我最近在周围的圆周率上设置了一个小孔,非常棒。当一个域被阻止时,它会根据其默认配置BLOCKINGMODE=NULL返回ip地址0.0.0.0。
我面临的问题是,当我从我的服务器浏览网页时,它会不断尝试连接到我的nginx网站,并用404填充日志。
我认为解决方案是更新我的nginx配置,使其指向我的私有ip,而不是0.0.0.0。我以为它会像更新listen 443 ssl;一样简单至listen 192.168.1.10:443 ssl;
不幸的是,在我做出改变后,我所有的子域都随机指向其中一个。例如a.mysite.com、b.mysite.com和c.mysite.com都指向a.mysite.com
我的大多数网站都将docker实例转发到443,还有一些只是提供本地文件。
我最初在pihole论坛上问过,他们给我指明了正确的方向,但我不确定如何使用我的私人ip而不是0.0.0.0来让nginx工作。https://discourse.pi-hole.net/t/blockingmode-null-vs-nodata/53016/7
简单的解决方案是让我的nginx配置保持独立,并将pihole从BLOCKINGMODE=NULL更新为BLOCKINGMODE=NXDOMAIN或BLOCKINGMODE=NODATA,但根据他们的帮助文档;与NULL阻塞类似,但实验表明,与NULL阻塞相比,客户端可能更频繁地尝试解析被阻塞的域"https://docs.pi-hole.net/ftldns/blockingmode/
感谢阅读!
mrplow@dan-server:~$ dig ads.facebook.com
; <<>> DiG 9.16.15-Ubuntu <<>> ads.facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ads.facebook.com. IN A
;; ANSWER SECTION:
ads.facebook.com. 2 IN A 0.0.0.0
;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jan 27 14:50:46 PST 2022
;; MSG SIZE rcvd: 61
mrplow@dan-server:~$ date && curl ads.facebook.com && tail -n 1 /var/log/nginx/access.log
Thu 27 Jan 2022 03:00:19 PM PST
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
127.0.0.1 - - [27/Jan/2022:15:00:19 -0800] "GET / HTTP/1.1" 404 162 "-" "curl/7.74.0"
nginx conf文件示例
server {
server_name a.mysite.com;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://127.0.0.1:9117;
}
ssl_dhparam /etc/ssl/certs/a.mysite.pem;
listen 443 ssl; # managed by Certbot
# listen 192.168.1.10:443 ssl;
ssl_certificate /etc/letsencrypt/live/a.mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/a.mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = a.mysite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name a.mysite.com;
listen 80;
# listen 192.168.1.10:80;
return 404; # managed by Certbot
}
想明白了。
我在监听指令中包含私有ip是正确的。但是,我还需要更新我的所有server_name指令,以包括私有ip地址。
在我更新了所有的nginx配置后,它不再监听0.0.0.0,当我卷曲一个被阻止的站点时,它现在给出了正确的curl: (7) Failed to connect to ads.facebook.com port 80: Connection refused响应。
工作示例:
server {
server_name a.mysite.com 192.168.1.10;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://127.0.0.1:9117;
}
ssl_dhparam /etc/ssl/certs/a.mysite.pem;
listen 192.168.1.10:443 ssl;
ssl_certificate /etc/letsencrypt/live/a.mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/a.mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = a.mysite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name a.mysite.com 192.168.1.10;
listen 192.168.1.10:80;
return 404; # managed by Certbot
}