env.
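The configuration details above, assembled into a compose file as an added example; it is not the deployment's own /root/nginx/compose.yml. The restart policy and the read-only mount flag are assumptions the page does not state, and the registration email is a placeholder.

```yaml
# /root/nginx/compose.yml (added example, not the deployment's file)
services:
  nginx-certbot:
    # The deployment pulls the floating :latest tag. Pinning a release tag or an
    # @sha256 digest makes updates deliberate instead of whatever the registry
    # serves at the next "docker compose up".
    image: jonasal/nginx-certbot:latest
    # Host networking: the container binds 80 and 443 on the host directly, so
    # the system nginx must be stopped while this container runs.
    network_mode: host
    restart: unless-stopped            # assumption; not stated on the page
    environment:
      - CERTBOT_EMAIL=<registration email>
    env_file:
      - /data/nginx/nginx-certbot.env
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d:ro   # :ro is an assumption

volumes:
  nginx_secrets:
    external: true    # create once with: docker volume create nginx_secrets
```

Because the volume is declared external, `docker compose up -d` fails until `docker volume create nginx_secrets` has been run once; the certificates then survive `docker compose down`. The image reads the server blocks placed in /etc/nginx/user_conf.d and requests certificates for the server_name values whose ssl_certificate paths point under /etc/letsencrypt/live/, so the user_conf.d directory is where the FQDN is defined for the containerized variant.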

SSL Certificates

Let's Encrypt is used to automatically obtain and renew SSL certificates for the Haltdos FQDN.

  • Email for Registration: [email protected]

  • Certificate Location: /etc/letsencrypt/live/haltdos<Server ID>.hostkey.in/

  • Certificate Files:

  • fullchain.pem

  • privkey.pem

  • Certificate Protocols: TLSv1.2 and TLSv1.3 are enforced.

If Let's Encrypt is enabled, the system ensures that ports 80 and 443 are free before requesting the certificate (HTTP-01 validation needs port 80), stopping conflicting services (Apache, an existing Nginx instance) or Docker containers that occupy these ports.
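Once the certificate is in place, the properties listed in this section can be verified from outside the server. The script below is an added example, not part of the vendor installer or the hostkey deployment. It assumes curl and OpenSSL 1.1.1 or newer on the machine running the check, and takes the server ID as its argument to build the FQDN in the documented format; the header and SAN parsers read their input on stdin so they can be exercised against constructed samples.

```shell
#!/bin/sh
# Post-deployment TLS check for the panel (added example, not vendor code).
# Checks that HTTP redirects to HTTPS, that only TLSv1.2/1.3 are accepted,
# and that the certificate names the FQDN and is not close to expiry.
# Usage: sh check_tls.sh <Server ID>

# Build the panel FQDN from the server ID using the documented format.
panel_fqdn() {
    printf 'haltdos%s.hostkey.in\n' "$1"
}

# Read HTTP response headers (as printed by `curl -sI`) on stdin and succeed
# only if the status is a redirect and the Location header uses https://.
redirect_is_https() {
    awk 'NR == 1 && $2 ~ /^30[1278]$/ { code = 1 }
         tolower($1) == "location:" && index($2, "https://") == 1 { loc = 1 }
         END { exit !(code && loc) }'
}

# Read `openssl x509 -noout -ext subjectAltName` output on stdin and succeed
# only if "DNS:<fqdn>" appears as a whole SAN entry (no prefix/suffix match).
san_has_host() {
    awk -v want="DNS:$1" '{
        gsub(/[ \t\r]/, "")
        n = split($0, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == want) found = 1
    } END { exit !found }'
}

# Run the live checks against the panel; return non-zero on any failure.
check_panel() {
    fqdn=$(panel_fqdn "$1")
    status=0

    # 1. Port 80 must only redirect (and serve ACME challenges).
    if curl -sI --max-time 10 "http://$fqdn/" | redirect_is_https; then
        echo "OK:   http://$fqdn redirects to HTTPS"
    else
        echo "FAIL: http://$fqdn does not redirect to HTTPS"; status=1
    fi

    # 2. Legacy protocol versions must be refused, TLSv1.2/1.3 accepted.
    for proto in tls1 tls1_1; do
        if openssl s_client -connect "$fqdn:443" -servername "$fqdn" "-$proto" \
               </dev/null >/dev/null 2>&1; then
            echo "FAIL: $proto accepted"; status=1
        else
            echo "OK:   $proto refused"
        fi
    done
    for proto in tls1_2 tls1_3; do
        if openssl s_client -connect "$fqdn:443" -servername "$fqdn" "-$proto" \
               </dev/null >/dev/null 2>&1; then
            echo "OK:   $proto accepted"
        else
            echo "FAIL: $proto refused"; status=1
        fi
    done

    # 3. Leaf certificate: SAN covers the FQDN, more than 30 days remain.
    cert=$(openssl s_client -connect "$fqdn:443" -servername "$fqdn" \
               </dev/null 2>/dev/null | openssl x509)
    if printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName | san_has_host "$fqdn"; then
        echo "OK:   certificate SAN includes $fqdn"
    else
        echo "FAIL: certificate SAN does not include $fqdn"; status=1
    fi
    if printf '%s\n' "$cert" | openssl x509 -noout -checkend $((30 * 86400)); then
        echo "OK:   certificate valid for more than 30 days"
    else
        echo "FAIL: certificate expires within 30 days (renewal not working?)"; status=1
    fi

    return "$status"
}

case "${1:-}" in
    "") ;;
    *) check_panel "$1" ;;
esac
```

A "refused" result for tls1 or tls1_1 can also come from the local OpenSSL policy rather than the server (OpenSSL 3 disables those versions at its default security level); repeating the probe with `-cipher 'DEFAULT:@SECLEVEL=0'` shows whether it is the server that declines. The 30-day threshold is the point at which Let's Encrypt renewal should already have happened, so a failure there means the renewal job, not the certificate, needs attention.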

Permission Settings

  • Nginx Site Configuration: /etc/nginx/sites-available/haltdos.conf is created with 0644 permissions.

  • Docker Compose File: /root/nginx/compose.yml is set with 0644 permissions.

  • Nginx Root Directory: /root/nginx is owned by root:root with 0755 permissions.

  • Docker Volume: The nginx_secrets volume is external and mounted at /etc/letsencrypt.

Available Ports for Connection

The following ports are used by the deployed system. Only 80 and 443 need to be reachable from outside; 3000 is the internal service port, which the proxy reaches on 127.0.0.1, so it should be bound to loopback or filtered rather than exposed.

Port   Protocol   Purpose
80     TCP        HTTP (redirects to HTTPS / Certbot validation)
443    TCP        HTTPS (public access to the Haltdos Community WAF panel)
3000   TCP        Internal service port for Haltdos Community WAF

Starting, Stopping, and Updating

System Services:

  • Start Nginx:

    systemctl start nginx
    

  • Enable Nginx at Boot:

    systemctl enable nginx
    

  • Stop Nginx:

    systemctl stop nginx
    

Docker Containers:

  • Start/Restart Proxy Container:

    cd /root/nginx
    docker compose up -d
    

  • Stop Proxy Container:

    cd /root/nginx
    docker compose down
    

Updating: To update the application, re-run the installation script provided by the vendor:

cd /root
./setup.sh

Note: If the update fails with a port conflict, stop the system Nginx service (systemctl stop nginx) before re-running the script, and start it again afterwards.
