Preface

Baota's brain-dead Nginx setup exposing the origin's certificate is an old chestnut. A client that connects to the server by bare IP, sending no SNI, is answered by Nginx's default site, which in a stock Baota install ends up being one of your real sites with its real certificate. An IP-wide scanner such as Censys records that certificate and the domain inside it, so anyone searching Censys for the domain gets the origin IP; this has made bypassing the CDN to attack the origin convenient for a lot of people. The fix given here only closes the certificate-scanning route to the origin; in practice there are many other aspects to watch (historical DNS records, outbound mail, other services on the same host) to keep the origin IP from leaking.

1. Create a default site in Baota

Website - Add site. Enter any domain as long as it is not one of your own; this post uses censys.thanks. This site becomes the catch-all that Nginx serves to clients that connect by bare IP or with a hostname matching no other site, which is exactly what a scanner sees.


Configure an SSL certificate for it: any self-signed certificate will do, as long as its CN and SAN do not name your real domain and it is not issued by a public CA (a CA-issued certificate lands in Certificate Transparency logs together with the domain). Generate your own pair rather than copying the one below; a private key that has been published on a web page is public. The pair this post used:


Private key

```
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
```

Certificate

```
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIUEHx5PeAf9w7AIn+mIjLucVoxniUwDQYJKoZIhvcNAQEF
BQAwNzETMBEGA1UEAwwKbm1zbGNlbnN5czETMBEGA1UECgwKbm1zbGNlbnN5czEL
MAkGA1UEBhMCSlAwHhcNMjIwODA3MTgxMDAwWhcNMjkwMjEwMTE1NTAwWjBxMQsw
CQYDVQQGEwJKUDENMAsGA1UECAwEbm1zbDENMAsGA1UEBwwEbm1zbDEWMBQGA1UE
CgwNZnVja2NlbnN5c2luYzENMAsGA1UECwwEbm1zbDEdMBsGA1UEAwwUZnVja2Nl
bnN5c21vdGhlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4
oho8XIhH0w+a94YO9Z+Q4giPpq/P1bOFYEFUJGiF1dy8PG+U8l2/8aibK6hwewAh
oHNmP+Qex0Djx8CwPQ0KxGaZ9RlEYb9j6YJx1bd9wyEBhVPpoqxOgoT/VfjsCVcp
m/kOTy+aSGKBf+5Jdq26Jk4a4ZYSh/jFwOOkFaPMJXSZeQWPg2RD+lvq5rjctAzk
P38hPgI+GtT6l2Y3YSaxGzBF8DB1d1Ds3SipNYh4i9CXoqcaYLCa2CacH05Iwaj0
2VE2C6AHHYDMdCZzzyMhVFYrPO1ub0js90QnoHvJEAkrMAFdlg/HESQnpW/73DkS
g4JVRAPXltCcynOrBNo7AgMBAAGjHTAbMAsGA1UdEQQEMAKCADAMBgNVHRMBAf8E
AjAAMA0GCSqGSIb3DQEBBQUAA4IBAQAjiHcT6TqWDV35871fviJuzmnHGtS2vvuy
v/REkXd/WGFeQlnYH9UWnanteiaJ44EnCaYI+U2uVHGWTB3NN9Xpf13LhxUUshT+
TBJEb/kOhA6KMYh8Itp+t8O1ZfwQ9ScAofo0FmSKJ0rLnl3fHDqUTY0tXbmSNfid
xJAiEQFWHP+uUoHnA4o57y6ak25yIgfSsqu3QugRWF+MHPOVIkQQr8R3vZPvHLFD
VU/jdNdMAfbmnwPoM4LOFYaI4bzjQsVpqG4fduwiDamW6nolm8S8mXqxUVj+qn11
4njriPvwRvjisk1Jm+7P00MdW1Uvx1FnM3VDtQNr/Mf+86nj3+87
-----END CERTIFICATE-----
```

Under the site's URL rewrite rules (伪静态), paste the following so the decoy site answers every request with a bare 404:


```nginx
location / {
    return 404;   # every request that lands on the decoy site gets an empty 404
}
```
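To confirm that the decoy is what an IP-wide scanner actually sees, compare the certificate the origin serves with no SNI against the one it serves for your real hostname. The script below is an added example, not code from the original post; ORIGIN_IP and REAL_DOMAIN are placeholders you substitute, and it assumes the real site and the Baota default site share one IP on port 443.

```python
"""Check which certificate an origin IP serves with and without SNI.

Added example, not from the original post. ORIGIN_IP and REAL_DOMAIN are
placeholders (assumptions): the real site and the Baota default site are
assumed to share one IP on port 443.
"""
import socket
import ssl
import sys
from typing import Optional

ORIGIN_IP = "203.0.113.10"      # placeholder, replace with your origin
REAL_DOMAIN = "example.com"     # placeholder, replace with your real site


def fetch_cert_der(ip: str, port: int = 443,
                   server_name: Optional[str] = None,
                   timeout: float = 5.0) -> bytes:
    """Return the DER-encoded leaf certificate offered in one handshake.

    server_name=None sends no SNI extension, which is what an IP-wide
    scanner does, so nginx answers from its default server. A hostname
    sends SNI and makes nginx pick that site's certificate instead.
    Verification is disabled on purpose: we want the bytes, not trust.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def mentions_domain(der: bytes, domain: str) -> bool:
    """True if the certificate names the domain (also matches *.domain).

    Subject CN and SAN dNSName values are stored as plain ASCII inside
    DER, so a byte search finds them without an ASN.1 parser. Matching
    is case-insensitive because hostnames are.
    """
    return domain.lower().encode("ascii") in der.lower()


def decoy_verdict(no_sni_der: bytes, sni_der: bytes, real_domain: str) -> str:
    """Classify one origin.

    'leak'    the default server hands out the real certificate
    'ok'      no-SNI clients get a decoy, SNI clients get the real one
    'unknown' even the SNI handshake did not return the real certificate
              (wrong IP, wrong hostname, or a CDN in the path)
    """
    if mentions_domain(no_sni_der, real_domain):
        return "leak"
    if not mentions_domain(sni_der, real_domain):
        return "unknown"
    return "ok"


def check_origin(ip: str, real_domain: str) -> str:
    """Perform both handshakes against a live host and classify them."""
    try:
        no_sni = fetch_cert_der(ip)
    except ssl.SSLError:
        # nginx 1.19.4+ with "ssl_reject_handshake on" in the default server
        # refuses the no-SNI handshake instead of serving any certificate,
        # so there is nothing for a scanner to record.
        return "ok"
    with_sni = fetch_cert_der(ip, server_name=real_domain)
    return decoy_verdict(no_sni, with_sni, real_domain)


if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else ORIGIN_IP
    domain = sys.argv[2] if len(sys.argv) > 2 else REAL_DOMAIN
    print(f"{ip}: {check_origin(ip, domain)}")
```

Run it as python3 check_decoy.py ORIGIN_IP real.domain from a machine outside the CDN. A verdict of "leak" means the default site is still your real one; "unknown" usually means the hostname resolves through the CDN and the handshake never reached the origin. If your Nginx is 1.19.4 or newer, ssl_reject_handshake on in the default server is an alternative to the decoy certificate: the no-SNI handshake is refused outright and the scanner records no certificate at all.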

2. Block Censys's IP ranges in Baota (blocking the scanner also causes Censys to drop your existing records, generally within a week)

First visit Censys's official page to get the current IP ranges; this matters, since many tutorials list stale ones.
Baota - Security - IP rules - Add IP rule
Censys scanner ranges at the time of writing:

```
162.142.125.0/24
167.94.138.0/24
167.94.145.0/24
167.94.146.0/24
167.248.133.0/24
199.45.154.0/24
199.45.155.0/24
2602:80d:1000:b0cc:e::/80
2620:96:e000:b0cc:e::/80
```

Set the policy to Block and save. Since Baota's IP rules are enforced by the system firewall, blocked scans never reach Nginx and leave nothing in the access log.

3. Block Censys's User-Agent with the Baota Nginx firewall

Baota - App Store - search for Nginx - install the free Nginx firewall (Nginx免费防火墙)
Settings - Global config - User-Agent filter
Rule content (the lookahead ^(?=.*censys) simply means "User-Agent contains censys"; it is cheap, but a scanner that changes its User-Agent walks straight past it, so treat it as a supplement to the IP block rather than a replacement):

```
^(?=.*censys)
```
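Once steps 2 and 3 are in place, the access log is where you confirm they work: Censys requests should either stop appearing (dropped by the IP rule before Nginx sees them) or show a 403 from the firewall, and a 404 means the request fell through to the decoy site. The script below is an added example, not code from the original post; it uses the ranges and the regex quoted above, and its log lines are constructed in nginx's default "combined" format rather than taken from real traffic.

```python
"""Audit an nginx access log for Censys traffic, by source range and User-Agent.

Added example, not from the original post. The CIDR list is the one the
post quotes from Censys' own page (re-fetch it before relying on it), and
the User-Agent rule is the regex the post puts into the Nginx firewall.
SAMPLE_LOG is constructed for this example in nginx's default "combined"
log format; it is not real traffic.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

CENSYS_RANGES = [ipaddress.ip_network(c) for c in (
    "162.142.125.0/24", "167.94.138.0/24", "167.94.145.0/24",
    "167.94.146.0/24", "167.248.133.0/24", "199.45.154.0/24",
    "199.45.155.0/24", "2602:80d:1000:b0cc:e::/80",
    "2620:96:e000:b0cc:e::/80",
)]

# The post's rule, ^(?=.*censys), is a lookahead that simply means
# "contains censys". IGNORECASE is added here as a precaution: the
# firewall's case handling is not documented on the page.
UA_RULE = re.compile(r"^(?=.*censys)", re.IGNORECASE)

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic). The UA in the first two is
# written in the style of Censys' crawler; the third is a normal browser;
# the fourth is a made-up probe that only the UA rule can catch.
SAMPLE_LOG = [
    '162.142.125.33 - - [07/Aug/2022:18:10:00 +0000] "GET / HTTP/1.1" 200 612 '
    '"-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"',
    '2602:80d:1000:b0cc:e::5 - - [07/Aug/2022:18:10:02 +0000] "GET / HTTP/1.1" 403 146 '
    '"-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"',
    '203.0.113.9 - - [07/Aug/2022:18:11:00 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"',
    '198.51.100.7 - - [07/Aug/2022:18:12:00 +0000] "GET / HTTP/1.1" 404 153 '
    '"-" "censys-like-probe/0.1"',
]


def is_censys_range(ip: str) -> bool:
    """True if the address falls in one of the published scanner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CENSYS_RANGES)


def classify(line: str) -> Optional[Dict]:
    """Parse one log line; None for lines that are not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if is_censys_range(m["ip"]):
        reasons.append("censys-range")
    if UA_RULE.search(m["ua"]):
        reasons.append("censys-ua")
    return {"ip": m["ip"], "status": int(m["status"]), "reasons": reasons}


def audit(lines: Iterable[str]) -> List[Dict]:
    """Every request attributed to Censys by range or UA, in log order."""
    return [r for r in map(classify, lines) if r and r["reasons"]]


def still_served(lines: Iterable[str]) -> List[Dict]:
    """Censys hits that got a 2xx/3xx answer, i.e. the blocks are not working.

    A 403 comes from the Nginx firewall UA rule and a 404 from the decoy
    default site; a request dropped by the Baota IP rule never reaches
    the log at all.
    """
    return [r for r in audit(lines) if r["status"] < 400]


if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ",".join(hit["reasons"]))
```

Feed it your real log with audit(open("/www/wwwlogs/yoursite.log")) (path is an assumption; use whatever Baota shows under the site's log settings). Anything still_served() returns is a scanner request that got real content, which means either the IP rule is not active or the range list has moved on since the post was written.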