陌路人大概的原理就是在使用nginx的服务器上如果你没有给你的ip绑定一个默认站点,那么访问 https://你的ip 就可以访问到你服务器上最新的站点,即使你像百度一样设置了405之类的状态码,也可以通过查看ssl证书来知道你这个ip对应的是哪个网站
别问人家不知道你的域名怎么知道的你的ip,问就是人家批量扫的,如果扫到了那就是简单的对应关系了。
同时也是很多站点,明明套上了cdn,依然能被打到源站IP的原因。
看到这个证书就能发现 [220.181.38.148] 对应的是 baidu.cn,那么反过来baidu.cn对应的源站IP之一就是220.181.38.148
这就中招了
解决方法1:
添加一个自签ip证书
首先给你的服务器添加一个站点
添加完成以后把你的ip默认站点绑定为你刚刚新添加的站点
接下来访问 https://myssl.com/create_test_cert.html 来自定义一个ssl证书,这里我把我弄好的放在这,需要的可以自取生成好了的
密钥(KEY)
-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAqeaBTP1WqVuSjS3b/1Io1VyW+y4EGYZUGNovQTLQaGMihFF7 3birFJDCtiut5puIVzICH3A1VZSh19vMaGus2f5Uydg0M1qV8whCmA7mSDlF+ZSo SlRf1ntWU0oamfLRNAft07Cu1LZMaxW7SMIuutXu/bAImxqtHOygHKz8MMgqQz// Bv6T+IU1tN4nafeaELKEZnVMMbBNTMIpYy8aKpe8MdBPT9fyyKEvfBb8r+XZSEFc Cz5x7ZCinNm63iGHvUScAiTk5ugTJAGoOxwvWNLiwqLKJ7o6ClPuOAmvz9f98tHI ktY09hh6gt6Q2dF+BAPQ51cvuXqALu2X5gxc7QIDAQABAoIBAGnMGfRBRXfMiCPV zMre9IJ4V6Qt8WublD6tjwOAivqV0OaofwOAfTgfNMCPzohtjacOgvfkvbF/DpEG U/EqK8bLcy0FruvTmtBt8loR3SBYWdSi13EBvXQn9YeD+7Cl3dQSo+xQd24J3uhH 7gnOsZ6ynVHoDlPXdrkuOD3jEl+lIQQx1kCjHBZCL9QqP511uOfWwZvAhKer+L9T /ZEg6fxn1kug54YxIbYNSSaZKDuGWiENm67bRPQm+SUstS2tg8Pzfou89IDAajEF kadX03zZLIVXqeHTX8Gd/gse+EyTHYEPbfVgSQy4IpCYokY7wqFTgqvJCrjc/myz 1hl1lMECgYEA4M3PYbO4sVn2UDWqgaZrYzB1MSzsnxeUv2+SzAn9eAje+mN731BQ bKMLWSgIZ7rZTH1gEez8p1oGcfrsq5bRZ2AGN3FxXuXhc0+RQQ3YU1DCvw6hxGOa CbW64BaXfPxwsHlSTuBDZ+TdD/IOjQ2c8VUFGZUWK3SvEBgxhmah63UCgYEAwXo9 WVkvpjbwhBNOXytuqpcGBqqMBf0ilv1Cp5nQpWxLwOS6t6Qj/2Vc1VzwA8VyL9Su GPKdwRhgcQRzQu2EbxfoLIo0odubrUHt1UlvGaPxN7kljHM1hP8vyMhAKAoFCtRW V+gBTZToKna/QrKWE4h6Yal5pVjBzplsknyrlJkCgYEAgo2Dnk3tOLHyJerEtr6b JuOBa6mXUV00eWima/BxT0B3nhogWjQeQLj/YiuplfQhNhapsD9dCyNxEsiSoaPY wJw3gANVv7LpFzpiNNGBjAEe2C37LD5bur/bY0A7gc5o81PBxSTggHmdGCGO6cO6 HT0u1QiL83i0Ijiqqk74QfECgYBwZIl0+PlULkAkCW8SnBFqqdbHUpWK+RT571+k KxdosXOEN5s8CO8ccw6tp5KKLk35+Su1tGLuBDIqFTK742x2eMXX8eVHTWKvEEiQ CVuv4mvDOhvU7ixd+TwSADo8yC1LsDQEVvNC1UjVOiw7G7FQ4YxuZVwUMG5NjRTk N+YYqQKBgFUeXmYGRpLMCI1HXiQGu+d6IeVKxcDJ8cjZq1NHDPxItsmDdOhkPEY9 bcvsTU7Izg0fvnC+6xF587hRKNR1SC04+HTzIZoxwgzspqiOgtAgOxLiU3HZ2ItQ gZ7Cn66y//ZPIWKK/E07g3MMyrF72RSNA+MSXxZwnDvIHnzl4gRa -----END RSA PRIVATE KEY-----
证书(PEM格式)
-----BEGIN CERTIFICATE----- MIIDyDCCArCgAwIBAgIQZ46RvqIBRD+3viHTPlXJLTANBgkqhkiG9w0BAQsFADBe MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRl c3QgUlNBIC0gRm9yIHRlc3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTAe Fw0yMjAxMTAwNjA0MjBaFw0yNzAxMDkwNjA0MjBaMBkxCzAJBgNVBAYTAkNOMQow CAYDVQQDEwEgMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqeaBTP1W qVuSjS3b/1Io1VyW+y4EGYZUGNovQTLQaGMihFF73birFJDCtiut5puIVzICH3A1 VZSh19vMaGus2f5Uydg0M1qV8whCmA7mSDlF+ZSoSlRf1ntWU0oamfLRNAft07Cu 1LZMaxW7SMIuutXu/bAImxqtHOygHKz8MMgqQz//Bv6T+IU1tN4nafeaELKEZnVM MbBNTMIpYy8aKpe8MdBPT9fyyKEvfBb8r+XZSEFcCz5x7ZCinNm63iGHvUScAiTk 5ugTJAGoOxwvWNLiwqLKJ7o6ClPuOAmvz9f98tHIktY09hh6gt6Q2dF+BAPQ51cv uXqALu2X5gxc7QIDAQABo4HGMIHDMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU BggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUKIEmBdE0Gj/Bcw+7k88V HD8Dv38wYwYIKwYBBQUHAQEEVzBVMCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5t eXNzbC5jb20wMAYIKwYBBQUHMAKGJGh0dHA6Ly9jYS5teXNzbC5jb20vbXlzc2x0 ZXN0cnNhLmNydDAMBgNVHREEBTADggEgMA0GCSqGSIb3DQEBCwUAA4IBAQABhU3D U706jy/N+oRyJvC9xzZmvl1wGkDdhJzElfUS4IKJSft2qH0TJgXhPt41Hn1wkKhs xGBNoPhLIuVooA7ZYzvJKrB44OOUTG9mTFxYCQqcRONXIOe4kd+ZwnCRd5hIwN6w HelDY5Ymndg5h20/WuGh/TuFpltIiQCPFvVE2sTQuTGaDrGNcCL6iWBiSHAGVbbM CiI7LkR+W9lP6PtcFu3F+9Z+TjQBggQ4Oaa1ES0pKlEG2w4/YXoyjmyxnbHXHldk s3p1j/DWVKxh35kRyK/YD9pRChcNQcnfeODcYUE+HluwvzZMbkGvbNwlEoZdBS0B wC7Sg8q4fegxTekf -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDuzCCAqOgAwIBAgIQSEIWDPfWTDKZcWNyL2O+fjANBgkqhkiG9w0BAQsFADBf MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxLDAqBgNVBAsTI015U1NMIFRl c3QgUm9vdCAtIEZvciB0ZXN0IHVzZSBvbmx5MRIwEAYDVQQDEwlNeVNTTC5jb20w HhcNMTcxMTE2MDUzNTM1WhcNMjcxMTE2MDUzNTM1WjBeMQswCQYDVQQGEwJDTjEO MAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRlc3QgUlNBIC0gRm9yIHRl c3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMBOtZk0uzdG4dcIIdcAdSSYDbua0Bdd6N6s4hZaCOup q7G7lwXkCyViTYAFa3wZ0BMQ4Bl9Q4j82R5IaoqG7WRIklwYnQh4gZ14uRde6Mr8 yzvPRbAXKVoVh4NPqpE6jWMTP38mh94bKc+ITAE5QBRhCTQ0ah2Hq846ZiDAj6sY hMJuhUWegVGd0vh0rvtzvYNx7NGyxzoj6MxkDiYfFiuBhF2R9Tmq2UW9KCZkEBVL Q/YKQuvZZKFqR7WUU8GpCwzUm1FZbKtaCyRRvzLa5otghU2teKS5SKVI+Tpxvasp fu4eXBvveMgyWwDpKlzLCLgvoC9YNpbmdiVxNNkjwNsCAwEAAaN0MHIwDgYDVR0P AQH/BAQDAgGGMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAfBgNV HSMEGDAWgBSa8Z+5JRISiexzGLmXvMX4oAp+UzAdBgNVHQ4EFgQUKIEmBdE0Gj/B cw+7k88VHD8Dv38wDQYJKoZIhvcNAQELBQADggEBAEl01ufit9rUeL5kZ31ox2vq 648azH/r/GR1S+mXci0Mg6RrDdLzUO7VSf0JULJf98oEPr9fpIZuRTyWcxiP4yh0 wVd35OIQBTToLrMOWYWuApU4/YLKvg4A86h577kuYeSsWyf5kk0ngXsL1AFMqjOk Tc7p8PuW68S5/88Pe+Bq3sAaG3U5rousiTIpoN/osq+GyXisgv5jd2M4YBtl/NlD ppZs5LAOjct+Aaofhc5rNysonKjkd44K2cgBkbpOMj0dbVNKyL2/2I0zyY1FU2Mk URUHyMW5Qd5Q9g6Y4sDOIm6It9TF7EjpwMs42R30agcRYzuUsN72ZFBYFJwnBX8= -----END CERTIFICATE-----
这个证书的效果如下图,是一个空证书
如果宝塔部署时出现错误,那就只能自己去申请和创建网站名对应的证书了。
解决方法2:
禁止直接访问IP
# 禁止IP直接访问网站
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 444;
}
解决方法3:
使用自签IP的SSL证书,返回444
自签证书的目的不是为了访问,而是避开Nginx的这个缺陷。生成自签的IP SSL证书可以用开源的Mkcert(https://myssl.com/create_test_cert.html)工具。Mkcert使用起来稍微麻烦,或者用一个测试证书的在线网页工具:https://myssl.com/create_test_cert.html
在填写域名的位置填上IP地址,点生成按钮会自动测试证书展示在下面,各自保存为.pem文件和.key文件。然后在nginx里配置上“return 444”,类似配置大概:
{
listen 80 ;
listen 443 ssl http2 default_server;
server_name ip;
#HTTP_TO_HTTPS_END
ssl_certificate xxxx.pem;
ssl_certificate_key xxxx.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
return 444;
}
解决方法4:
仅允许指定cdn的IP访问
Nginx仅允许指定cdn的IP访问,避免放到公网上被任何人扫。以腾讯云CDN段为例,在Nginx网站配置文件里,添加如下:
location / {
allow 58.250.143.0/24;
allow 58.251.121.0/24;
allow 59.36.120.0/24;
allow 61.151.163.0/24;
allow 101.227.163.0/24;
allow 111.161.109.0/24;
allow 116.128.128.0/24;
allow 123.151.76.0/24;
allow 125.39.46.0/24;
allow 140.207.120.0/24;
allow 180.163.22.0/24;
allow 183.3.254.0/24;
allow 223.166.151.0/24;
deny all;
}
查一下使用的CDN商家的文档,如果有新的IP段更新,也加到里面。如果是小商家没有文档可以使用站长工具查询。
发表评论