Shulou(Shulou.com)06/02 Report--

This article mainly explains in detail the use of Nginx to prevent IP addresses from being maliciously parsed, the content is clear, interested friends can learn, I believe it will be helpful after reading.

The purpose of using Nginx

To use Ali Cloud ECS CVM, first talk about the background of the author's use of Nginx.

After initializing the ECS, a public network IP is generated. The default access IP address automatically accesses port 80. In this case, the service started on port 80 can be accessed directly through the ip address.

If the domain name is resolved to the current ip, the port 80 service can be accessed directly through the domain name.

Then there is a problem: anyone can resolve a domain name to an ip address, that is, services on their own ECS can be accessed through other domain names. As for the purpose, this kind of attack is too aboveboard, and it should be to raise a domain name and sell it (guess, big enough to communicate).

There are many ways to avoid this attack, and the most convenient and quick way to configure Nginx is to refer to the answers on the Internet.

The general idea is as follows: the web service starts on non-port 80 (which cannot be accessed directly through the IP address), and Nginx configures a layer of forward proxy to forward the domain name to the domain name + port.

Result: after resolution, you can access it directly using your own domain name, which is essentially forwarded to the ip address + port. Other domain names are not configured for port forwarding, so they will be blocked.

There are many scenarios that use Nginx, such as reverse proxy, load balancing, and so on, and preventing malicious parsing is just one of them.

Maybe more technical experience related to Nginx may be expanded in the future, but the code is just a tool, and the technology will not be valuable until the real problem is solved, otherwise it is like empty talk and meaningless.

I saw an article about two developers discussing technology choices. One of them chose the unpopular Lua, while the other wondered why he didn't choose the hot technology, better performance, and better development experience. However, her answer is: it will solve our problems.

I fell into deep thought. I also followed the wave of micro-service architecture in 2019. I learned a lot of new technologies and nouns. However, it is difficult to have the opportunity to apply it to the actual project development, high concurrency, micro-service is a kind of technology, or a kind of ostentatious capital, to solve the practical problem in the project or the employment problem. Learn innocence, but before learning, I will think, I will use it, or be bound by it.

Just so many beeps, here are the common commands of Nginx in Linux environment and the configuration file I copied (nginx.conf).

List of commonly used commands

Yum install nginx// installation nginx (centos) / / Boot systemctl enable nginxsystemctl disable nginx// View nginx status systemctl status nginx// start, stop, restart systemctl start nginxsystemctl stop nginxsystemctl restart nginx// reload configuration systemctl reload nginx// configuration file default location / etc/nginx main configuration file nginx.conf

Prevent malicious parsing of configuration

Server {listen 80 default_server; server_name _; access_log off; return 444;} # For more information on configuration, see:# * Official English Documentation: http://nginx.org/en/docs/# * Official Russian Documentation: http://nginx.org/ru/docs/user nginx;worker_processes auto;error_log / var/log/nginx/error.log;pid / run/nginx.pid;# Load dynamic modules. See / usr/share/doc/nginx/README.dynamic.include / usr/share/nginx/modules/*.conf;events {worker_connections 1024;} http {log_format main'$remote_addr-$remote_user [$time_local] "$request"'$status $body_bytes_sent "$http_referer"'"$http_user_agent"$http_x_forwarded_for"; access_log / var/log/nginx/access.log main; sendfile on Tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include / etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the / etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. Include / etc/nginx/conf.d/*.conf; server {listen 80 default_server; server_name _; access_log off; return 444;} server {listen 80; server_name www.zkrun.top; location / {proxy_pass http://www.zkrun.top:8080;} error_page 404 / 404.html Location = / 40x.html {} error_page 500 502 503 504 / 50x.htl; location = / 50x.html {}} # Settings for a TLS enabled server.## server {# listen 443 ssl http2 default_server;# listen [:]: 443 ssl http2 default_server;# server_name _; # root / usr/share/nginx/html;## ssl_certificate "/ etc/pki/nginx/server.crt" # ssl_certificate_key "/ etc/pki/nginx/private/server.key"; # ssl_session_cache shared:SSL:1m;# ssl_session_timeout 10m / 404.html # ssl_ciphers Higg / error_page / 404.html / ssl_prefer_server_ciphers on;## # Load configuration files for the default server block.# include / 404.html # location = / 40x.html {#} # error_page 500502503504 / 50x.htmlscape # location = / 50x.html {#} #} after reading the above content, do you have a further understanding of the detailed explanation of how to use Nginx to prevent malicious resolution of IP addresses? if you want to learn more, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.