SSL证书暴露源站ip的解决方法

别问人家不知道你的域名怎么知道的你的ip，问就是人家批量扫的，如果扫到了那就是简单的对应关系了。

同时也是很多站点，明明套上了cdn，依然能被打到源站IP的原因。

看到这个证书就能发现 [220.181.38.148] 对应的是 baidu.cn，那么反过来baidu.cn对应的源站IP之一就是220.181.38.148

这就中招了

解决方法1：

添加一个自签ip证书

首先给你的服务器添加一个站点

添加完成以后把你的ip默认站点绑定为你刚刚新添加的站点

接下来访问 https://myssl.com/create_test_cert.html 来自定义一个ssl证书，这里我把我弄好的放在这，需要的可以自取生成好了的

密钥(KEY)

-----BEGIN RSA PRIVATE KEY-----  MIIEowIBAAKCAQEAqeaBTP1WqVuSjS3b/1Io1VyW+y4EGYZUGNovQTLQaGMihFF7  3birFJDCtiut5puIVzICH3A1VZSh19vMaGus2f5Uydg0M1qV8whCmA7mSDlF+ZSo  SlRf1ntWU0oamfLRNAft07Cu1LZMaxW7SMIuutXu/bAImxqtHOygHKz8MMgqQz//  Bv6T+IU1tN4nafeaELKEZnVMMbBNTMIpYy8aKpe8MdBPT9fyyKEvfBb8r+XZSEFc  Cz5x7ZCinNm63iGHvUScAiTk5ugTJAGoOxwvWNLiwqLKJ7o6ClPuOAmvz9f98tHI  ktY09hh6gt6Q2dF+BAPQ51cvuXqALu2X5gxc7QIDAQABAoIBAGnMGfRBRXfMiCPV  zMre9IJ4V6Qt8WublD6tjwOAivqV0OaofwOAfTgfNMCPzohtjacOgvfkvbF/DpEG  U/EqK8bLcy0FruvTmtBt8loR3SBYWdSi13EBvXQn9YeD+7Cl3dQSo+xQd24J3uhH  7gnOsZ6ynVHoDlPXdrkuOD3jEl+lIQQx1kCjHBZCL9QqP511uOfWwZvAhKer+L9T  /ZEg6fxn1kug54YxIbYNSSaZKDuGWiENm67bRPQm+SUstS2tg8Pzfou89IDAajEF  kadX03zZLIVXqeHTX8Gd/gse+EyTHYEPbfVgSQy4IpCYokY7wqFTgqvJCrjc/myz  1hl1lMECgYEA4M3PYbO4sVn2UDWqgaZrYzB1MSzsnxeUv2+SzAn9eAje+mN731BQ  bKMLWSgIZ7rZTH1gEez8p1oGcfrsq5bRZ2AGN3FxXuXhc0+RQQ3YU1DCvw6hxGOa  CbW64BaXfPxwsHlSTuBDZ+TdD/IOjQ2c8VUFGZUWK3SvEBgxhmah63UCgYEAwXo9  WVkvpjbwhBNOXytuqpcGBqqMBf0ilv1Cp5nQpWxLwOS6t6Qj/2Vc1VzwA8VyL9Su  GPKdwRhgcQRzQu2EbxfoLIo0odubrUHt1UlvGaPxN7kljHM1hP8vyMhAKAoFCtRW  V+gBTZToKna/QrKWE4h6Yal5pVjBzplsknyrlJkCgYEAgo2Dnk3tOLHyJerEtr6b  JuOBa6mXUV00eWima/BxT0B3nhogWjQeQLj/YiuplfQhNhapsD9dCyNxEsiSoaPY  wJw3gANVv7LpFzpiNNGBjAEe2C37LD5bur/bY0A7gc5o81PBxSTggHmdGCGO6cO6  HT0u1QiL83i0Ijiqqk74QfECgYBwZIl0+PlULkAkCW8SnBFqqdbHUpWK+RT571+k  KxdosXOEN5s8CO8ccw6tp5KKLk35+Su1tGLuBDIqFTK742x2eMXX8eVHTWKvEEiQ  CVuv4mvDOhvU7ixd+TwSADo8yC1LsDQEVvNC1UjVOiw7G7FQ4YxuZVwUMG5NjRTk  N+YYqQKBgFUeXmYGRpLMCI1HXiQGu+d6IeVKxcDJ8cjZq1NHDPxItsmDdOhkPEY9  bcvsTU7Izg0fvnC+6xF587hRKNR1SC04+HTzIZoxwgzspqiOgtAgOxLiU3HZ2ItQ  gZ7Cn66y//ZPIWKK/E07g3MMyrF72RSNA+MSXxZwnDvIHnzl4gRa  -----END RSA PRIVATE KEY-----

证书(PEM格式)

-----BEGIN CERTIFICATE-----  MIIDyDCCArCgAwIBAgIQZ46RvqIBRD+3viHTPlXJLTANBgkqhkiG9w0BAQsFADBe  MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRl  c3QgUlNBIC0gRm9yIHRlc3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTAe  Fw0yMjAxMTAwNjA0MjBaFw0yNzAxMDkwNjA0MjBaMBkxCzAJBgNVBAYTAkNOMQow  CAYDVQQDEwEgMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqeaBTP1W  qVuSjS3b/1Io1VyW+y4EGYZUGNovQTLQaGMihFF73birFJDCtiut5puIVzICH3A1  VZSh19vMaGus2f5Uydg0M1qV8whCmA7mSDlF+ZSoSlRf1ntWU0oamfLRNAft07Cu  1LZMaxW7SMIuutXu/bAImxqtHOygHKz8MMgqQz//Bv6T+IU1tN4nafeaELKEZnVM  MbBNTMIpYy8aKpe8MdBPT9fyyKEvfBb8r+XZSEFcCz5x7ZCinNm63iGHvUScAiTk  5ugTJAGoOxwvWNLiwqLKJ7o6ClPuOAmvz9f98tHIktY09hh6gt6Q2dF+BAPQ51cv  uXqALu2X5gxc7QIDAQABo4HGMIHDMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU  BggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUKIEmBdE0Gj/Bcw+7k88V  HD8Dv38wYwYIKwYBBQUHAQEEVzBVMCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5t  eXNzbC5jb20wMAYIKwYBBQUHMAKGJGh0dHA6Ly9jYS5teXNzbC5jb20vbXlzc2x0  ZXN0cnNhLmNydDAMBgNVHREEBTADggEgMA0GCSqGSIb3DQEBCwUAA4IBAQABhU3D  U706jy/N+oRyJvC9xzZmvl1wGkDdhJzElfUS4IKJSft2qH0TJgXhPt41Hn1wkKhs  xGBNoPhLIuVooA7ZYzvJKrB44OOUTG9mTFxYCQqcRONXIOe4kd+ZwnCRd5hIwN6w  HelDY5Ymndg5h20/WuGh/TuFpltIiQCPFvVE2sTQuTGaDrGNcCL6iWBiSHAGVbbM  CiI7LkR+W9lP6PtcFu3F+9Z+TjQBggQ4Oaa1ES0pKlEG2w4/YXoyjmyxnbHXHldk  s3p1j/DWVKxh35kRyK/YD9pRChcNQcnfeODcYUE+HluwvzZMbkGvbNwlEoZdBS0B  wC7Sg8q4fegxTekf  -----END CERTIFICATE-----  -----BEGIN CERTIFICATE-----  MIIDuzCCAqOgAwIBAgIQSEIWDPfWTDKZcWNyL2O+fjANBgkqhkiG9w0BAQsFADBf  MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxLDAqBgNVBAsTI015U1NMIFRl  c3QgUm9vdCAtIEZvciB0ZXN0IHVzZSBvbmx5MRIwEAYDVQQDEwlNeVNTTC5jb20w  HhcNMTcxMTE2MDUzNTM1WhcNMjcxMTE2MDUzNTM1WjBeMQswCQYDVQQGEwJDTjEO  MAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRlc3QgUlNBIC0gRm9yIHRl  c3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTCCASIwDQYJKoZIhvcNAQEB  BQADggEPADCCAQoCggEBAMBOtZk0uzdG4dcIIdcAdSSYDbua0Bdd6N6s4hZaCOup  q7G7lwXkCyViTYAFa3wZ0BMQ4Bl9Q4j82R5IaoqG7WRIklwYnQh4gZ14uRde6Mr8  yzvPRbAXKVoVh4NPqpE6jWMTP38mh94bKc+ITAE5QBRhCTQ0ah2Hq846ZiDAj6sY  hMJuhUWegVGd0vh0rvtzvYNx7NGyxzoj6MxkDiYfFiuBhF2R9Tmq2UW9KCZkEBVL  Q/YKQuvZZKFqR7WUU8GpCwzUm1FZbKtaCyRRvzLa5otghU2teKS5SKVI+Tpxvasp  fu4eXBvveMgyWwDpKlzLCLgvoC9YNpbmdiVxNNkjwNsCAwEAAaN0MHIwDgYDVR0P  AQH/BAQDAgGGMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAfBgNV  HSMEGDAWgBSa8Z+5JRISiexzGLmXvMX4oAp+UzAdBgNVHQ4EFgQUKIEmBdE0Gj/B  cw+7k88VHD8Dv38wDQYJKoZIhvcNAQELBQADggEBAEl01ufit9rUeL5kZ31ox2vq  648azH/r/GR1S+mXci0Mg6RrDdLzUO7VSf0JULJf98oEPr9fpIZuRTyWcxiP4yh0  wVd35OIQBTToLrMOWYWuApU4/YLKvg4A86h577kuYeSsWyf5kk0ngXsL1AFMqjOk  Tc7p8PuW68S5/88Pe+Bq3sAaG3U5rousiTIpoN/osq+GyXisgv5jd2M4YBtl/NlD  ppZs5LAOjct+Aaofhc5rNysonKjkd44K2cgBkbpOMj0dbVNKyL2/2I0zyY1FU2Mk  URUHyMW5Qd5Q9g6Y4sDOIm6It9TF7EjpwMs42R30agcRYzuUsN72ZFBYFJwnBX8=  -----END CERTIFICATE-----

这个证书的效果如下图，是一个空证书

如果宝塔部署时出现错误，那就只能自己去申请和创建网站名对应的证书了。

解决方法2：

禁止直接访问IP

# 禁止IP直接访问网站  server {        listen       80 default_server;        listen       [::]:80 default_server;        server_name  _;        return 444;  }

解决方法3：

使用自签IP的SSL证书,返回444 

自签证书的目的不是为了访问，而是避开Nginx的这个缺陷。生成自签的IP SSL证书可以用开源的Mkcert(https://myssl.com/create_test_cert.html)工具。Mkcert使用起来稍微麻烦，或者用一个测试证书的在线网页工具：https://myssl.com/create_test_cert.html

在填写域名的位置填上IP地址，点生成按钮会自动测试证书展示在下面，各自保存为.pem文件和.key文件。然后在nginx里配置上“return 444”，类似配置大概：

{  listen 80 ;  listen 443 ssl http2 default_server;  server_name ip;      #HTTP_TO_HTTPS_END      ssl_certificate    xxxx.pem;      ssl_certificate_key   xxxx.pem;      ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;    return 444;      }

解决方法4：

仅允许指定cdn的IP访问

Nginx仅允许指定cdn的IP访问,避免放到公网上被任何人扫。以腾讯云CDN段为例，在Nginx网站配置文件里，添加如下：

location / {  allow   58.250.143.0/24;  allow   58.251.121.0/24;  allow   59.36.120.0/24;  allow   61.151.163.0/24;  allow   101.227.163.0/24;  allow   111.161.109.0/24;  allow   116.128.128.0/24;  allow   123.151.76.0/24;  allow   125.39.46.0/24;  allow   140.207.120.0/24;  allow   180.163.22.0/24;  allow   183.3.254.0/24;  allow   223.166.151.0/24;    deny    all;  }

查一下使用的CDN商家的文档，如果有新的IP段更新，也加到里面。如果是小商家没有文档可以使用站长工具查询。