老话重提。2022年都快过完了还有人做假证书防止IP泄漏

你号没了

https://lilynana.eu.org/thread-1058244-1-1.html
这个主题帖看不到原楼主的内容了。
采集站里面看是以下内容

1. 2022年都快过完了还有人做假证书防止IP泄漏的？？？
   
2. Nginx从2020年发布的1.19.4版本开始就内置了更好的方式啊,
   
3. Syntax: ssl_reject_handshake on | off;
   
4. Default: ssl_reject_handshake off;
   
5. Context: http, server
   
6. This directive appeared in version 1.19.4.
   
7. If enabled, SSL handshakes in the server block will be rejected.
   
8. For example, in the following configuration, SSL handshakes with server names other than example.com are rejected:
   
9. server {
   
10. listen 443 ssl default_server;
    
11. ssl_reject_handshake on;
    
12. }
    
13. server {
    
14. listen 443 ssl;
    
15. server_name example.com;
    
16. ssl_certificate example.com.crt;
    
17. ssl_certificate_key example.com.key;
    
18. }

复制代码

nginx怎么配置啊

1. listen 443 ssl default_server;
   
2. ssl_reject_handshake on;
   
3. }

复制代码

加上这个off开关就可以了吗

loveqianool

谁用假的呀，当然是上真证书。

akamai

用自带源的话，debian 12 ubuntu 23.04以后才是 1.19.4以后版本。rh系不清楚。
自己编译，动态模块每次更新都要重新折腾。

inkneko

ubuntu22.04 ngx 1.18

inkneko

还有一堆人用centos7。用假证书还可以问候一下偷邻居证书的马

iks

要加个 ssl handshake timeout 不然容易 idle 连接

你号没了

iks 发表于 2023-11-16 09:24
要加个 ssl handshake timeout 不然容易 idle 连接

好的。感谢大佬指点

1. server {
   
2.     listen 443 ssl default_server;
   
3.     ssl_reject_handshake on;
   
4.     ssl_handshake_timeout 5s;  # 设置为 5 秒钟
   
5. }

复制代码

你号没了

Starting nginx... nginx: [emerg] "ssl_handshake_timeout" directive is not allowed here in /usr/local/nginx/conf/nginx.conf:76

iks

你号没了 发表于 2023-11-16 09:29
Starting nginx... nginx: [emerg] "ssl_handshake_timeout" directive is not allowed here in /usr/local ...

草，我给的 key 不一定对，google 一下 8

你号没了

iks 发表于 2023-11-16 09:44
草，我给的 key 不一定对，google 一下 8

  问gpt一会说放http模块  一会说放server     

nginx version: nginx/1.22.0

1. user  www www;
   
2. 
   
3. worker_processes auto;
   
4. worker_cpu_affinity auto;
   
5. 
   
6. error_log  /home/wwwlogs/nginx_error.log  crit;
   
7. 
   
8. pid        /usr/local/nginx/logs/nginx.pid;
   
9. 
   
10. #Specifies the value for maximum file descriptors that can be opened by this process.
    
11. worker_rlimit_nofile 51200;
    
12. 
    
13. events
    
14. {
    
15.     use epoll;
    
16.     worker_connections 51200;
    
17.     multi_accept off;
    
18.     accept_mutex off;
    
19. }
    
20. 
    
21. http
    
22. {
    
23.     include       mime.types;
    
24.     default_type  application/octet-stream;
    
25. 
    
26.     server_names_hash_bucket_size 128;
    
27.     client_header_buffer_size 32k;
    
28.     large_client_header_buffers 4 32k;
    
29.     client_max_body_size 50m;
    
30. 
    
31.     sendfile on;
    
32.     sendfile_max_chunk 512k;
    
33.     tcp_nopush on;
    
34. 
    
35.     keepalive_timeout 60;
    
36. 
    
37.     tcp_nodelay on;
    
38. 
    
39.     fastcgi_connect_timeout 300;
    
40.     fastcgi_send_timeout 300;
    
41.     fastcgi_read_timeout 300;
    
42.     fastcgi_buffer_size 64k;
    
43.     fastcgi_buffers 4 64k;
    
44.     fastcgi_busy_buffers_size 128k;
    
45.     fastcgi_temp_file_write_size 256k;
    
46. 
    
47.     gzip on;
    
48.     gzip_min_length  1k;
    
49.     gzip_buffers     4 16k;
    
50.     gzip_http_version 1.1;
    
51.     gzip_comp_level 2;
    
52.     gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    
53.     gzip_vary on;
    
54.     gzip_proxied   expired no-cache no-store private auth;
    
55.     gzip_disable   "MSIE [1-6]\.";
    
56. 
    
57.     #limit_conn_zone $binary_remote_addr zone=perip:10m;
    
58.     ##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.
    
59. 
    
60.     server_tokens off;
    
61.     access_log off;
    
62. 
    
63.     server
    
64.     {
    
65.         listen 80 default_server reuseport;
    
66.         #listen [::]:80 default_server ipv6only=on;
    
67.         server_name _;
    
68.         return 444;
    
69.         access_log off;
    
70.     }
    
71. 
    
72.     server
    
73.     {
    
74.         listen 443 ssl http2;
    
75.         server_name _;
    
76.         ssl_reject_handshake on;
    
77.         ssl_handshake_timeout 5s;
    
78.         access_log off;
    
79.     }
    
80. 
    
81.     include vhost/*.conf;
    
82. }
    

复制代码

Starting nginx... nginx: [emerg] "ssl_handshake_timeout" directive is not allowed here in /usr/local/nginx/conf/nginx.conf:77