Many webmasters now know to put a CDN in front of their site, and it has become more and more necessary: DDoS/CC attacks are rampant, and a CDN not only speeds up the site but also does a good job of hiding the server's real IP. Used well, the CDN's WAF greatly improves a site's defensive capability, and with the free CloudFlare tier, turning your site into an unkillable cockroach is not a dream (see [Verified again: resisting DDoS/CC attacks without high-defense hosting is not a dream!]).

For the CDN to fully play its security role, you must restrict origin requests to the CDN's node IPs, so that every request reaches the server through the CDN. Restricting origin requests to the node IPs is currently the best approach. Mingyue (明月) shared two scripts that implement this in [Sharing two server scripts to strengthen CloudFlare real-IP protection so the real IP is not leaked], but using them under the BaoTa (宝塔) panel is still not very friendly or convenient.

Today Mingyue shares how to restrict origin requests to CDN node IPs under the BaoTa panel. Because BaoTa's default firewall is Firewalld, the simplest and most effective way to let only CDN node IPs reach a site is to add the CDN node IP ranges one by one to BaoTa's [Port Rules], under whichever port needs to be restricted, as shown in the figure below:

In the figure above we chose port 443. By default BaoTa opens 443 to all IPs, so the 443 rule must be changed from "all IPs" to "specified IP". Remember: add the CDN node IP address ranges. As shown, a CloudFlare IPv4 node range has been added to 443, which means that IPs in 103.21.24.0/22 may send origin requests to port 443.

CloudFlare's node IPs can be viewed here: www.cloudflare-cn.com/ips/ . The rest is just adding CloudFlare's IPv4 node ranges one by one, and the same applies to port 80. Some will say this is tedious, inefficient and unscientific, so we can instead use BaoTa's [Export Rules] and [Import Rules] to add them in batch. The steps are very simple: first, [Export Rules] downloads a file named port.json, whose content looks like this (for reference only):
```json
{"id": 8, "protocol": "tcp", "ports": "888", "types": "accept", "address": "", "brief": "", "addtime": "2023-05-30 21:06:40"}
{"id": 7, "protocol": "tcp", "ports": "39000-40000", "types": "accept", "address": "", "brief": "", "addtime": "2023-05-30 21:06:40"}
{"id": 6, "protocol": "tcp", "ports": "33368", "types": "accept", "address": "", "brief": "", "addtime": "2023-05-30 21:06:40"}
{"id": 5, "protocol": "tcp", "ports": "443", "types": "accept", "address": "", "brief": "", "addtime": "2023-05-30 21:06:40"}
{"id": 4, "protocol": "tcp", "ports": "80", "types": "accept", "address": "", "brief": "", "addtime": "2023-05-30 21:06:40"}
{"id": 3, "protocol": "tcp", "ports": "22", "types": "accept", "address": "", "brief": "", "addtime": "2023-05-30 21:06:40"}
{"id": 2, "protocol": "tcp", "ports": "21", "types": "accept", "address": "", "brief": "", "addtime": "2023-05-30 21:06:40"}
{"id": 1, "protocol": "tcp", "ports": "20", "types": "accept", "address": "", "brief": "", "addtime": "2023-05-30 21:06:40"}
```
Using this exported file as a template, we can build a CloudFlare.json containing the node IP ranges and import it. Its content is as follows (an empty "address" means "all IPs", so every entry here carries one CIDR range):

```json
{"id": 24, "protocol": "tcp", "ports": "443", "types": "accept", "address": "198.41.128.0/17", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 23, "protocol": "tcp", "ports": "443", "types": "accept", "address": "197.234.240.0/22", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 22, "protocol": "tcp", "ports": "443", "types": "accept", "address": "190.93.240.0/20", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 21, "protocol": "tcp", "ports": "443", "types": "accept", "address": "188.114.96.0/20", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 20, "protocol": "tcp", "ports": "443", "types": "accept", "address": "173.245.48.0/20", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 19, "protocol": "tcp", "ports": "443", "types": "accept", "address": "172.64.0.0/13", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 18, "protocol": "tcp", "ports": "443", "types": "accept", "address": "162.158.0.0/15", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 17, "protocol": "tcp", "ports": "443", "types": "accept", "address": "141.101.64.0/18", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 16, "protocol": "tcp", "ports": "443", "types": "accept", "address": "131.0.72.0/22", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 15, "protocol": "tcp", "ports": "443", "types": "accept", "address": "108.162.192.0/18", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 14, "protocol": "tcp", "ports": "443", "types": "accept", "address": "104.16.0.0/13", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 13, "protocol": "tcp", "ports": "443", "types": "accept", "address": "103.31.4.0/22", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 12, "protocol": "tcp", "ports": "443", "types": "accept", "address": "36.170.50.26", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 11, "protocol": "tcp", "ports": "443", "types": "accept", "address": "103.22.200.0/22", "brief": "", "addtime": "2023-05-30 16:40:26"}
{"id": 10, "protocol": "tcp", "ports": "443", "types": "accept", "address": "103.21.24.0/22", "brief": "", "addtime": "2023-05-30 16:40:26"}
```
This method is the most effective, but you must follow the default exported rules very carefully and craft yours according to your actual situation. It is recommended to edit and check the file locally in a plain-text editor such as EditPlus before using [Import Rules] in the BaoTa panel. The only drawback is that the rules must be added separately for every port that should accept only CDN node requests; BaoTa has no more convenient way to do this. Also note that once a port is restricted, requests from every other IP are rejected, so check the IP ranges carefully. If port 80 is restricted as well, take your own IP into account too, so you do not lock yourself out. To find your own IP range, look it up on ipip.net, and remember that it is an IP address range, not a single IP!
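The hand-edited CloudFlare.json above is easy to get wrong (a missing quote, a duplicate id, a range mistyped, or your own IP forgotten). The following added Python script, which is not from the article or from the BaoTa project, generates the one-object-per-line rules in the exported port.json shape for any list of ports and then checks which client addresses would still be accepted, so you can confirm a CloudFlare edge IP passes and an arbitrary direct-to-origin address (and, if you add it, your own management range) behaves as intended. The admin range 203.0.113.0/24 and the test addresses are constructed; the start id and field names are assumed from the exported file.

```python
import ipaddress
import json
from datetime import datetime

# CloudFlare IPv4 edge ranges as listed in the article's CloudFlare.json.
# Re-check them against cloudflare.com/ips before importing; they do change.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.24.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "172.64.0.0/13", "131.0.72.0/22",
]


def build_rules(ports, extra_ranges=(), start_id=9, addtime=None):
    """One 'accept' rule per (port, CIDR), in the shape of the exported port.json.

    extra_ranges: your own management range(s), so restricting 80/443 does not
    lock you out. Every CIDR is validated (strict=True rejects host bits set)."""
    addtime = addtime or datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    rules, rule_id = [], start_id
    for port in ports:
        for cidr in list(CLOUDFLARE_IPV4) + list(extra_ranges):
            ipaddress.ip_network(cidr, strict=True)
            rules.append({"id": rule_id, "protocol": "tcp", "ports": str(port),
                          "types": "accept", "address": cidr, "brief": "",
                          "addtime": addtime})
            rule_id += 1
    return rules


def is_allowed(rules, ip, port):
    """Would a client at `ip` reach `port` once the port is 'specified IP' only?"""
    addr = ipaddress.ip_address(ip)
    return any(
        r["types"] == "accept" and r["ports"] == str(port) and r["address"]
        and addr in ipaddress.ip_network(r["address"], strict=False)
        for r in rules
    )


def to_jsonl(rules):
    """Serialize as one JSON object per line, like the exported port.json."""
    return "\n".join(json.dumps(r, ensure_ascii=False) for r in rules)


if __name__ == "__main__":
    rules = build_rules([443, 80], extra_ranges=["203.0.113.0/24"])  # constructed admin range
    print(to_jsonl(rules))
    print(is_allowed(rules, "103.21.24.5", 443))   # CloudFlare edge: accepted
    print(is_allowed(rules, "198.51.100.7", 443))  # direct-to-origin client: rejected
```

Run it with the real ports you restrict and your own range from ipip.net, and only import the output after `is_allowed` says your own address still reaches the panel and site ports you need.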
Source: 德斯软件资讯