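Network Security: Preventing the SSL Certificate from Leaking the Origin IP on the BT Panel (宝塔面板)

There is always more to learn in network security. A security policy you put painstaking effort into can be undone by a single scan with a tool, which exposes your origin IP, ports and so on.

Even putting the site behind a CDN does not help: tools can find you through the IP exposed by the SSL certificate.

This article shows how to configure nginx in the BT Panel to block direct access to the site by IP on ports 80 and 443, which prevents the SSL certificate from leaking the IP and blocks malicious domain resolution.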

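Tutorial

1. Create a default site in the BT Panel. The domain name can be anything! Then submit. (Pure static)

[Screenshot: Add site]

2. Change the default site to the domain you just created.

[Screenshot: Default site]

3. Configure an SSL certificate for the IP (set a certificate on the default site).

[Screenshot: SSL certificate]

Here is an SSL certificate valid until 2099: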


4. After saving the above, click the configuration file and edit the configuration.

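Ports 80 and 443 are usually already present; if they are not, add them yourself:
    listen 80 default_server;
    listen 443 ssl http2 default_server;
    server_name www.com;
The configuration above is generally already in the file and does not need changing.
    return 444;
(This line is not there by default; add it by hand.)
(If you do not want to return 444 directly, you can change it to 502, 404 or another error response.)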

That completes the setup. Now go and test whether your origin IP can still be found.
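A check for the final test step, as an added example that is not part of the original article: it connects to your own origin IP with no SNI and with an unrelated SNI, and reports whether the certificate nginx serves still contains any of your real domain names. The function names, the probe hostname `probe.invalid` and the command-line usage are assumptions of this example.

```python
import socket
import ssl
import sys


def fetch_leaf_der(ip, port=443, sni=None, timeout=5.0):
    """Return the DER certificate served at ip:port, or None if no TLS session is set up."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # we inspect the certificate, we do not trust it
    ctx.verify_mode = ssl.CERT_NONE   # a self-signed default certificate must not abort the probe
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            # server_hostname=None sends no SNI, so nginx answers with its default_server
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:                   # refused, timed out, or handshake rejected
        return None


def leaked_names(der, protected):
    """Return the protected domains whose bytes occur anywhere in the certificate.

    CN and SAN dNSName values are stored as plain ASCII inside the DER encoding,
    so a substring search catches exact, subdomain and wildcard entries. It errs
    toward over-reporting (example.com also matches notexample.com).
    """
    if not der:
        return []
    blob = der.lower()
    return [d for d in protected if d.lower().encode("idna") in blob]


def check_origin(ip, protected, port=443):
    """Probe with no SNI and with an unrelated SNI; map each probe to the names it leaks."""
    probes = {"no-sni": None, "unknown-sni": "probe.invalid"}  # hypothetical probe name
    return {label: leaked_names(fetch_leaf_der(ip, port, sni), protected)
            for label, sni in probes.items()}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check_origin.py ORIGIN_IP DOMAIN [DOMAIN ...]")
    result = check_origin(sys.argv[1], sys.argv[2:])
    for label, names in result.items():
        print(f"{label}: {'LEAK ' + ', '.join(names) if names else 'no protected name served'}")
    sys.exit(1 if any(result.values()) else 0)
```

The TLS handshake completes before nginx evaluates `return 444;`, so the certificate on the default site is what this check sees. With `ssl_reject_handshake on;` in the default server (nginx 1.19.4 and later) the handshake itself is refused, and both probes then report no certificate at all.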
