Home Data Center Series: Considerations for Building a Website on Home Broadband with a Public IP

Background

In fact, in my previous articles I gave a fairly formulaic suggestion for building a website, which is as follows:


If you want to publish to the public Internet, you need to choose the most suitable publishing method according to your actual environment and the reverse proxy you use. You can refer to my previous articles:
1. Docker series uses Docker to build its own reverse proxy based on NPM
2. Linux panel series configure reverse proxy and use non-443 port for publishing
3. Home data center series uses domestic cloud hosting to get free cloudflare to achieve fast access to domestic sites from abroad
4. Home Data Center Series: Use cloudflare to build a website quickly with no public IP in your home broadband (general purpose)

The first and second methods are suitable for environments with a public IP but no legal 443 port (home broadband, unregistered cloud host). You need to add a non-standard port after the URL (if you use cloudflare to build the website, you don't need to add a port, but you need to customize the source station port; you can refer to: Home data center series uses cloudflare's Origin Rules to solve the problem of having a public IP but no legal ports 80 and 443 when building a website). The third method is suitable for registered cloud hosts, and the fourth method is suitable for all environments (including environments without a public IP). The fourth is also the method I recommend, regardless of whether your environment has a public IP or not, because it does not require running https traffic directly on the public network.


From a purely technical perspective, there is nothing wrong with the above description, so why do I need to write a separate article about the precautions for building a website on home broadband with a public IP address? The reason is that I encountered a strange thing yesterday. But before I get to that, I have to mention one of my previous heroic deeds, when I received a notice from China Telecom. The content of the letter is as follows:

[Hidden content on the original page: available to VIP members only]

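The reason I received this letter is probably that my PT (private tracker) seeding was generating tens of terabytes of upload traffic every month; I estimate that my traffic alone matched that of an entire residential community. As a result, I was seriously suspected of illegally operating a CDN. The person who came to deliver the letter even deliberately pushed into the house and walked through every room, probably looking for servers. But don't worry, I have since turned over a new leaf and limited my upload speed; after all, I have already "graduated" from all the major sites. With this record behind me, I have some self-awareness about my own "class background". After all, I am someone with a dark history, which in the old days would be like having been sent to the "cowshed": a bad class background.

Yesterday afternoon, I suddenly received a call from a telecom operator. They asked me directly whether I had published a website and asked me to close it immediately, otherwise the IP address would be blocked. Damn, I have published so many websites; after all, it is called a home data center. But why did they call me so suddenly? According to my previous understanding, the public IP address of home broadband does not have ports 80 and 443, and it should not be a problem to publish services using other ports. Moreover, my entire website is https, so the actual content can't be seen. Why should I shut down the website?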

But I have a dark history after all, so I was very nice and asked the telecom operator which website it was, thinking that if it was an unimportant site, I would just cooperate and shut it down. Then the operator asked me to add him on WeChat and sent me a screenshot of his chat history:

[Hidden content on the original page: available to VIP members only]

When I saw that the domain name, website, community address, and contact information had nothing to do with me, I was confused and told the operations and maintenance staff that they had found the wrong person. They checked and agreed that they had found the wrong person. The matter would have ended there, but when I thought about it, it didn't make sense. Why did they call me? I had to find out the specific reason. Was it because I was the key suspect that they had to look for me first? So I called the operations and maintenance staff again and asked why they had found the wrong person; they had to give me an explanation. Then they sent me the earlier chat records. It turned out that the domain name in the mistaken record was my unregistered domain name. It was probably a copy-and-paste from a list of monitored access records for unregistered domain names covering many people, and my entry got pasted in. So the reason was found.

From the chat record above, there are two characteristics: one is that the domain name is not registered, and the other is that the access was over plaintext HTTP. In fact, the telecommunications company used to turn a blind eye to this kind of access traffic. Now it is probably because the network supervision policy is getting stricter and stricter. After all, the overall environment is not good, and they are afraid that someone will do something bad.

Conclusion

Based on the above facts and the increasingly strict Internet regulatory policies in the future, I have made the following adjustments to my suggestions for using home broadband with public IP addresses to build websites:

1. It is recommended to register domain names mainly used in China

In my previous articles, I only said that if you want to use a domestic CDN, the domain name must be registered; this is mandatory. However, if you use a public IP as the source site together with cloudflare to build a website, registration is not a must. The premise of that statement is that China Telecom turns a blind eye to inbound http and https access traffic. However, it now seems that China Telecom has begun to take action on inbound http traffic for unregistered domain names, and it is probably only a matter of time before it takes action on inbound https traffic too. After all, if they can't see what you are doing, then you are most likely doing something bad. Therefore, in the future, domain names that are mainly used in China should be registered honestly, to get a good citizen certificate for self-defense.

2. https becomes a must

When a registered domain name is used with a domestic CDN as the source domain name, there are both http and https options, but looking at the current situation, https has become a must, and a registered domain name plus https will be a security guarantee for some time to come. Otherwise, even if the domain name is registered, running plaintext http makes it easy for others to find fault with you. If the traffic is https encrypted, others may not bother to make the effort.

3. When using cloudflare to build a website, only tunnel is recommended

Although, when the home broadband has a public IP, cloudflare can use the public IP directly as the source address (see: Home data center series uses cloudflare's Origin Rules to solve the problem of having a public IP but no legal ports 80 and 443 when building a website), in the future, regardless of whether the home broadband has a public IP or not, I will give priority to the tunnel method. After all, the traffic of this method will not show up as https inbound traffic, and safety comes first.
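A check that follows from this recommendation, as an added example that is not part of the original article: a tunnel connects outbound from the home network, so the origin web service no longer needs an inbound listener and can bind to loopback only. The Python sketch below parses `ss -H -tln` output and lists TCP listeners still bound to a non-loopback address; the sample output, function names, and the `allowed_ports` parameter are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not from the original article).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::1]:3000 [::]:*
LISTEN 0 4096 192.168.1.10:80 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""


def parse_local(field):
    """Split the Local-Address:Port column into (ip_address, port)."""
    host, _, port = field.rpartition(":")
    # Drop a %interface scope first, then the IPv6 brackets.
    host = host.split("%")[0].strip("[]")
    if host == "*":  # ss prints * for a wildcard bind
        host = "::"
    return ipaddress.ip_address(host), int(port)


def exposed_listeners(ss_output, allowed_ports=frozenset()):
    """Return sorted (ip, port) pairs for listeners not bound to loopback.

    allowed_ports holds ports that are intentionally reachable from other
    hosts (for example SSH on the LAN) and should not be reported.
    """
    found = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or unrelated line
        ip, port = parse_local(cols[3])
        if ip.is_loopback or port in allowed_ports:
            continue
        found.add((str(ip), port))
    return sorted(found)


if __name__ == "__main__":
    for ip, port in exposed_listeners(SAMPLE_SS, allowed_ports={22}):
        print(f"non-loopback listener: {ip}:{port}")
```

A listener reported here is only bound to a non-loopback address; whether it is reachable from the Internet still depends on the router's port forwarding and firewall rules.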

4. If you don't want to register, you can only use cloudflare and optimize access speed

For personal blogs, Cloudflare's Worker optimization solution is still a good choice. You can refer to the access speed of this blog (domain ending with .com). The free plan can provide cost-effective traffic cleaning and security protection functions. For friends who don't want to register, it is still a good choice. I will write a series of Cloudflare tutorials later. This series has been scheduled for a long time, but I get lazy when I think about how much there is to write, so I keep putting it off a day at a time...

The content of the blog is original. Please indicate the source when reprinting! For more blog articles, you can go to the Sitemap. The RSS address of the blog is: https://blog.tangwudi.com/feed, welcome to subscribe; if necessary, you can join the Telegram Group to discuss problems together.