环境:
域名具有 Cloudflare 等抗 DDoS 保护 但是我们有通过 IP 地址和域名进行的攻击https://static.IP.clients.your-server.de(似乎是 Hetzner 默认提供的)
这是对 404 页面的攻击 - 因为我们没有服务:
version: '3.3'
services:
traefik:
image: traefik:v2.10.6
ports:
- 80:80
- 443:443
deploy:
placement:
constraints:
- node.labels.traefik-public.traefik-public-certificates == true
labels:
- traefik.enable=true
- traefik.docker.network=traefik-public
- traefik.constraint-label=traefik-public
- traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
- traefik.http.routers.traefik-public-http.rule=Host(`${DOMAIN?Variable not set}`)
- traefik.http.routers.traefik-public-http.entrypoints=http
- traefik.http.routers.traefik-public-http.middlewares=https-redirect
- traefik.http.routers.traefik-public-https.rule=Host(`${DOMAIN?Variable not set}`)
- traefik.http.routers.traefik-public-https.entrypoints=https
- traefik.http.routers.traefik-public-https.tls=true
- traefik.http.routers.traefik-public-https.service=api@internal
- traefik.http.routers.traefik-public-https.tls.certresolver=le
- traefik.http.routers.traefik-public-https.middlewares=admin-auth
- traefik.http.services.traefik-public.loadbalancer.server.port=8080
volumes:
# Add Docker as a mounted volume, so that Traefik can read the labels of other services
- /var/run/docker.sock:/var/run/docker.sock:ro
# Mount the volume to store the certificates
- traefik-public-certificates:/certificates
command:
# Enable Docker in Traefik, so that it reads labels from Docker services
- --providers.docker
# Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
- --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
# Do not expose all Docker services, only the ones explicitly exposed
- --providers.docker.exposedbydefault=false
# Enable Docker Swarm mode
- --providers.docker.swarmmode
# Create an entrypoint "http" listening on port 80
- --entrypoints.http.address=:80
# Create an entrypoint "https" listening on port 443
- --entrypoints.https.address=:443
# Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
- --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
# Store the Let's Encrypt certificates in the mounted volume
- --certificatesresolvers.le.acme.storage=/certificates/acme.json
# Use the TLS Challenge for Let's Encrypt
- --certificatesresolvers.le.acme.tlschallenge=true
# Enable the access log, with HTTP requests
- --accesslog
# Enable the Traefik log, for configurations and errors
- --log
# Enable the Dashboard and API
- --api
networks:
# Use the public network created to be shared between Traefik and
# any other service that needs to be publicly available with HTTPS
- traefik-public
volumes:
# Create a volume to store the certificates, there is a constraint to make sure
# Traefik is always deployed to the same Docker node with the same volume containing
# the HTTPS certificates
traefik-public-certificates:
networks:
# Use the previously created public network "traefik-public", shared with other
# services that need to be publicly available via this Traefik
traefik-public:
external: true
我们无法隐藏我们的真实服务器IP - 所以我们受到IP攻击。
是否可以只接受domain.com和***.domain.com的请求?
我们不需要 IP 请求出现 404 错误 - 因为 DDoS 也可能出现 404 错误
像 Traefik 这样的负载均衡器应该只路由到为给定域或子域配置的 Web 服务器。听起来你的 DNS 可能混乱了。检查负载均衡器后面是否有 IP 条目,并删除它们以支持负载均衡器本身。
这是通过您的域名提供商或委托 DNS 服务完成的,具体取决于您的设置。
如果负载均衡器配置正确,那么它应该忽略对静态 IP 上的资源的请求。
另一件事是,一些托管提供商将提供单独的域名命名方案,例如 11-11-11-11.internal.hosting.dns,其中 11-11-11-11 是 IP。托管平台应根据您的要求提供禁用或向公众隐藏此功能的选项。如果没有,那么您需要从您未包含的 Web 服务器配置中过滤掉它。
此外,我在您的 swarm 配置中看到了 traefik-public 网络。这可能是实际面向公众的入口点,也可能是应该重构以仅在内部公开内部 api 的东西。需要更多有关您的设置的信息才能确定。