Usually, when we set up a website, we put a CDN/WAF in front of the origin to protect it from attacks, but if it is configured incorrectly the origin IP can still be exposed (for example through search engines such as Censys.io). This post gives some methods to avoid that.
Port 443 SSL certificate leak
When nginx is used as the web server, requests for hostnames that are not bound to any server block are handled by another site's block, so the server can easily be reached through a hostname pointed at it maliciously. On port 443 the situation can be worse: when port 443 is accessed directly, nginx establishes the connection using the certificate of the first server block that has SSL configured, which exposes the origin. We can solve this by configuring a blank certificate on the default site.
First create two files, ssl.crt and ssl.key, in any directory; their contents are a long-lived blank certificate and its private key.
2023.1 update: the old certificate was RSA 1024-bit, which causes errors on newer nginx versions; it has been replaced with a 2048-bit one.
Then add the following to the nginx default configuration file (here using the BT Panel (宝塔) path /www/server/panel/vhost/nginx/0.default.conf as an example; the location differs between environments):
server
{
    listen 80 default_server;   # default_server: this block answers port 80 regardless of file order
    server_name _;
    index index.html;
    root /www/server/nginx/html;   # fill in your default web root
    return 444;
}
server
{
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /xxx/ssl.crt;   # absolute path to the blank certificate
    ssl_certificate_key /xxx/ssl.key;   # absolute path to its private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    index index.html;
    root /www/server/nginx/html;   # fill in your default web root
    return 444;
}
Then restart nginx and you are done: when the server is reached through a hostname that is not bound to it, nginx simply closes the connection (return 444), avoiding the potential risk.
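To confirm that the default server block really is the one answering, the following added script (not from the original post) connects to the origin IP directly, once without SNI and once with a hostname not bound on the server, and compares the SHA-256 fingerprint of the certificate presented with that of the blank ssl.crt. The origin IP, the path to ssl.crt and the unbound probe name are assumptions supplied by the user.

```python
import base64
import hashlib
import socket
import ssl
from typing import Dict, Optional


def pem_to_der(pem: str) -> bytes:
    """Decode a single PEM certificate block into DER bytes."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem: str) -> str:
    return fingerprint_der(pem_to_der(pem))


def served_cert_fingerprint(host: str, port: int = 443,
                            server_name: Optional[str] = None,
                            timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate host:port presents for this SNI.
    server_name=None sends no SNI at all, the direct-IP case the post describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we only inspect the certificate
    ctx.verify_mode = ssl.CERT_NONE  # a blank self-signed cert will not verify
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))


def verdict(served_fp: str, placeholder_fp: str) -> str:
    """'ok' when only the blank certificate is served, otherwise a leak."""
    return "ok" if served_fp == placeholder_fp else "leak: real certificate served"


def check_origin(host: str, placeholder_pem: str, port: int = 443) -> Dict[str, str]:
    """Probe without SNI and with a constructed, unbound hostname."""
    expected = fingerprint_pem(placeholder_pem)
    probes = {"no-sni": None, "unbound-name": "unbound.example.invalid"}
    return {label: verdict(served_cert_fingerprint(host, port, sni), expected)
            for label, sni in probes.items()}


if __name__ == "__main__":
    import sys  # usage: python check_default_cert.py <origin-ip> /path/to/ssl.crt
    with open(sys.argv[2]) as f:
        print(check_origin(sys.argv[1], f.read()))
```

Both probes should report "ok"; a "leak" on either means the real site's certificate, and with it the origin, is still visible to anyone scanning the IP.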