2026.1.21-23
Background
For securing my blog and the services on other ports, I initially thought a reverse proxy would be enough. Recently, though, I read on other blogs that this has a serious problem: the server's IP address can still be exposed. I also remembered earlier comments saying that a reverse proxy alone is far from sufficient. So I have now started to study security measures for the blog, its web pages, and the other services systematically.
Workflow and Formatting
This is my first technical post, though it is already the nth time I have tinkered with technical problems. To make future reference easier for myself and others, I have set some rules for the workflow and for article formatting. The workflow is as follows. Once an idea has been decided on and is to be implemented, I begin writing. First I think through and explain the background and define the scope of the research. As the research deepens I integrate reference materials, caching and archiving them with tools such as Zotero; each dated version gets a complete archive, and the links are posted in the article so that I can find them again and others can request the materials. The research process is much like writing a paper, gathering sources and asking AI, except that the sources come not from library databases but from search engines, Bilibili, Zhihu, other blogs, and professional websites. Organization and layout follow this article: H2 headings are dated versions, and H3 headings are the sections (Background, References, Technical Summary, Details), in line with the site's overall content formatting rules.
References
- Preventing SSL certificates from leaking the origin server IP | 白鱼小栈
- A record of a personal site being hit by a DDoS attack | LiuShen’s Blog
- [nginx] Configuring nginx so the certificate does not expose the domain on IP access | 慕雪的寒舍
- Configuring NGINX so the certificate does not expose the domain on IP access – ZingLix Blog
- Beginner tutorial: setting a front-end path for a 1Panel nginx reverse proxy (1) | CSDN Blog
- Fixing CSS, JS and similar assets failing to load after setting up an Nginx reverse proxy | Tencent Cloud Developer Community
- Kimi
- Three essential Nginx configurations for beginners: web server / reverse proxy / load balancing | bilibili
- [GeekHour] 30-minute Nginx introductory tutorial | bilibili
Technical Summary
After more than ten hours of tinkering and research, I have worked out the security measures for the no-CDN case. The full set of measures involving a CDN will be studied once the domain review is complete.
- Server level: enable two-factor authentication. Configure the firewall to open only the ports the server actually needs, the fewer the better, since website and other service ports are picked up by scanners such as search.censys.io. Save an image or snapshot after any significant change.
- 1Panel: set a random password and store it securely. Change the default port. Set a secure entry path and configure a Let’s Encrypt certificate so the panel is reached over SSL. Set the unauthenticated response to 444 so the connection is closed and the service stays hidden.
- 1Panel website settings: configure every reverse-proxied site for HTTPS with automatic HTTP-to-HTTPS redirection. Limit concurrent connections and traffic to reduce the damage of an attack. Enable hotlink protection where appropriate; leave the other settings at the recommended defaults. To stop an IP scan from tying the SSL certificate, and with it the domain, to the IP, go to OpenResty settings / Others and enable “Reject Default SSL Handshake”, and add a default server to the reverse proxy configuration so that access by IP is refused at the handshake (see Details). For non-website services, try adding a front-end access path to reduce domain exposure (abandoned for WordPress because too much broke after adding a path). Check whether a service can be given a subdomain; for services that cannot, see Details for a path-based reverse proxy configuration.
- WordPress: use the WPS Hide Login plugin to change the admin entry point, Limit Login Attempts Reloaded to block malicious login attempts, Easy WP SMTP for SMTP email notifications, Disable XML-RPC to turn off that insecure feature, and WPvivid Backup to schedule backups, downloading them to local storage regularly.
- Remedies for operational mistakes and attacks: set up the panel’s overload email alert so you know when you are under attack, and set up DDNS so that requesting an IP change after an attack is easy. Manage server images, snapshots, and separate backups of websites and other Docker services properly. Apply software patches as you go.
Details
Reverse proxy configuration to reject the TLS handshake on direct IP access. Change the port to the corresponding service’s port.
server {
    # Replace your_port with the port of the corresponding service.
    # ssl_reject_handshake only applies to TLS listeners, so the listen directive
    # needs the ssl parameter (nginx 1.19.4 or later); no ssl_certificate is
    # required on this server because every handshake reaching it is refused.
    listen your_port ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
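To verify that the default server above really hides the domain, here is an added check (my example, not code from the original post or from 1Panel). It assumes the origin’s IP, port and real domain are supplied by the operator and that the domain’s certificate is publicly trusted, as with Let’s Encrypt; a handshake with no SNI or with an unknown SNI should be refused, while the real domain must still complete.

```python
import socket
import ssl

BOGUS_NAME = "does-not-exist.invalid"  # an SNI that no server_name will match

def probe(ip, port, server_name, timeout=5.0):
    """One TLS handshake against ip:port with the given SNI (None = no SNI).
    check_hostname is off because we deliberately send non-matching names; chain
    verification stays on so getpeercert() is populated, and a chain error still
    proves a certificate was returned."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"certificate": True, "names": names, "detail": tls.version()}
    except ssl.SSLCertVerificationError as e:
        return {"certificate": True, "names": [], "detail": f"unverifiable chain: {e.reason}"}
    except ssl.SSLError as e:  # a refused handshake arrives as a fatal alert, e.g. TLSV1_UNRECOGNIZED_NAME
        return {"certificate": False, "names": [], "detail": e.reason or str(e)}
    except OSError as e:
        return {"certificate": False, "names": [], "detail": f"connection failed: {e}"}

def assess(results, domain):
    """Findings for the three probes in results; an empty list means nothing leaked."""
    findings = []
    for label in ("no-sni", "bogus-sni"):
        if results[label]["certificate"]:
            findings.append(f"{label}: certificate returned, names={results[label]['names']}")
    real = results["domain"]
    if not real["certificate"]:
        findings.append(f"domain: handshake failed ({real['detail']}); the real host must still work")
    elif real["names"] and domain not in real["names"]:
        findings.append(f"domain: certificate does not cover {domain}: {real['names']}")
    return findings

def check_origin(ip, port, domain):
    """Probe without SNI, with an unknown SNI, and with the real domain, then assess."""
    results = {"no-sni": probe(ip, port, None),
               "bogus-sni": probe(ip, port, BOGUS_NAME),
               "domain": probe(ip, port, domain)}
    return assess(results, domain)

if __name__ == "__main__":
    import sys  # usage: python check_origin.py 203.0.113.10 443 blog.example.com (constructed values)
    findings = check_origin(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print("\n".join(findings) or "OK: bare-IP and unknown-SNI handshakes were rejected")
```

A finding for no-sni or bogus-sni means a scanner that connects to the bare IP still receives the certificate and can read the domain from it.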
Reverse proxy configuration for a front-end access path, for services that can be given a subdomain. The configuration was AI-generated and may have flaws or be over-configured; the access path and port placeholders (your_path, your_port) must be replaced.
location ^~ /your_path/ {
    # Replace your_path with the service's access path and your_port with its port.
    # Pass the real client IP and protocol to the backend
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    # Handle Range requests (for downloads)
    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    # Do not rewrite Location headers from the backend
    proxy_redirect off;
    # Key: proxy to the container's /your_path/ (mind the trailing slash)
    proxy_pass http://127.0.0.1:your_port/your_path/;
    # Upload file size limit
    client_max_body_size 20000m;
    # WebSocket support (if needed)
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
Reverse proxy configuration for a front-end access path, for services that cannot be given a subdomain. The configuration was AI-generated and may have flaws or be over-configured; the access path and port placeholders (your_path, your_port) must be replaced everywhere they appear.
location ^~ /your_path/ {
    # Replace your_path with the service's access path and your_port with its port.
    # The service does not support a sub-path, so strip the prefix before proxying
    # (the placeholder must not be wrapped in parentheses here: in a regex they
    # would form a capture group and shift $1)
    rewrite ^/your_path/(.*)$ /$1 break;
    proxy_pass http://127.0.0.1:your_port/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Key: put the prefix back on paths in responses
    proxy_redirect / /your_path/;
    # sub_filter cannot edit compressed bodies, so ask the backend for plain text;
    # by default only text/html responses are filtered (see sub_filter_types)
    proxy_set_header Accept-Encoding "";
    sub_filter 'href="/' 'href="/your_path/';
    sub_filter 'src="/' 'src="/your_path/';
    sub_filter 'action="/' 'action="/your_path/';
    sub_filter_once off;
}