0. Preface
If you look at my cluster monitoring panel, you will notice that my servers (especially the high-spec ones) are all in mainland China, while the overseas servers are all relatively low-spec. In Server Security (2): Internal and External Network Defense I also described the method of using a server as a forwarder.
This is why my servers almost never go down: the IP that anyone can find is only a forwarding machine. If that machine is null-routed (put into a black hole), I can immediately switch to Cloudflare and another forwarder, and thanks to the N+2 multi-machine hot-standby deployment of the services, the switch to Cloudflare is completed for all services just by modifying DNS records; for services deployed at multiple points, such as the blog and the CDN, the monitoring can even complete the switch fully automatically.
This solution is now very mature, and I have rolled it out within the team in the following form:
- Run the service in a Docker container
- Let members use the containers
- The host acts as the forwarder described above
This has a problem: certificates need to be configured in both the container and the host, although the certificate inside the container does not have to be valid and can be self-signed. The bigger problem is that if the domain name has no ICP filing, it is blocked outright by the filing check: HTTP requests are redirected, and with HSTS enabled the connection is simply reset. When using an Nginx reverse proxy, I do not know why HTTPS/443 forwarding can be used directly without being blocked; when Cloudflare connects back to the origin, however, an Error 525 is reported after a few visits and the connection cannot be completed.
Therefore, the best approach is to customise the port Cloudflare uses to reach the origin.
1. Non-standard port SSL
First refer to the article on this site:
Nginx non-standard port or subdomain to enable SSL
https://blog.tsinbei.com/archives/76/
The following uses the non-standard port 8443 as an example.
2. Custom back-to-origin port
Configure it in the console as follows:
The rule configuration is hidden on the original page: comment first and it is shown after your comment is approved, or join the QQ group to display all hidden text.
After editing, click "Deploy" and refresh the browser cache for it to take effect.
When you need to add a domain name, simply edit this rule again.
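An Nginx origin configuration that matches this procedure, added here as an example and not taken from the original post or the linked article; the domain, certificate paths, container address and the allow-list file are assumptions:

```nginx
# Added example, not the configuration from the original post.
# Assumptions: the host runs Nginx as the forwarder, the service container
# listens on https://127.0.0.1:9443 with a self-signed certificate, and the
# certificate paths, the domain and the included file are placeholders.

server {
    # The Cloudflare Origin Rule rewrites the destination port to 8443, so
    # this is the only listener the origin needs. There is deliberately no
    # plain-HTTP listener: enable "Always Use HTTPS" at Cloudflare instead
    # (see the precautions), so the edge never reaches the origin over HTTP.
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name origin.example.com;

    # A self-signed certificate is accepted in Cloudflare SSL mode "Full";
    # "Full (strict)" needs a certificate Cloudflare trusts, e.g. one issued
    # by the Cloudflare Origin CA. A handshake the edge rejects is what the
    # visitor sees as Error 525.
    ssl_certificate     /etc/nginx/certs/origin.crt;
    ssl_certificate_key /etc/nginx/certs/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Accept only connections that arrive through Cloudflare, so the
    # non-standard port does not become a direct path to the origin.
    # cloudflare-allow.conf holds one "allow <range>;" line per range from
    # https://www.cloudflare.com/ips/ (generate it; do not hand-type ranges).
    include /etc/nginx/cloudflare-allow.conf;
    deny all;

    location / {
        proxy_pass https://127.0.0.1:9443;
        # The container's certificate is self-signed, so this internal hop
        # is not verified; the public-facing certificate is the one above.
        proxy_ssl_verify off;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        # Cloudflare supplies the visitor's address in CF-Connecting-IP.
        proxy_set_header X-Real-IP         $http_cf_connecting_ip;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Check the listener with `nginx -t` and then a TLS request to port 8443 before pointing the Origin Rule at it, so that a 525 can be attributed to the edge rather than to the origin.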
3. Effect
Qingbei Club Ordinary Member Node Status Page
https://v1.tsinbei.cf
If that page loads correctly, this method is still working.
4. Precautions
If you find that HTTP access is redirected to the filing page while HTTPS access works normally, this is because Cloudflare by default uses the same protocol as the visitor when connecting to the origin; simply enable forced HTTPS in the console.
Use Cloudflare's Custom Origin Rules to Bypass Non-ICP Blocking