If you are running a website behind a CDN, the orignal IP of your hosts can still be leaked through SSL handshake.

For example, if you simple visit in browser:
https://[host_ip]

You will probably see the certificate which has domain names. So if someone is running a scanner against data center ip addresses, they will be able to associate the domain names and the orignal IP.

However there is a simple way to fix this. In NGINX, there is config to disable ssl handshake:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

We can add a simple server block in NGINX config file before your actuall server block

server {
    listen               443 ssl;
    ssl_reject_handshake on;
}

###Your actual domain name
server {
    listen               443 ssl;
    server_name example.com;
    ...
}
/ Tech

One Comment

Leave a Reply

Your email address will not be published.

Happy New Year 2022!
My Personal BBS is up and live