My origin server kept getting picked up by rogue scanners like Censys; even behind a CDN it was still being scanned. After changing the Nginx config as below, Censys can no longer find any information about the origin server.

Main changes:

In the http block, before include /www/server/panel/vhost/nginx/*.conf;, added a default_server that catches every request on 80/443 arriving by IP or with a Host that matches no configured domain;
Used return 444; to close the connection directly, so that nothing is leaked (including the SSL certificate);
Included a default SSL certificate path.

Nginx configuration file:

user  www www;
worker_processes auto;
error_log  /www/wwwlogs/nginx_error.log  crit;
pid        /www/server/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;

stream {
    log_format tcp_format '$time_local|$remote_addr|$protocol|$status|$bytes_sent|$bytes_received|$session_time|$upstream_addr|$upstream_bytes_sent|$upstream_bytes_received|$upstream_connect_time';
    access_log /www/wwwlogs/tcp-access.log tcp_format;
    error_log /www/wwwlogs/tcp-error.log;
    include /www/server/panel/vhost/nginx/tcp/*.conf;
}

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include       mime.types;
    #include luawaf.conf;
    include proxy.conf;
    lua_package_path "/www/server/nginx/lib/lua/?.lua;;";
    default_type  application/octet-stream;
    server_names_hash_bucket_size 512;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;
    sendfile   on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;
    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 5;
    gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/json image/jpeg image/gif image/png font/ttf font/otf image/svg+xml application/xml+rss text/x-js;
    gzip_vary on;
    gzip_proxied   expired no-cache no-store private auth;
    gzip_disable   "MSIE [1-6]\.";
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;
    server_tokens off;
    access_log off;

    # ========== Hardening: block direct IP access on 80/443 ==========
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        # Use a default placeholder certificate (avoids an Nginx startup error)
        ssl_certificate /www/server/panel/vhost/cert/default/fullchain.pem;
        ssl_certificate_key /www/server/panel/vhost/cert/default/privkey.pem;
        # Key point: close the connection directly, return no response at all
        return 444;
    }
    # =====================================================

    server {
        listen 888;
        server_name phpmyadmin;
        index index.html index.htm index.php;
        root  /www/server/phpmyadmin;
        allow 127.0.0.1;
        allow ::1;
        deny all;
        #error_page   404   /404.html;
        include enable-php.conf;
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires      30d;
        }
        location ~ .*\.(js|css)?$ {
            expires      12h;
        }
        location ~ /\. {
            deny all;
        }
        access_log  /www/wwwlogs/access.log;
    }

    include /www/server/panel/vhost/nginx/*.conf;
}

Before using this config, do the following:
Create the default SSL certificate directory and files (if they do not already exist):

mkdir -p /www/server/panel/vhost/cert/default
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout /www/server/panel/vhost/cert/default/privkey.pem \
  -out /www/server/panel/vhost/cert/default/fullchain.pem \
  -subj "/CN=invalid.local"

Test the config and reload Nginx:

nginx -t
nginx -s reload

Verify the result:
Open http://your-server-IP in a browser → no response, or the connection is reset
Run curl -v https://your-server-IP → no certificate can be obtained, or an empty response
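Beyond testing from the outside, it helps to check the config itself before every reload, because the catch-all only works if every port a vhost listens on also has a default_server that returns 444 (a new vhost conf listening on a port the catch-all does not cover silently reopens the hole). The script below is an added example written for this post, not the post's own code: a minimal nginx config parser plus an audit that reports such gaps. The vhost domain and its certificate paths are constructed placeholders; the catch-all block is the one from the post. One caveat the audit cannot see: return 444 runs after the TLS handshake has completed, so the placeholder certificate is still presented to whoever connects, which is why its CN carries no real hostname; nginx 1.19.4 and later can instead refuse the handshake outright with ssl_reject_handshake on; inside the catch-all server.

```python
import re

# Constructed sample vhost: the usual state before the fix, no catch-all server.
# Domain and certificate paths are placeholders, not taken from the post.
VHOST = """
    server {
        listen 80;
        listen [::]:80;
        listen 443 ssl http2;
        server_name www.example.com;
        ssl_certificate     /etc/ssl/example/fullchain.pem;
        ssl_certificate_key /etc/ssl/example/privkey.pem;
        root /var/www/example;
    }
"""

# The catch-all server block from the post (paths as in the post).
CATCHALL = """
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        ssl_certificate /www/server/panel/vhost/cert/default/fullchain.pem;
        ssl_certificate_key /www/server/panel/vhost/cert/default/privkey.pem;
        return 444;
    }
"""

BEFORE = "http {\n    server_tokens off;\n" + VHOST + "}\n"
AFTER = "http {\n    server_tokens off;\n" + CATCHALL + VHOST + "}\n"

# Tokens: comments, double/single quoted strings, the three structural chars, bare words.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"'#]+''')


def parse_nginx(text):
    """Minimal nginx config parser. Returns a list of (name, args, children) where
    children is None for a simple directive and a list for a block. Comments are
    dropped, quotes around arguments are stripped, include files are not followed."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens):
            if tokens[pos] == "}":
                pos += 1
                return items
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if pos == len(tokens):
                raise ValueError("unterminated directive: " + " ".join(words))
            is_block = tokens[pos] == "{"
            pos += 1
            if words:
                items.append((words[0], words[1:], block() if is_block else None))
        return items

    return block()


def listen_ports(server):
    """Yield (port, is_default, is_ssl) for each listen directive of a server block.
    Handles '80', '0.0.0.0:80' and '[::]:443'; unix sockets are skipped."""
    for name, args, _ in server:
        if name != "listen" or not args or args[0].startswith("unix:"):
            continue
        addr = args[0]
        port = addr.rsplit(":", 1)[-1] if ":" in addr else addr
        yield port, "default_server" in args, "ssl" in args


def audit(text):
    """Return a list of findings. An empty list means every port any server listens on
    has a default_server that closes the connection with 'return 444', and every ssl
    default_server has a certificate (the post's reason for shipping a placeholder)."""
    tree = parse_nginx(text)
    http = next((c for n, _, c in tree if n == "http" and c is not None), None)
    if http is None:
        return ["no http block found"]
    http_cert = any(n == "ssl_certificate" for n, _, _ in http)
    seen, catchall, ssl_nocert = set(), {}, set()
    for name, _, server in http:
        if name != "server" or server is None:
            continue
        closes = any(n == "return" and a and a[0] == "444" for n, a, _ in server)
        has_cert = http_cert or any(n == "ssl_certificate" for n, _, _ in server)
        for port, is_default, is_ssl in listen_ports(server):
            seen.add(port)
            if is_default:
                catchall[port] = closes
                if is_ssl and not has_cert:
                    ssl_nocert.add(port)
    findings = []
    for port in sorted(seen, key=lambda p: int(p) if p.isdigit() else 0):
        if port not in catchall:
            findings.append(f"port {port}: no default_server; requests by IP or unknown Host "
                            f"are served by the first vhost on this port")
        elif not catchall[port]:
            findings.append(f"port {port}: default_server does not 'return 444'")
        if port in ssl_nocert:
            findings.append(f"port {port}: ssl default_server has no ssl_certificate")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "OK: every listened port is covered by a 444 catch-all")
```

Run against the post's full nginx.conf (with the vhost directory's files pasted in, since includes are not followed), the audit also reports port 888: the phpMyAdmin server there has no catch-all, so a request to that port by IP is answered with a 403 from deny all rather than a closed connection, which still confirms that nginx is listening.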