别让 SSL 证书暴露了你的源站 IP

有很多站长(比如我)选择为自己的网站套上cdn,比起加速效果我相信更多人是为了保护自己那脆弱可怜幼小无助的源站ip不被人发现,不过有亿些平台 例如 https://search.censys.io/ 会通过nginx的‘特性’来批量扫描 https://ip 以通过ssl证书获取ip与源站的对应关系

扫描IP原理

大概的原理就是在使用nginx的服务器上如果你没有给你的ip绑定一个默认站点,那么访问 https://你的ip 就可以访问到你服务器上最新的站点,即使你像百度一样设置了405之类的状态码,也可以通过查看ssl证书来知道你这个ip对应的是哪个网站

别问人家不知道你的域名怎么知道的你的ip,问就是批量扫的,如果扫到了那就是简单的对应关系了

图片[1] - 别让 SSL 证书暴露了你的源站 IP[基础教程] - 正则时光
图片[2] - 别让 SSL 证书暴露了你的源站 IP[基础教程] - 正则时光

看到这个证书就能发现 [14.215.177.39] 对应的是 baidu.cn,那么反过来baidu.cn对应的源站IP之一就是14.215.177.39

所以说我就中招了(删库跑路中)

解决办法

至于解决方法也很简单(如果你还没中枪),这里用宝塔面板演示一遍(中枪了就赶紧换ip吧)

1.添加站点

首先给你的服务器添加一个站点

图片[3] - 别让 SSL 证书暴露了你的源站 IP[基础教程] - 正则时光

2.设置默认站点

添加完成以后把你的ip默认站点绑定为你刚刚新添加的站

图片[4] - 别让 SSL 证书暴露了你的源站 IP[基础教程] - 正则时光

3.添加自定义ssl证书

接下来访问 https://myssl.com/create_test_cert.html 来自定义一个ssl证书,这里我把我弄好的放在这,需要的可以自取

-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA3JC1fwAf2pFCZsRHBoxNUq2WCZzofhrctHok7c2JXawWOQa9 kvYIKkEnWOIfHfmiF+6CGDr4yCgv17qs6ms2i3iIVS5uxarMp7TWQSRReRq5YH4L r0sIHo5tWhQ5TDUmcVDKVwQIVZF16mP3a5gdKTf9O9TIGst9TB5teVGfwXCbyBZf vKa6dW4cq0nLnbc85jI+b9DRq21w/UfrwAbMjF5CwArTlW8WnkUkKiFXEyMz2mr4 A7OiiPuhFcY3tiwkZS1/RpbJcNplLcR//SWELe/fKurAVinaZsR0NsfLM3ADoAZV 2FnYqFP0SlmjopLcrr0dCyBy775jszSzkkdF8QIDAQABAoIBAQCKUM0gaWmQXQtw +qE3wAA1Wtn+CUHa4umI3BgQcJY2AdalyE5VvKf+J4GPQa4V1BgMPeujWkfs7Raj iFMrZjR8XgfQsx+QIb3ZZZP+odHdyh56HlEhikH7N4HnvUr5OVN0OB/LVaIMVv3F EQ91j5yp3oyVWqhp9TYL6ADq1X8DhHqE5RcPP92bDG0vc84oS+SPPcARWvlbs78t lyh+JVnLbdoZQ4knQNiPQA7OL0PLWmhemn8RxbpcKhnr5+rgeuSvUrFsvE4a257M i4ufbkVs3dmB4G+QQqrDRKnfkqYjeXyXXGMbTzrM7Wyp0Qi2t0IOxoptdsZ+k+SM ZWpnLczpAoGBAO4ApaT2Mu7z2TgZZuOkUtRwWwU4olS0SWqKeRX85n6JTnY3IOoL i4x3w9bxLCwKeb5KvryDJt0R4sHnexp++dQckIdWHXTzXxAs5t2alDjeiGab7SC2 totE0DP0kKjAROwNCVXIRc5tISAZtfqwg6dtgsacLzcKTehlKGvTzWJvAoGBAO0+ gQ/2CUYDQcvdyXTy1selISQqxFQvoYjJ2Z+GOElsLBtGakCT9HV0/9AEjwy+mQQv 1xo///hLbcwx239upg3LNuuPRAEjgviQVIuOS7+GJjalFENkSStw14c0pTP6QMf2 TC44wGvG0HNL0xjIZmJtaauvAadmjU1x8JTBgI2fAoGAKYURYKLWpdsCdQfxbBsZ nBfxuQp1P0OoXx7DGvPgngiEGJlrc4kKEjo+fvvZ0eEN9gWCGs7ic8SQA3XHgwrN uJQ3HnUGdIWUevTqXZR+8SDZONVQ29kkJU2e6MFsjxPjsi5gB4gFrYpaMghqN86d WRMAsndCwV5Z0wX6tDzh4p8CgYAz8nG0Gv1g1Sm9B+0qrFmXEXM2Rh8DCALovrnm Ei+U9BicSEjPpxXp+hphY/4mnj1HC2qgFs9ngKyj/26+cm3tq0d1QMN1NF9jKcc5 X4j6gNcxM+hB8V2MI4Mt2bsqrGsu3aFEpayMbNYLyNiKHqc8ehSfQQytqOjbwk0Z ZV1OpQKBgGtVyv7IC27BM+fcst6kP0RXzRfdvg1dOFl9DpMK12eyjOG2BUzRQY1A TYF70H58arJ167onabe2E5wi0veN3GiMGaTGeDCUcsIST9cFrwuOx0Di9M/wNveb 7N7dGUUJ/XYxbuFeZTy92F6ShF5DWk12/W1adWeR+3rkeKW938pm -----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE----- MIIEMTCCAxmgAwIBAgIRAIpP63oyckkUvKs4UpxQ+xYwDQYJKoZIhvcNAQELBQAw XjELMAkGA1UEBhMCQ04xDjAMBgNVBAoTBU15U1NMMSswKQYDVQQLEyJNeVNTTCBU ZXN0IFJTQSAtIEZvciB0ZXN0IHVzZSBvbmx5MRIwEAYDVQQDEwlNeVNTTC5jb20w HhcNMjIwMTEwMDU1MDE2WhcNMjcwMTA5MDU1MDE2WjBNMQswCQYDVQQGEwJDTjE+ MDwGA1UEAww15Yir5omr5LqGLuWKs+i1hOeahOe9keermeS4jeaYr+S9oOiDveaJ q+W+l+WIsOeahC5jbm0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc kLV/AB/akUJmxEcGjE1SrZYJnOh+Gty0eiTtzYldrBY5Br2S9ggqQSdY4h8d+aIX 7oIYOvjIKC/XuqzqazaLeIhVLm7FqsyntNZBJFF5GrlgfguvSwgejm1aFDlMNSZx UMpXBAhVkXXqY/drmB0pN/071Mgay31MHm15UZ/BcJvIFl+8prp1bhyrScudtzzm Mj5v0NGrbXD9R+vABsyMXkLACtOVbxaeRSQqIVcTIzPaavgDs6KI+6EVxje2LCRl LX9Glslw2mUtxH/9JYQt798q6sBWKdpmxHQ2x8szcAOgBlXYWdioU/RKWaOiktyu vR0LIHLvvmOzNLOSR0XxAgMBAAGjgfowgfcwDgYDVR0PAQH/BAQDAgWgMB0GA1Ud JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBQogSYF0TQaP8Fz D7uTzxUcPwO/fzBjBggrBgEFBQcBAQRXMFUwIQYIKwYBBQUHMAGGFWh0dHA6Ly9v Y3NwLm15c3NsLmNvbTAwBggrBgEFBQcwAoYkaHR0cDovL2NhLm15c3NsLmNvbS9t eXNzbHRlc3Ryc2EuY3J0MEAGA1UdEQQ5MDeCNeWIq+aJq+S6hi7lirPotYTnmoTn vZHnq5nkuI3mmK/kvaDog73miavlvpfliLDnmoQuY25tMA0GCSqGSIb3DQEBCwUA A4IBAQA6SdaUfOx+Ys2tsVAo2zcSaDokV1d9HGyU+k/G2/J8ZvosMlt7pw90uRrK MkGffMlss69Sxx2KAm0JVPaGZ60erx99LP04VYpw2PLCa1nibFoCeGS7D9uvEVa0 LiA1aLnMvYr5YjrX//TdAVuZdkfI8yLCZSeQr0v2M9QfcxCxQ1Bf7JDiEduGIYne pLmPMQ+H9eq+rpAWP+aW2slXN719Tv3MatePPqXK6vGKXMtyzkxCS79pCke/+5y/ JWfEeHaPPw+ASuubQyhl9scyiEPyN8zn/ChLTSVseh+0cTXDGR7j+zz4bKYHs5zz iaxHSWDqoFZh9d4rCPPHNKTgRBRi -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDuzCCAqOgAwIBAgIQSEIWDPfWTDKZcWNyL2O+fjANBgkqhkiG9w0BAQsFADBf MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxLDAqBgNVBAsTI015U1NMIFRl c3QgUm9vdCAtIEZvciB0ZXN0IHVzZSBvbmx5MRIwEAYDVQQDEwlNeVNTTC5jb20w HhcNMTcxMTE2MDUzNTM1WhcNMjcxMTE2MDUzNTM1WjBeMQswCQYDVQQGEwJDTjEO MAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRlc3QgUlNBIC0gRm9yIHRl c3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMBOtZk0uzdG4dcIIdcAdSSYDbua0Bdd6N6s4hZaCOup q7G7lwXkCyViTYAFa3wZ0BMQ4Bl9Q4j82R5IaoqG7WRIklwYnQh4gZ14uRde6Mr8 yzvPRbAXKVoVh4NPqpE6jWMTP38mh94bKc+ITAE5QBRhCTQ0ah2Hq846ZiDAj6sY hMJuhUWegVGd0vh0rvtzvYNx7NGyxzoj6MxkDiYfFiuBhF2R9Tmq2UW9KCZkEBVL Q/YKQuvZZKFqR7WUU8GpCwzUm1FZbKtaCyRRvzLa5otghU2teKS5SKVI+Tpxvasp fu4eXBvveMgyWwDpKlzLCLgvoC9YNpbmdiVxNNkjwNsCAwEAAaN0MHIwDgYDVR0P AQH/BAQDAgGGMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAfBgNV HSMEGDAWgBSa8Z+5JRISiexzGLmXvMX4oAp+UzAdBgNVHQ4EFgQUKIEmBdE0Gj/B cw+7k88VHD8Dv38wDQYJKoZIhvcNAQELBQADggEBAEl01ufit9rUeL5kZ31ox2vq 648azH/r/GR1S+mXci0Mg6RrDdLzUO7VSf0JULJf98oEPr9fpIZuRTyWcxiP4yh0 wVd35OIQBTToLrMOWYWuApU4/YLKvg4A86h577kuYeSsWyf5kk0ngXsL1AFMqjOk Tc7p8PuW68S5/88Pe+Bq3sAaG3U5rousiTIpoN/osq+GyXisgv5jd2M4YBtl/NlD ppZs5LAOjct+Aaofhc5rNysonKjkd44K2cgBkbpOMj0dbVNKyL2/2I0zyY1FU2Mk URUHyMW5Qd5Q9g6Y4sDOIm6It9TF7EjpwMs42R30agcRYzuUsN72ZFBYFJwnBX8= -----END CERTIFICATE-----

然后把这个生成好的证书绑定到新建的站点

图片[5] - 别让 SSL 证书暴露了你的源站 IP[基础教程] - 正则时光

https://你的ip 来查看证书效果了(下图是上面的证书的效果)

图片[6] - 别让 SSL 证书暴露了你的源站 IP[基础教程] - 正则时光
当然,如果你想当一个文明好市民,那你可以用下面这个证书(空证书)
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqeaBTP1WqVuSjS3b/1Io1VyW+y4EGYZUGNovQTLQaGMihFF7
3birFJDCtiut5puIVzICH3A1VZSh19vMaGus2f5Uydg0M1qV8whCmA7mSDlF+ZSo
SlRf1ntWU0oamfLRNAft07Cu1LZMaxW7SMIuutXu/bAImxqtHOygHKz8MMgqQz//
Bv6T+IU1tN4nafeaELKEZnVMMbBNTMIpYy8aKpe8MdBPT9fyyKEvfBb8r+XZSEFc
Cz5x7ZCinNm63iGHvUScAiTk5ugTJAGoOxwvWNLiwqLKJ7o6ClPuOAmvz9f98tHI
ktY09hh6gt6Q2dF+BAPQ51cvuXqALu2X5gxc7QIDAQABAoIBAGnMGfRBRXfMiCPV
zMre9IJ4V6Qt8WublD6tjwOAivqV0OaofwOAfTgfNMCPzohtjacOgvfkvbF/DpEG
U/EqK8bLcy0FruvTmtBt8loR3SBYWdSi13EBvXQn9YeD+7Cl3dQSo+xQd24J3uhH
7gnOsZ6ynVHoDlPXdrkuOD3jEl+lIQQx1kCjHBZCL9QqP511uOfWwZvAhKer+L9T
/ZEg6fxn1kug54YxIbYNSSaZKDuGWiENm67bRPQm+SUstS2tg8Pzfou89IDAajEF
kadX03zZLIVXqeHTX8Gd/gse+EyTHYEPbfVgSQy4IpCYokY7wqFTgqvJCrjc/myz
1hl1lMECgYEA4M3PYbO4sVn2UDWqgaZrYzB1MSzsnxeUv2+SzAn9eAje+mN731BQ
bKMLWSgIZ7rZTH1gEez8p1oGcfrsq5bRZ2AGN3FxXuXhc0+RQQ3YU1DCvw6hxGOa
CbW64BaXfPxwsHlSTuBDZ+TdD/IOjQ2c8VUFGZUWK3SvEBgxhmah63UCgYEAwXo9
WVkvpjbwhBNOXytuqpcGBqqMBf0ilv1Cp5nQpWxLwOS6t6Qj/2Vc1VzwA8VyL9Su
GPKdwRhgcQRzQu2EbxfoLIo0odubrUHt1UlvGaPxN7kljHM1hP8vyMhAKAoFCtRW
V+gBTZToKna/QrKWE4h6Yal5pVjBzplsknyrlJkCgYEAgo2Dnk3tOLHyJerEtr6b
JuOBa6mXUV00eWima/BxT0B3nhogWjQeQLj/YiuplfQhNhapsD9dCyNxEsiSoaPY
wJw3gANVv7LpFzpiNNGBjAEe2C37LD5bur/bY0A7gc5o81PBxSTggHmdGCGO6cO6
HT0u1QiL83i0Ijiqqk74QfECgYBwZIl0+PlULkAkCW8SnBFqqdbHUpWK+RT571+k
KxdosXOEN5s8CO8ccw6tp5KKLk35+Su1tGLuBDIqFTK742x2eMXX8eVHTWKvEEiQ
CVuv4mvDOhvU7ixd+TwSADo8yC1LsDQEVvNC1UjVOiw7G7FQ4YxuZVwUMG5NjRTk
N+YYqQKBgFUeXmYGRpLMCI1HXiQGu+d6IeVKxcDJ8cjZq1NHDPxItsmDdOhkPEY9
bcvsTU7Izg0fvnC+6xF587hRKNR1SC04+HTzIZoxwgzspqiOgtAgOxLiU3HZ2ItQ
gZ7Cn66y//ZPIWKK/E07g3MMyrF72RSNA+MSXxZwnDvIHnzl4gRa
-----END RSA PRIVATE KEY-----
证书(PEM格式)
-----BEGIN CERTIFICATE-----
MIIDyDCCArCgAwIBAgIQZ46RvqIBRD+3viHTPlXJLTANBgkqhkiG9w0BAQsFADBe
MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRl
c3QgUlNBIC0gRm9yIHRlc3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTAe
Fw0yMjAxMTAwNjA0MjBaFw0yNzAxMDkwNjA0MjBaMBkxCzAJBgNVBAYTAkNOMQow
CAYDVQQDEwEgMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqeaBTP1W
qVuSjS3b/1Io1VyW+y4EGYZUGNovQTLQaGMihFF73birFJDCtiut5puIVzICH3A1
VZSh19vMaGus2f5Uydg0M1qV8whCmA7mSDlF+ZSoSlRf1ntWU0oamfLRNAft07Cu
1LZMaxW7SMIuutXu/bAImxqtHOygHKz8MMgqQz//Bv6T+IU1tN4nafeaELKEZnVM
MbBNTMIpYy8aKpe8MdBPT9fyyKEvfBb8r+XZSEFcCz5x7ZCinNm63iGHvUScAiTk
5ugTJAGoOxwvWNLiwqLKJ7o6ClPuOAmvz9f98tHIktY09hh6gt6Q2dF+BAPQ51cv
uXqALu2X5gxc7QIDAQABo4HGMIHDMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUKIEmBdE0Gj/Bcw+7k88V
HD8Dv38wYwYIKwYBBQUHAQEEVzBVMCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5t
eXNzbC5jb20wMAYIKwYBBQUHMAKGJGh0dHA6Ly9jYS5teXNzbC5jb20vbXlzc2x0
ZXN0cnNhLmNydDAMBgNVHREEBTADggEgMA0GCSqGSIb3DQEBCwUAA4IBAQABhU3D
U706jy/N+oRyJvC9xzZmvl1wGkDdhJzElfUS4IKJSft2qH0TJgXhPt41Hn1wkKhs
xGBNoPhLIuVooA7ZYzvJKrB44OOUTG9mTFxYCQqcRONXIOe4kd+ZwnCRd5hIwN6w
HelDY5Ymndg5h20/WuGh/TuFpltIiQCPFvVE2sTQuTGaDrGNcCL6iWBiSHAGVbbM
CiI7LkR+W9lP6PtcFu3F+9Z+TjQBggQ4Oaa1ES0pKlEG2w4/YXoyjmyxnbHXHldk
s3p1j/DWVKxh35kRyK/YD9pRChcNQcnfeODcYUE+HluwvzZMbkGvbNwlEoZdBS0B
wC7Sg8q4fegxTekf
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDuzCCAqOgAwIBAgIQSEIWDPfWTDKZcWNyL2O+fjANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxLDAqBgNVBAsTI015U1NMIFRl
c3QgUm9vdCAtIEZvciB0ZXN0IHVzZSBvbmx5MRIwEAYDVQQDEwlNeVNTTC5jb20w
HhcNMTcxMTE2MDUzNTM1WhcNMjcxMTE2MDUzNTM1WjBeMQswCQYDVQQGEwJDTjEO
MAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRlc3QgUlNBIC0gRm9yIHRl
c3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMBOtZk0uzdG4dcIIdcAdSSYDbua0Bdd6N6s4hZaCOup
q7G7lwXkCyViTYAFa3wZ0BMQ4Bl9Q4j82R5IaoqG7WRIklwYnQh4gZ14uRde6Mr8
yzvPRbAXKVoVh4NPqpE6jWMTP38mh94bKc+ITAE5QBRhCTQ0ah2Hq846ZiDAj6sY
hMJuhUWegVGd0vh0rvtzvYNx7NGyxzoj6MxkDiYfFiuBhF2R9Tmq2UW9KCZkEBVL
Q/YKQuvZZKFqR7WUU8GpCwzUm1FZbKtaCyRRvzLa5otghU2teKS5SKVI+Tpxvasp
fu4eXBvveMgyWwDpKlzLCLgvoC9YNpbmdiVxNNkjwNsCAwEAAaN0MHIwDgYDVR0P
AQH/BAQDAgGGMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAfBgNV
HSMEGDAWgBSa8Z+5JRISiexzGLmXvMX4oAp+UzAdBgNVHQ4EFgQUKIEmBdE0Gj/B
cw+7k88VHD8Dv38wDQYJKoZIhvcNAQELBQADggEBAEl01ufit9rUeL5kZ31ox2vq
648azH/r/GR1S+mXci0Mg6RrDdLzUO7VSf0JULJf98oEPr9fpIZuRTyWcxiP4yh0
wVd35OIQBTToLrMOWYWuApU4/YLKvg4A86h577kuYeSsWyf5kk0ngXsL1AFMqjOk
Tc7p8PuW68S5/88Pe+Bq3sAaG3U5rousiTIpoN/osq+GyXisgv5jd2M4YBtl/NlD
ppZs5LAOjct+Aaofhc5rNysonKjkd44K2cgBkbpOMj0dbVNKyL2/2I0zyY1FU2Mk
URUHyMW5Qd5Q9g6Y4sDOIm6It9TF7EjpwMs42R30agcRYzuUsN72ZFBYFJwnBX8=
-----END CERTIFICATE-----

到这里你那脆弱可怜幼小无助的源站ip就暂时安全了(或许吧

当然,你可以自定义一下IP对应站点的页面,比如

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title>404 Not Found</title>
  </head>
  <body>
    <center>
      <h1>别扫了,劳资的网站也是你能扫得到的?</h1>
    </center>
    <hr>
    <center>https://search.censys.io/</center>
  </body>
</html>

补充

https://search.censys.io/ 在上面还是能搜索到IP。没有办法。IP已经暴露了。只能更换公网IP了。进入服务器后台直接更换就可以了。我的是腾讯轻量的。管理里面更换就可以了。记得把域名解析换到新IP上哦。

图片[8] - 别让 SSL 证书暴露了你的源站 IP[基础教程] - 正则时光
© 版权声明
THE END
喜欢就支持一下吧
点赞11 分享
评论 抢沙发

请登录后发表评论

    请登录后查看评论内容