1 Background
In previous articles I gave a fairly formulaic recommendation for building a website, roughly as follows:
If you want to publish to the public Internet, you need to choose the most suitable publishing method according to your actual environment and the reverse proxy you use. You can refer to my previous articles:
1. Docker series: use Docker to build your own reverse proxy based on NPM
2. Linux panel series: configure a reverse proxy and use a non-443 port for publishing
3. Home data center series: use domestic cloud hosting to get free cloudflare to achieve fast access to domestic sites from abroad
4. Home data center series: use cloudflare to build a website quickly with no public IP on your home broadband (general purpose)
The first and second methods are suitable for environments with a public IP but no legal 443 port (home broadband, unregistered cloud host). You need to add a non-standard port after the URL (if you use cloudflare to build the website, you don't need to add a port, but you need to customize the origin port; see: Home data center series uses cloudflare's Origin Rules to solve the problem of having a public IP but no legal ports 80 and 443 when building a website). The third method is suitable for cloud hosts with a registration (ICP filing), and the fourth method is suitable for all environments (including environments without a public IP). The fourth is also the method I recommend regardless of whether your environment has a public IP, because it does not require running https traffic directly on the public network.
From a purely technical perspective there is nothing wrong with the above description, so why do I need a separate article on the precautions for building a website on a home broadband public IP? The reason is that I ran into something strange yesterday. But before I get to the main business, I have to mention my earlier heroic deeds, for which I was served a notice by China Telecom. The content of the letter was as follows:
The reason I received this letter was probably that I was seeding PT torrents, which generated tens of TB of upload traffic every month; one person's traffic was probably equal to an entire residential block. So I was strongly suspected of illegally operating a CDN, and the person who came to my door to deliver the letter deliberately walked through every room of the house, probably looking for servers. Don't worry though, I have since reformed and capped my upload speed; after all, I have "graduated" from all the major sites. With this prior record as a foundation, I have some self-awareness about my "class status": I am someone with a dark history, which in the old days would have been like having been put in the "cowshed", a bad class background.
Yesterday afternoon I suddenly received a call from a telecom operator. They asked me directly whether I had published a website and told me to close it immediately, otherwise the IP address would be blocked. Damn, I have published so many websites; after all, it is called a home data center. But why did they call me all of a sudden? According to my previous understanding, the public IP address of home broadband does not have ports 80 and 443, so it should not be a problem to publish services on other ports. Moreover, my entire website is https, so they can't see my actual content. Why should I shut the website down?
But I do have a dark history after all, so I was very polite and asked the telecom operator which website it was, thinking that if it was an unimportant site I would just cooperate and shut it down. Then the operator asked me to add him on WeChat and sent me a screenshot of his chat history:
When I looked, the domain name, the URL, the residential address and the contact details had nothing to do with me at all, and I was stunned. I told the operations person directly that they had the wrong person, and after checking, they agreed that they had indeed got the wrong person. That should have been the end of it, but thinking it over afterwards, something didn't sit right: why call me at all? I had to find the specific reason. Was it because I am a key suspect, and for anything that happens they come to me first??
So I called the operations person again and asked why they had got the wrong person; I needed an explanation. They sent me the earlier chat history again, and it turned out that the domain name in the mistakenly sent message was my unregistered domain. Presumably, when copying and pasting from a long list of monitored access records for unregistered domains, they copied the wrong entry and pasted mine in. So the cause was found.
From the chat record above, two characteristics stand out: first, the domain name is not registered, and second, the access was plain-text HTTP. In the past the telecommunications company turned a blind eye to this kind of access traffic. Now it is probably because network supervision policy is getting stricter and stricter; after all, the overall environment is not good, and they are afraid that someone will do something bad.
2 Consequences
Based on the facts above and the increasingly strict Internet regulatory policy to come, I have made the following adjustments to my recommendations for building websites on home broadband with a public IP address:
1. It is recommended to register (ICP filing) domain names mainly used in China
In my previous articles I only said that if you want to use a domestic CDN, the domain name must be registered; that is mandatory. However, if you use a public IP as the origin in conjunction with cloudflare to build a website, registration was not a must. The premise of that statement was that China Telecom turns a blind eye to inbound http and https access traffic. It now seems that China Telecom has begun to take action on inbound http traffic for unregistered domain names, and it is probably only a matter of time before it takes action on inbound https traffic as well. After all, if they can't see what you are doing, then you are most likely doing something bad. Therefore, in the future, domain names that are mainly used in China should be registered honestly, so you hold a good citizen certificate for self-defense.
2. https becomes a must
When a registered domain name is used as the origin domain name with a domestic CDN, there are both http and https options, but looking at the current situation https has become a must, and registered domain name + https will be the security guarantee for some time to come. Otherwise, even if the domain name is registered, if you run plain-text http it will be easy for others to find fault with you. If it is https encrypted traffic, others may not bother to make the effort.
3. When using cloudflare to build a website, only tunnel is recommended
Although, when home broadband has a public IP, cloudflare can use that public IP directly as the origin address (see: Home data center series uses cloudflare's Origin Rules to solve the problem of having a public IP but no legal ports 80 and 443 when building a website), in the future I will give priority to the tunnel method regardless of whether the home broadband has a public IP or not. After all, with this method the traffic will not show up as inbound https traffic on the public IP, and safety comes first.
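As an added example (not the author's own configuration) of what the tunnel method looks like in practice, here is a minimal cloudflared `config.yml`. The tunnel UUID, the hostname `blog.example.com` and the local origin port 8080 are placeholders I have assumed; the layout of the file (the `tunnel`, `credentials-file` and `ingress` keys, and the mandatory catch-all rule) is cloudflared's standard format.

```yaml
# Added example, not the author's config: cloudflared config.yml for publishing
# a home-hosted site through a Cloudflare Tunnel instead of opening a port on
# the home public IP. TUNNEL-UUID, blog.example.com and port 8080 are assumed
# placeholders; replace them with your own values.
tunnel: TUNNEL-UUID
credentials-file: /etc/cloudflared/TUNNEL-UUID.json

ingress:
  # Only this hostname is forwarded. The origin listens on loopback, so
  # nothing on the home public IP accepts inbound http or https connections;
  # cloudflared itself only makes outbound connections to Cloudflare's edge.
  - hostname: blog.example.com
    service: http://127.0.0.1:8080
  # Catch-all rule (cloudflared refuses to start without one): any other
  # hostname arriving through the tunnel gets a 404 rather than an origin.
  - service: http_status:404
```

With this file in place the usual sequence is `cloudflared tunnel create <name>`, `cloudflared tunnel route dns <name> blog.example.com` to create the proxied DNS record, and `cloudflared tunnel run <name>`. TLS terminates at Cloudflare's edge, so the visitor's https never touches the home IP; switching on "Always Use HTTPS" for the zone in the Cloudflare dashboard also redirects any plain http request at the edge, which covers point 2 above without the origin ever speaking http on the public network.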
4. If you don't want to register (ICP filing), you can only use cloudflare, and optimize access speed
For a personal blog, if you use WordPress, cloudflare's Worker optimization scheme still holds up (see the access speed of this blog, https://blog.tangwudi.com), and together with the cost-effective traffic scrubbing and security protection that the Free plan already provides, it is still a very good choice for those who don't want to register. I will write a cloudflare tutorial series later; that series has been on the schedule for a long time, but the thought of how much I would have to write makes me lazy. I'll put it off one day at a time...