How to use Nginx to prevent IP addresses from being maliciously resolved

Purpose of using Nginx

The setup is an Alibaba Cloud ECS instance; first, some background on why Nginx is used here.

After an ECS instance is initialized, it is assigned a public IP address. Browsing to that IP address goes to port 80 by default, so any service listening on port 80 is reachable directly through the IP address.

If you point a domain name at that IP address, the service on port 80 is also reachable through the domain name.

The problem is that anyone can point a domain name at your IP address, which means the services on your ECS instance can be reached through domain names you do not own. As for the motive, this kind of attack is quite blatant; most likely they are building up domain names (giving them history) in order to sell them later (a guess; readers with better theories are welcome to share).

There are many ways to prevent this. Of the answers found online, configuring Nginx is the most convenient and fastest.

The general idea: run the web service on a port other than 80 (so a bare IP address, which implies port 80, no longer reaches it), and configure Nginx to proxy requests for your domain name to the domain name + port.

Result: once DNS is set up, you access the service through your own domain name, and Nginx forwards that traffic to the IP address + port. Other domain names have no forwarding configured, so they are refused.

Nginx has many uses, such as reverse proxying and load balancing; preventing malicious resolution is just one of them.

Perhaps in the future we will expand on more Nginx-related experience, but code is just a tool. Technology only creates value when it solves real problems; otherwise it is just talk on paper and meaningless.

I once read an article about two developers discussing technology selection. One of them chose the unpopular Lua, and the other was puzzled why she had not chosen a popular technology with better performance and a better development experience. Her answer was: as long as it solves our problem.

That gave me pause. I also followed the wave of microservice architecture that emerged in 2019, learned a lot of new technologies and terms, and felt very fulfilled, yet it is hard to apply them in actual project development. High concurrency and microservices are either a technology or capital for showing off: they solve practical problems in a project, or they solve employment problems. There is nothing wrong with learning, but before learning something I now ask whether I will use it or be bound by it.

That's all for now. Below are some common Nginx commands on Linux, followed by the configuration file I copied (nginx.conf).

List of common commands

//Install nginx (CentOS)
yum install nginx

//Enable or disable starting automatically at boot
systemctl enable nginx
systemctl disable nginx

//Check the nginx status
systemctl status nginx

//Start, stop, restart
systemctl start nginx
systemctl stop nginx
systemctl restart nginx

//Reload the configuration
systemctl reload nginx

//Default location of the configuration files: /etc/nginx; main configuration file: nginx.conf

Prevent malicious resolution: configuration

The key is a catch-all default server that refuses any request whose Host header does not match a configured domain name (including a bare IP address). Returning 444 makes Nginx close the connection without sending a response.

    server {
      listen 80 default_server;
      server_name _;
      access_log off;
      return 444;
    }

Full configuration file (nginx.conf):

# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
  worker_connections 1024;
}

http {
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
           '$status $body_bytes_sent "$http_referer" '
           '"$http_user_agent" "$http_x_forwarded_for"';

  access_log /var/log/nginx/access.log main;

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # Load modular configuration files from the /etc/nginx/conf.d directory.
  # See http://nginx.org/en/docs/ngx_core_module.html#include
  # for more information.
  include /etc/nginx/conf.d/*.conf;
  # Catch-all: any request whose Host header matches no server_name below
  # (including a bare IP address) is refused. 444 closes the connection
  # without sending a response.
  server {
    listen 80 default_server;
    server_name _;
    access_log off;
    return 444;
  }

  # The real site: only this domain name is proxied to the service on 8080.
  # The upstream hostname is resolved when nginx starts.
  server {
    listen 80;
    server_name www.zkrun.top;
    location / {
        proxy_pass http://www.zkrun.top:8080;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
  }

# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}
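As an added check (example code written for this article, not part of the original page or of Nginx itself), the following Python script walks an nginx.conf laid out like the file above and reports whether a catch-all default_server returning 444 is present; the secure and weak configs are constructed inline, and the parser is deliberately simplified (it only splits on braces and semicolons).

```python
import re

# Constructed sample shaped like the article's nginx.conf (catch-all + real vhost).
SECURE_CONF = """http {
  server { listen 80 default_server; server_name _; access_log off; return 444; }
  server { listen 80; server_name www.zkrun.top;
           location / { proxy_pass http://www.zkrun.top:8080; } }
}"""
# Same vhost without the catch-all: nginx then serves any Host header from it.
WEAK_CONF = """http {
  server { listen 80; server_name www.zkrun.top;
           location / { proxy_pass http://www.zkrun.top:8080; } }
}"""

def server_blocks(conf):
    """Yield one dict per server{} block (listen args, server_name args, server-level
    return code). Simplified parser: drops # comments and splits on { } ; only."""
    tokens = re.findall(r"[^{};]+|[{};]", re.sub(r"#[^\n]*", "", conf))
    stack, pending, cur = [], "", None
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            pending += tok                  # accumulate text until a delimiter
            continue
        parts, pending = pending.split(), ""
        if tok == "{":                      # block opens; its header is the text before
            stack.append(" ".join(parts))
            if stack[-1] == "server":
                cur = {"listen": [], "server_name": [], "return": None}
        elif tok == "}":                    # block closes
            if stack.pop() == "server":
                yield cur
                cur = None
        elif cur is not None and parts:     # ';' ends a directive inside a server block
            if parts[0] in ("listen", "server_name"):
                cur[parts[0]].extend(parts[1:])
            elif parts[0] == "return" and stack[-1] == "server" and len(parts) > 1:
                cur["return"] = parts[1]    # e.g. '444'

def audit(conf):
    """Return (catch_all_ok, named_hosts, findings) for an nginx config text."""
    named, catch_all_ok = [], False
    for s in server_blocks(conf):
        named += [n for n in s["server_name"] if n != "_"]
        if "default_server" in s["listen"] and s["return"] == "444":
            catch_all_ok = True
    findings = [] if catch_all_ok else [
        "no default_server returning 444: requests with an unknown or bare-IP "
        "Host header are answered by the first server block instead"]
    return catch_all_ok, named, findings
```

The audit only covers the Nginx side on port 80; the service on 8080 itself is still reachable as IP:8080 unless it is bound to 127.0.0.1 or blocked by the ECS security group.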

Summary

This concludes the article on how to use Nginx to prevent IP addresses from being maliciously resolved. For more on the topic, see the related articles on 123WORDPRESS.COM.
