Don’t let the SSL certificate expose your web server IP

Time:2021-9-22

We usually put a CDN in front of a website or back-end service to hide the server IP, speed up access, and defend against attacks. However, nginx has a small design defect: through its SSL certificate it can disclose the origin IP address of the website.

Principle
Deploy the website with nginx. Under the default or an incorrect configuration, when the website has SSL enabled and someone connects directly to port 443 of the IP (IP:443), nginx returns the SSL certificate of the default site, which indirectly lets others find out by scanning which domain name corresponds to the IP.

The principle is to send a Client Hello to port 443 of the IP. The Server Hello returned by the other side carries the SSL certificate, and the Common Name in that certificate contains the domain name. In this way, you learn which domain name resolves to this IP. More precisely, then, port 443 of the IP may expose the domain name.

On a larger scale, the IP ranges of a data center are scanned in batches and the results are collected into a multi-value mapping table of domain names to IPs. Afterwards, finding the source IP behind a domain name only takes a lookup in this table. This is what underground operators like to do.

This is also why the source IP of many sites can still be attacked even though they are clearly behind a CDN.

Solutions
Prohibit direct access to IP

Prohibit direct access to the website by IP

server {

  listen       80 default_server;
  listen       [::]:80 default_server;
  server_name  _;
  return 444;

}
Self-signed SSL certificate for the IP, return 444
The purpose of the self-signed certificate is not to serve visitors but to work around the nginx defect. A self-signed SSL certificate for the IP can be generated with the open-source tool mkcert (https://myssl.com/create_test…). mkcert is a little cumbersome to use; alternatively, use an online web tool to generate a test certificate: https://myssl.com/create_test…
Fill in the IP address in the field where the domain name would go and click the generate button; the test certificate is displayed below automatically. Save it as a .pem file and a .key file respectively. Then configure “return 444” in nginx. A similar configuration is as follows:

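server {
  listen 80;
  listen 443 ssl http2 default_server;
  server_name ip;    # the server's IP address

  #HTTP_TO_HTTPS_END

  # Self-signed test certificate generated for the IP
  ssl_certificate       xxxx.pem;
  ssl_certificate_key   xxxx.key;
  ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

  # Close the connection without sending a response
  return 444;
}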
Purchase a legitimate SSL certificate for the IP
Spend a little money to buy a legitimate IP SSL certificate and configure it in nginx. IP certificates generally cost about one or two hundred.

Add money and the world is within reach.

Allow access only from the specified CDN IPs
Configure nginx to allow access only from the IPs of the specified CDN, so that the server cannot be scanned by anyone on the public network. Taking the CDN segments of Tencent Cloud as an example, add the following to the nginx configuration file of the website:

location / {
allow 58.250.143.0/24;
allow 58.251.121.0/24;
allow 59.36.120.0/24;
allow 61.151.163.0/24;
allow 101.227.163.0/24;
allow 111.161.109.0/24;
allow 116.128.128.0/24;
allow 123.151.76.0/24;
allow 125.39.46.0/24;
allow 140.207.120.0/24;
allow 180.163.22.0/24;
allow 183.3.254.0/24;
allow 223.166.151.0/24;
deny all;
}
Check the documentation of the CDN provider you use. If new IP segments are published, add them as well.
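One way to keep the allow list above in step with the CDN provider's published ranges, as an added example that is not part of the original article: the script validates a one-CIDR-per-line list, renders the same allow/deny block, and predicts whether a source address would be admitted. The function names and the sample list (three ranges from the article plus deliberately bad entries) are constructed for illustration.

```python
import ipaddress

# Constructed sample of a CDN range list: a few of the ranges from the
# article plus deliberately bad entries (duplicate, host bits set, junk).
SAMPLE_RANGES = """
# Tencent Cloud CDN segments (subset copied from the article)
58.250.143.0/24
58.251.121.0/24
59.36.120.0/24
59.36.120.0/24
58.250.143.7/24
not-a-network
"""


def parse_ranges(text):
    """Return (networks, rejected) from one-CIDR-per-line text."""
    networks, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            # strict=True refuses entries with host bits set, so a typo such
            # as 58.250.143.7/24 is reported instead of silently normalised.
            networks.add(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return sorted(networks, key=lambda n: (n.version, n)), rejected


def render_location(networks):
    """Render the article's allow/deny block for the given networks."""
    lines = ["location / {"]
    lines += [f"    allow {net};" for net in networks]
    lines += ["    deny all;", "}"]
    return "\n".join(lines)


def is_allowed(source_ip, networks):
    """Mirror the block's outcome: admitted if any allow matches, else denied."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    nets, bad = parse_ranges(SAMPLE_RANGES)
    print(render_location(nets))
    print("rejected entries:", bad)
    for ip in ("58.250.143.10", "203.0.113.5"):
        print(ip, "->", "allow" if is_allowed(ip, nets) else "deny")
```

These allow/deny rules are evaluated on HTTP requests, after the TLS handshake has already presented a certificate, so they complement the default-server certificate fix above rather than replace it.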