1. Background
In previous articles I gave a fairly formulaic recommendation for building a website, which goes as follows:
If you want to publish to the public Internet, you need to choose the most suitable publishing method according to the actual environment and the reverse proxy you use. You can refer to my previous articles:
1. Docker series: use Docker to build your own reverse proxy based on NPM
2. Linux panel series: configure a reverse proxy and publish on a non-443 port
3. Home data center series: use domestic cloud hosting to get free Cloudflare access so domestic sites load quickly from abroad
4. Home data center series: use Cloudflare to build a website quickly with no public IP on your home broadband (general purpose)
The first and second methods are suitable for environments with a public IP but no usable port 443 (home broadband, unregistered cloud host); you need to append a non-standard port to the URL (if you use Cloudflare to build the website you don't need to add a port, but you do need to customize the origin port; see: Home data center series uses cloudflare's Origin Rules to solve the problem of having a public IP but no legal ports 80 and 443 when building a website). The third method is suitable for cloud hosts with a registration record, and the fourth method is suitable for all environments (including environments without a public IP). The fourth is also the method I recommend, regardless of whether your environment has a public IP, because it does not require running https traffic directly on the public network.
From a purely technical perspective there is nothing wrong with the above description, so why write a separate article about the precautions for building a website on home broadband with a public IP address? The reason is that I ran into something strange yesterday. But before I get to the point, I have to mention my previous "heroic deeds": I was once notified by China Telecom. The content of the letter was as follows:
The reason I received this letter is probably because my PT (Private Tracker) account generated tens of terabytes of upload traffic each month, roughly equivalent to the traffic of an entire neighborhood. This led to serious suspicion that I was illegally operating a CDN. The person who delivered the letter even deliberately rushed into my house and wandered around the various rooms, probably looking for servers. But don't worry, I've already reformed and limited my upload speed, since I've graduated from all the major websites. Having this past record, I'm somewhat aware of my own background; after all, I have a dark history, which in the past would have been equivalent to being sent to a "cow shed" (a derogatory term for someone with a bad class background).
Yesterday afternoon, I suddenly received a call from a telecom operator. They asked me directly whether I had published a website and told me to close it immediately, otherwise my IP address would be blocked. Damn, I have published so many websites; after all, it is called a home data center. But why did they call me out of the blue? As I understood it, the public IP address of home broadband has no ports 80 and 443, so publishing services on other ports should not be a problem. Moreover, my entire website is https, so they can't see my actual content. Why should I shut down the website?
But I have a dark history after all, so I was very nice and asked the telecom operator which website it was, thinking that if it was an unimportant site, I would just cooperate and shut it down. Then the operator asked me to add him on WeChat and sent me a screenshot of his chat history:
When I saw the domain name, website address, neighborhood address, and contact information, none of them had anything to do with me. I was completely baffled. I immediately told the maintenance staff that they had the wrong person, and after checking, they confirmed it was indeed the wrong person. The matter should have ended there, but then I thought about it again and something didn't seem right. Why were they calling me? I needed to find out the specific reason. Was it because I was a prime suspect, and they were contacting me first for everything?
So I called the operations and maintenance personnel again to ask why they had contacted the wrong person and demanded an explanation. Then they sent me the previous chat history, and it turned out that the domain name sent to the wrong person was actually my unregistered domain name. It was probably copied and pasted from a list of many monitored unregistered domain access information, and they copied and pasted mine instead. So I finally found the reason.
Two things stand out in the chat record above: the domain name is unregistered, and the access was plain-text HTTP. The telecommunications company used to turn a blind eye to this kind of access traffic. Now the network supervision policy is probably getting stricter and stricter; after all, the overall environment is not good, and they are afraid that someone will do something bad.
2. Consequences
Based on the above facts and the increasingly strict Internet regulatory policies in the future, I have made the following adjustments to my suggestions for using home broadband with public IP addresses to build websites:
1. It is recommended to register domain names mainly used in China
In my previous articles I only said that if you want to use a domestic CDN, the domain name must be registered (ICP filing); that is mandatory. However, if you use a public IP as the origin together with Cloudflare to build a website, registration was not a must. The premise of that statement was that China Telecom turns a blind eye to inbound http and https access traffic. It now seems that China Telecom has begun to act on inbound http traffic for unregistered domain names, and it is probably only a matter of time before it acts on inbound https traffic too. After all, if they can't see what you are doing, then you are most likely doing something bad. Therefore, in the future, domain names that are mainly used in China should be registered honestly, and you should get a good-citizen certificate for self-defense.
2. https becomes a must
When a registered domain name is used as the origin domain name with a domestic CDN, there are both http and https options, but looking at the current situation https has become a must, and registered domain name + https will be the security guarantee for some time to come. Otherwise, even if the domain name is registered, running plain-text http makes it easy for others to find fault with you. If the traffic is https-encrypted, others may not bother to make the effort.
3. When using cloudflare to build a website, only tunnel is recommended
Although, when home broadband has a public IP, Cloudflare can use that public IP directly as the origin address (see: Home data center series uses cloudflare's Origin Rules to solve the problem of having a public IP but no legal ports 80 and 443 when building a website), in the future I will give priority to the tunnel method regardless of whether the home broadband has a public IP or not. After all, with this method the traffic will not show up as inbound https traffic, and safety comes first.
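As an added example (not code from the original post), the script below shows the tunnel setup the two recommendations above amount to: the site is reachable only through Cloudflare's edge over https, and the home origin accepts no inbound connections at all, because cloudflared dials out to Cloudflare. The tunnel name "homeblog", the hostname blog.example.com, the local service on 127.0.0.1:8080 and the file paths are assumptions for illustration; the cloudflared commands and config keys are the tool's standard ones.

```shell
#!/bin/sh
# Added example: publish a home-broadband site through a Cloudflare Tunnel.
# Assumed names (not from the original post): tunnel "homeblog",
# site blog.example.com, local web app on 127.0.0.1:8080.
TUNNEL_NAME="homeblog"
SITE_HOST="blog.example.com"
ORIGIN_URL="http://127.0.0.1:8080"
CF_DIR="${HOME}/.cloudflared"

# Render the cloudflared config. $1 = tunnel UUID, $2 = credentials file path.
# The last catch-all rule answers 404 for any hostname not listed, so a stray
# or unregistered hostname pointed at this tunnel never reaches the origin.
render_tunnel_config() {
  cat <<EOF
tunnel: $1
credentials-file: $2
ingress:
  - hostname: ${SITE_HOST}
    service: ${ORIGIN_URL}
  - service: http_status:404
EOF
}

# Self-check helper: number of ingress rules in a rendered config
# (expected: one hostname rule plus the catch-all = 2).
count_ingress_rules() {
  printf '%s\n' "$1" | grep -c '^  - '
}

# One-time setup and run; only executed as:  sh tunnel.sh deploy
deploy() {
  cloudflared tunnel login                      # authorise against your Cloudflare account
  cloudflared tunnel create "${TUNNEL_NAME}"    # writes ${CF_DIR}/<UUID>.json credentials
  # Newest credentials file belongs to the tunnel just created (assumption: one tunnel per host).
  cred=$(ls -t "${CF_DIR}"/*.json | head -n 1)
  uuid=$(basename "${cred}" .json)
  render_tunnel_config "${uuid}" "${cred}" > "${CF_DIR}/config.yml"
  # Create the CNAME for the hostname in Cloudflare DNS, proxied through the edge.
  cloudflared tunnel route dns "${TUNNEL_NAME}" "${SITE_HOST}"
  # Outbound-only connection to Cloudflare; no port 80/443 is opened at home.
  cloudflared tunnel run "${TUNNEL_NAME}"
}

case "${1:-}" in
  deploy) deploy ;;
esac
```

With this layout nothing listens on the public IP, so there is no plain-text http inbound traffic for the ISP to flag; the visitor-facing https is terminated at Cloudflare's edge, and enabling "Always Use HTTPS" in the Cloudflare dashboard (SSL/TLS > Edge Certificates) redirects any http request before it is served.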
4. If you don't want to register (ICP filing), you can only use Cloudflare and optimize access speed
For personal blogs running WordPress, Cloudflare's Worker optimization solutions are still quite effective (see this blog for reference: https://blog.tangwudi.com). With its fast access speeds and the cost-effective traffic scrubbing and security features of the free plan, it's a good option for those who don't want to register their domain. I'll be writing a series of Cloudflare tutorials later; this series has been planned for a long time, but the thought of writing so much makes me lazy... I'll just procrastinate as long as I can.