In Tencent Cloud CDN you simply create a new wildcard domain entry and follow the prompts to complete domain verification and so on.
As for SSL: when the site is reached through the CDN over HTTPS, the certificate has to be deployed on the CDN side. Commercial wildcard certificates are absurdly expensive, so here we use a Let's Encrypt certificate requested through the 宝塔 (BT) panel.
As for caching: in principle nothing should be cached at all, but in practice it depends on your needs. The CDN side can only apply cache rules on conditions such as directory or file type; it cannot route back to the origin by subdomain. For example, the CDN cannot tell which subdomain a request for the /static/ path came from.
Because Let's Encrypt certificates are only valid for three months, the certificate inevitably has to be renewed at regular intervals. On the server side, 宝塔's scheduled tasks can renew and deploy it automatically, but Tencent Cloud offers no comparable feature on the CDN side. Its cloud API does, however, reveal that every console operation is backed by an API call.
Consulting the documentation, we find the UpdateDomainConfig interface, which is enough to set the certificate.
UpdateDomainConfig is used to modify the configuration of a CDN acceleration domain.
Note: to update a configuration item of a complex type, all attributes of the whole object must be passed; attributes that are not passed take their default values. It is recommended to fetch the configuration via the query interface, modify it, and pass it to this interface. Because of the special nature of certificates, the Https configuration does not require the certificate and key fields to be passed when updating.
In practice, however, the certificate and key fields can be passed when updating or modifying; in that case the certificate does not exist as a Tencent Cloud hosted certificate but as a self-owned one. (My original idea was to upload the certificate to the hosted certificates through the SSL interface and have the CDN reference it by CertId, but being able to specify the certificate content directly is simpler.)
Tencent Cloud's online API console can generate code in the corresponding language automatically; since I am not familiar with Python, I used the Node version.
```javascript
const client = new CdnClient(clientConfig);
```
The rest is straightforward: read the file contents from the certificate path, then set up a scheduled task that runs the update once a month. Note that the scheduled task's command must use absolute paths, like this:
```
/root/.nvm/versions/node/v14.17.3/bin/node /root/tencentcdn/index.js
```
Once every domain pointing at the server sits behind the CDN, Nginx's logs naturally no longer record the real client IP. For 宝塔 users, it is enough to modify Nginx's main configuration file:
```
http
```
If you have put a reverse proxy in front of 宝塔, it is not advisable to restart or stop Nginx through 宝塔; doing it from a terminal is best.
Scanners are running on the internet at every moment; most are unattended programs that do not even bother to disguise their User-Agent. Below is a list of UAs I collected, which can be added in Tencent Cloud CDN under Access Control > UA blacklist/whitelist configuration.

Rule type | Rule content | Scope | Matching rule | Note
---|---|---|---|---
Blacklist | `spider\|bot\|Spider\|Bot` | | |
Blacklist | `nmap\|NMAP\|HTTrack\|sqlmap` | | |
Blacklist | `Python\|python\|curl\|Curl\|*wget` | | |
Blacklist | `MJ12bot\|a Palo Alto` | All content | * |
Blacklist | `*Go-http-client*` | All content | * | security bots
A UA can be forged, so I analysed the logs and extracted some malicious IPs. Since they are all foreign addresses, I took a harsher line: if the IP belongs to a data-center range, I ban the whole large range outright. This part relies on the 宝塔 plugin System Firewall; below is the exported rule information, which can be copied and imported directly:
As you can see, this blocking is aggressive; it even blocks the entire 20/8 range of over ten million IPs. But since these sit in IDC ranges and are foreign IPs, the impact is small. (I really have to marvel here: because the internet originated in the US, who would have thought a block of nearly ten million addresses would be handed to two companies, which hold addresses in other ranges as well. Then think of how scarce residential public IPs are here. We really have to look forward to IPv6.)
Regarding the Microsoft data centers: if you need GitHub Actions runners to communicate with your host, remove the block on Microsoft's Azure ranges; the detailed IP list is available at this link: About GitHub's IP addresses. On the other hand, the site itself is in Chinese, so resolving overseas traffic to it seems rather pointless; for Hexo, overseas DNS resolution can be pointed at GitHub and let them hammer GitHub's servers instead.
Hexo is a static site. Even though it is hosted on the server, can you imagine a swarm of bots requesting a Hexo site the way they probe WordPress? Seeing the logs left me speechless; my inner voice: what the hell are you scanning?!
```
# A static site scanned every single day, absolutely nuts, what the hell are you scanning
```
Finally, we have finished all the pieces related to the wildcard domain, and certificate deployment is fully automated too~