
Migrating to a VPS in Mainland China Without ICP Filing

Recently I have been getting constant complaints that the site is dead slow. I am also fed up with the "explosive" speed of overseas hosting. Wasn't all that effort switching themes meant to speed things up? In the end... that treats the symptom, not the root cause. This time I made up my mind to migrate back to my beat-up little box. Traffic is small anyway, and a student-plan VPS can carry it. The only problem: no ICP filing.

Why do you need to file?

This problem is serious, whether you create content or not! On domestic hosts, Big Brother focuses on inspecting what flows through port 80. After all, it is transmitted in plain text, so it is easy to find out what shameful things you have done. With HTTPS it is a different story: unless Big Brother digs the hard drive out of the machine and looks at it, nothing bad can be found by passive monitoring. Therefore every HTTP request is checked to see whether the domain name the destination URL belongs to (that is, the Host header) has been filed.

Without a filing, port 80 cannot be used. If you type a URL without https, the request is blocked and an "unfiled" page is shown, and the firewall gets its +1s. Domain verification for many services also requires HTTP access, so all of those are gg; every domestic service that needs a domain bound to it, and the acceleration services for fixed domain names, paid or free, are all unusable. Oh, and search engines won't talk to you either, because your port 80 is returning 403 Forbidden.

I have always been in awe that every Alibaba Cloud host is subject to this monitoring. That the system still manages recognition within seconds under such high concurrency (the first request goes through, and after a few to ten seconds of access it turns into a 403 "unfiled" page) is quite an achievement, super awesome! But alas, technology itself is not guilty.

Why not file?

Question: So Big Brother asks you to file; isn't it illegal if you don't?

Answer: It probably is. Although with my method no Big Brother has come to track me down so far, if one day the PV gets too high and triggers an alarm, I will file. What I am most afraid of is having my personal privacy invaded by some strange species. After all, the circle is too small, not to mention that this line of work requires some basic discipline.

Honestly, it's obsessive-compulsive disorder plus laziness; where did all these excuses come from.

Principle

We want HTTP access to keep working, so why not change our thinking and have HTTP access automatically jump to HTTPS; after all, that is fashionable. The first thing I thought of was the cached 301, but not all browsers cache 301s, it is very unstable, and any "housekeeper" cleanup tool will wipe it. So the only way is HSTS. HSTS not only forces the browser to use a secure connection for a given period, but also forces it to verify that the SSL certificate is valid, which prevents MITM as a bonus. Great.

Readers may ask: why not just find a foreign host and redirect from there? I thought about that too, but HTTP abroad and HTTPS at home is completely impossible: both resolve to one IP, and DNS does not know which port you are going to connect to. The only option is to use a foreign host (at the address meant for typing by hand) to 301-redirect to another domestic address (the one meant for copy-pasting URLs), adding https and HSTS to the header. From now on, we use SSL.

Steps

Enable SSL+HSTS

There are plenty of tutorials online for enabling SSL in nginx. Remember that listen 443 must be followed by ssl; and that the line ssl on; should not be added (some tutorials get this wrong). As for enabling HSTS, insert the following into the server block. 31536000 is one year in seconds.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Set up DNS via CF

By CloudFlare I mean not only using it as our DNS server but also letting CF be our reverse proxy. At https://www.cloudflare.com/a/dns/your.domain, when setting up the DNS records, click on that little cloud.

Enable 301 redirection in CloudFlare

CF's redirect is hidden inside Page Rules. You can specify it directly: when the URL matches http://*.your.domain/*, Always Use HTTPS, and it sets up the 301 redirect for you automatically. Of course, the rules here only take effect for hosts that pass through CF.

Register a free Let's Encrypt SSL certificate manually

This step is more troublesome. Because our serving box and our registration box are no longer in the same cage, we need to use certbot auth --manual to register by hand. After entering the domain name, a challenge string pops up that we must place in a designated directory of the website; this is where the first two steps pay off. Let the HTTP access force-redirect to HTTPS, then put the challenge under the nginx directory we configured, click next, and an SSL certificate valid on the public internet is generated in the directory it indicates. Of course, there will be this trouble every three months from now on. After all, nobody wants to use junk WoSign.

Copy a valid certificate to nginx

With nginx, remember to copy the key and fullchain.pem rather than cert.pem into the nginx directory, replace the throwaway certificate obtained in the first step, and reload.
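As an added example (not the author's own configuration), this is what the nginx server block looks like once the SSL, certbot and certificate-copy steps above are combined: ssl on the listen line, the HSTS header, the fullchain.pem and privkey.pem paths, and a location that serves the manual certbot challenge directory, which the Let's Encrypt validator reaches by following the HTTP-to-HTTPS 301. The domain and file paths are placeholders.

```nginx
server {
    listen 443 ssl;                # "ssl" belongs on the listen line; no separate "ssl on;"
    server_name your.domain;       # placeholder

    # fullchain.pem (leaf + intermediate), not cert.pem, so clients can build the chain.
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;     # assumed path

    # HSTS: one year, including subdomains. Only meaningful on the HTTPS block;
    # browsers ignore this header when it arrives over plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Serve the challenge file from the manual certbot run. The validator follows
    # the 301 from CloudFlare to this HTTPS location, so port 80 is never needed here.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;        # assumed path; certbot prints the file name and contents
        default_type text/plain;
    }

    location / {
        root /var/www/html;        # assumed path
        index index.html;
    }
}
```

After copying the renewed fullchain.pem and privkey.pem into place, nginx -t followed by a reload picks up the new certificate without restarting.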

Toggle DNS to skip CF

On the same page as before, https://www.cloudflare.com/a/dns/your.domain, click the little orange cloud in the corresponding record so that the arrow goes around the cloud, then wait for the DNS cache to refresh. Oh, by the way, it is not the local cache; you have to wait for the whole network to refresh. From testing I found that CF's Automatic TTL is about 300, which works out to about five minutes, but I also found that the dumb local DNS changes it to 900, which is 15 minutes... I just don't understand how a server can be so lazy... and then waited fifteen minutes with such thoughts. After bypassing CF you can set a short TTL yourself, which is convenient for switching back and forth while debugging, and record updates will be quite fast.