Apache uses setenvif to identify and release the CDN traffic according to the request header, intercept the DDoS traffic, pay attention to the security issues during CDN deployment, and bypass the CDN
2022-06-25 21:25:00 【Deng_Xian_Sheng】
This post grew out of a discussion titled "Real IP still found after deploying a CDN". It has two themes: one is how to deploy a CDN securely, the other is how to discover the real IP behind a deployed CDN. There is a faint whiff of "fighting with oneself" about it.
The author's Ubuntu server sits behind Tencent Cloud CDN, with the CDN fetching from the origin over HTTPS by IP. Unexpectedly, a vulnerability exposing the real IP was found (thanks to the researcher Safe Little Spider on our team). He found that the SSL certificate leaked the real IP; I have not yet worked out the exact cause myself.
Bypassing the CDN to get the real IP: this website can help you
https://censys.io/ipv4?q=uosblog.top
Obviously, my real IP was found (but that no longer matters much).
How to defend? Security issues to pay attention to during CDN deployment
As noted above, the author's server is reached by the CDN through its IP (back-to-origin by IP). Simply disabling access by IP does not guarantee security (an attacker can still edit the hosts file to map a domain name to the real IP, so any IP-based restriction is bypassed), and it would also stop the CDN from fetching from the origin. So instead we identify CDN traffic and let Apache distinguish it.
Configure a back-to-origin HTTP request header; most CDN vendors offer this feature.
Apache configuration:
SetEnvIf sets environment variables according to attributes of the client request, and supports regular-expression matching of request headers.
Detailed explanation: https://developer.aliyun.com/article/451524
Match the request header xcdn: Tencent; if it matches, let the request through:
```apache
# Apache 2.2-style access control (mod_access_compat on Apache 2.4): a request whose
# "xcdn" header starts with "Tencent" sets local_ref and is allowed; all others get 403
Order allow,deny
SetEnvIf xcdn "^Tencent.*" local_ref=0
Allow from env=local_ref
```
Intercepted requests receive a 403:
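An added check (example code, not part of the original post) that exercises the rule above end to end: a small local HTTP server emulates the SetEnvIf/Allow behaviour, and the probe confirms that a request without the xcdn header, or with a different value, is refused with 403 while one carrying `xcdn: Tencent` gets 200. The emulator, the loopback port and the "OtherCDN" value are constructed assumptions; against a real deployment you would point `probe` at the origin's address instead.

```python
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values mirroring the SetEnvIf rule in the post: the CDN adds
# "xcdn: Tencent" when fetching from the origin; the regex is the rule's own.
CDN_HEADER = "xcdn"
CDN_VALUE_RE = re.compile(r"^Tencent.*")


class OriginEmulator(BaseHTTPRequestHandler):
    """Stand-in origin: 200 when the header matches (env var set -> Allow), else 403."""

    def do_GET(self):
        value = self.headers.get(CDN_HEADER, "")  # header names are case-insensitive
        self.send_response(200 if CDN_VALUE_RE.match(value) else 403)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_origin():
    """Start the emulated origin on a random loopback port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), OriginEmulator)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, headers):
    """Send one GET with the given headers and return the HTTP status code."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/", headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def check_origin_lockdown(host, port):
    """Return (status_without_header, status_wrong_value, status_with_header, locked_down)."""
    without = probe(host, port, {})
    wrong = probe(host, port, {CDN_HEADER: "OtherCDN"})
    good = probe(host, port, {CDN_HEADER: "Tencent"})
    return without, wrong, good, (without == 403 and wrong == 403 and good == 200)


if __name__ == "__main__":
    origin = start_origin()
    print(check_origin_lockdown(*origin.server_address))  # (403, 403, 200, True)
    origin.shutdown()
```

The header value is effectively a shared secret between the CDN and the origin, so in production choose a value an outsider cannot guess and rotate it like any other credential.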
Regarding the real IP being exposed through SSL, I found an article saying: without a CDN, if the server is configured for HTTPS and browsers access it over HTTPS, there is no problem.
With a CDN, if the server is configured for HTTPS and the CDN fetches from the origin over HTTPS, there is still no problem; but when users access the CDN over HTTPS, the CDN's certificate will reveal the origin IP.