一、开启 ssl_reject_handshake 指令
新增一个server块
# Catch-all plain-HTTP server: any request on port 80 whose Host header matches
# no other server block lands here and the connection is closed without a
# response (444 is nginx's non-standard "close connection" status).
server
{
listen 80 default_server;
listen [::]:80 default_server;
# "_" is a placeholder that never matches a real hostname; this block exists
# only to be the default.
server_name _;
return 444;
}
# Newly added port-443 block: a TLS ClientHello whose SNI matches no other
# server block is refused during the handshake itself, so a wrong hostname
# never reaches a default certificate. Because the handshake is rejected, this
# block needs no ssl_certificate of its own.
# NOTE(review): ssl_reject_handshake is a comparatively recent directive —
# confirm the installed nginx accepts it (nginx -t) before reloading.
server {
listen 443 ssl default_server;
# Add this line only if the host has an IPv6 address; otherwise omit it.
listen [::]:443 ssl default_server;
ssl_reject_handshake on;
# Effectively unreachable while ssl_reject_handshake is on; harmless to keep
# as a fallback should the directive ever be switched off.
return 444;
}
二、IP白名单
- 检查是否安装了iptables
# Report whether the iptables service is installed and running (typically a
# non-zero exit when the service is absent).
service iptables status
- 如果没有安装iptables防火墙工具,请先安装
- 安装iptables
# Install the iptables userspace tools non-interactively (-y answers the
# confirmation prompt).
yum -y install iptables
- 升级iptables
# Bring the iptables package up to date (no-op when it is already current).
yum update iptables
- 安装iptables-services
# Install iptables-services, which provides the iptables/ip6tables service units
# and the "service iptables save" persistence used further down.
yum -y install iptables-services
- 查看默认防火墙状态
# Show whether firewalld is running; it is stopped and masked below so that it
# does not manage the same rule tables as the hand-written iptables rules.
firewall-cmd --state
- 停止firewall
# Stop firewalld now (the ".service" suffix is implied by systemctl).
systemctl stop firewalld
- 禁止firewall开机启动
# Prevent firewalld from starting at boot.
systemctl disable firewalld
- 禁用firewalld服务
# Mask the unit so nothing (another unit, a package script) can start it
# indirectly.
systemctl mask firewalld.service
- 查看iptables现有规则
# List the current filter-table rules without resolving addresses/ports to
# names (faster, and avoids DNS lookups from a firewall host).
iptables --list --numeric
- 先将INPUT链默认策略设为ACCEPT(避免清空规则后把自己锁在外面)
# Set the INPUT chain's default policy to ACCEPT before flushing, so that
# removing every rule cannot lock the session out.
iptables --policy INPUT ACCEPT
- 清空filter表所有链中的现有规则
# Flush every rule in every chain of the filter table (any existing rules,
# including ones for other services, are removed here).
iptables --flush
- 删除所有用户自定义链
# Delete all user-defined (non-builtin) chains; they must already be empty,
# which the flush above guarantees.
iptables --delete-chain
- 所有计数器归0
# Reset the packet and byte counters of all chains to zero.
iptables --zero
- 禁止来自IPv4的所有HTTP/S访问请求
# Drop all IPv4 HTTP/S inbound traffic by default. The Cloudflare ACCEPT rules
# inserted in the next step also use --insert, so they land above these and
# are evaluated first.
iptables --insert INPUT --protocol tcp --dport 80 --jump DROP
iptables --insert INPUT --protocol tcp --dport 443 --jump DROP
- 对Cloudflare CDN IPv4地址开放HTTP/S入站访问
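# Allow inbound HTTP/S (tcp/80, tcp/443) only from Cloudflare's published IPv4
# ranges. The list is fetched once (the page's first command had "curl" mangled
# into a link); each line of the response is one CIDR.
#   -f  : an HTTP error status fails the download instead of handing an error
#         page to the loop, where it would be fed to iptables line by line
#   -sS : no progress output, but real errors are still printed on stderr
# If the download fails nothing is added, so the DROP rules inserted above stay
# the only rules on 80/443 (fail closed) and the message below explains why.
# The published ranges change over time; re-run this step to keep the
# allowlist current.
if cf_ipv4=$(curl -fsS https://www.cloudflare.com/ips-v4); then
  while IFS= read -r cidr; do
    # Skip blank lines and anything that is not a plain IPv4 address/CIDR
    # before it reaches iptables.
    [[ "$cidr" =~ ^[0-9.]+(/[0-9]+)?$ ]] || continue
    # -I puts each ACCEPT at the top of INPUT, ahead of the DROP rules.
    iptables -I INPUT -s "$cidr" -p tcp --dport 80 -j ACCEPT
    iptables -I INPUT -s "$cidr" -p tcp --dport 443 -j ACCEPT
  done <<<"$cf_ipv4"
else
  printf 'failed to fetch the Cloudflare IPv4 list; no ACCEPT rules were added\n' >&2
fi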
- 禁止来自IPv6的所有HTTP/S访问请求
# Drop all IPv6 HTTP/S inbound traffic by default; the IPv6 ACCEPT rules added
# next are inserted above these and take precedence.
ip6tables --insert INPUT --protocol tcp --dport 80 --jump DROP
ip6tables --insert INPUT --protocol tcp --dport 443 --jump DROP
- 对Cloudflare CDN IPv6地址开放HTTP/S入站访问
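# Allow inbound HTTP/S (tcp/80, tcp/443) only from Cloudflare's published IPv6
# ranges. Fetched once; each line of the response is one CIDR.
#   -f  : an HTTP error status fails the download instead of handing an error
#         page to the loop, where it would be fed to ip6tables line by line
#   -sS : no progress output, but real errors are still printed on stderr
# If the download fails nothing is added, so the DROP rules inserted above stay
# the only rules on 80/443 (fail closed) and the message below explains why.
# The published ranges change over time; re-run this step to keep the
# allowlist current.
if cf_ipv6=$(curl -fsS https://www.cloudflare.com/ips-v6); then
  while IFS= read -r cidr; do
    # Skip blank lines and anything that is not a plain IPv6 address/CIDR
    # before it reaches ip6tables.
    [[ "$cidr" =~ ^[0-9A-Fa-f:]+(/[0-9]+)?$ ]] || continue
    # -I puts each ACCEPT at the top of INPUT, ahead of the DROP rules.
    ip6tables -I INPUT -s "$cidr" -p tcp --dport 80 -j ACCEPT
    ip6tables -I INPUT -s "$cidr" -p tcp --dport 443 -j ACCEPT
  done <<<"$cf_ipv6"
else
  printf 'failed to fetch the Cloudflare IPv6 list; no ACCEPT rules were added\n' >&2
fi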
- 输出当前规则(iptables-save 不加重定向时只打印到标准输出,用于检查,并不会持久化)
# Dump the live IPv4 and IPv6 rulesets to stdout in iptables-restore format.
# Without a redirect this only displays them for inspection; persistence is
# done by "service iptables save" in the following step.
iptables-save
ip6tables-save
- 保存规则(路径:/etc/sysconfig/iptables和ip6tables)
# Persist the live rulesets to /etc/sysconfig/iptables and
# /etc/sysconfig/ip6tables (provided by iptables-services) so they are
# restored at boot.
service iptables save
service ip6tables save
- 开启iptables服务
# Enable both services so the saved rulesets are loaded at boot.
systemctl enable iptables
systemctl enable ip6tables
- 自动载入规则
# Legacy SysV way of enabling the services at boot; on systemd hosts chkconfig
# forwards this to "systemctl enable", so it repeats the previous step and is
# harmless.
chkconfig iptables on
chkconfig ip6tables on
- 开启服务
# Start both services now (loads the saved rulesets).
systemctl start iptables
systemctl start ip6tables
- 查看状态
# Show the state of both services to confirm they are active.
systemctl status iptables
systemctl status ip6tables
- 重启iptables
# Restart both services, which reloads the rulesets saved on disk.
systemctl restart iptables
systemctl restart ip6tables