Using Tencent Cloud EO to turn HTTPS access on a non-443 port into public access on port 443

Deploying Tencent Cloud EdgeOne, the next-generation CDN, to work around port 443 being unreachable on a home connection


At present, most home broadband connections in China sit behind metropolitan-area (carrier-grade NAT) addresses rather than having an independent public IP, and in most regions obtaining even a dynamic public IP is difficult. Even if you do get a public IP, the commonly used inbound ports 80, 443 and 8080 are blocked by the ISP and cannot be used.

My home NAS server, which sits on my public IP, does not host any public services and is only used for personal access. The services I use regularly work fine without ports 80 and 443, and because they are rarely accessed the exposure is also smaller. Occasionally, however, I need to test or build a personal application, and having to use a non-443 port is still very inconvenient. This article describes the method I usually use: putting a CDN in front of the home server so that a service on a dynamic public IP whose port 443 is blocked can still be reached on public port 443.

The method described here applies to domain names that have completed ICP filing and whose DNS records are hosted at a DNS provider you control. It also assumes you have a server reachable on a dynamic public IP.

Use Tencent Cloud EdgeOne acceleration service

EdgeOne (EO) is Tencent Cloud's edge security and acceleration network, comparable to Cloudflare's services, and it is gradually replacing some of Tencent Cloud's older content delivery products, such as dynamic acceleration (ECDN).

Tencent Cloud EO comes in several editions that differ in the number of requests and the amount of traffic included. For personal use the personal edition is more than enough; its usual promotional price is in the 40-70 range for a one-year purchase.

To use EO to front a non-443 origin on public port 443, the domain name must have completed MIIT ICP filing in China. Note also that only HTTP/HTTPS (layer-7) services can be accelerated this way; raw TCP or UDP services are not covered by this method.

(1) Configure dynamic DDNS resolution for domain names

We need to use two domain names, let's say one is a.example.com and the other is b.example.com.

Here we assume that a.example.com is the domain name you want to be reachable on public port 443, and b.example.com is the address we configure with DDNS dynamic resolution.

Dynamic resolution is configured so that the DNS record follows changes of the dynamic IP address; the configuration method is covered in my article:

At the same time, on the server side you need to use b.example.com as the externally facing hostname of the service you are hosting. For example, if you use nginx to reverse proxy a local Docker service, the nginx server block for that service should use b.example.com as its server name. Under normal circumstances, https://b.example.com:9443 should then reach the service over HTTPS.

(2) Add an origin server group to EO

Open EO's origin server configuration, add an origin server group, enter the dynamically resolved b.example.com as the origin server address, and set the back-to-origin Host header to b.example.com.

[screenshot: image-clfa.png]

(3) Add domain name settings to EO

Open EO's domain name management and add a.example.com as the acceleration domain. For the origin type select "origin server group" and pick the group just created. Then change the back-to-origin port to the port your server actually exposes: for example, if the server exposes its HTTPS service on 9443, set the HTTPS back-to-origin port to 9443.

[screenshot: image-wgdq.png]

(4) Resolve CNAME in DNS and set up SSL certificate

After completing the previous settings, EO gives you a CNAME target. Go to your DNS provider and set the record for a.example.com to a CNAME pointing at that Tencent Cloud EO address.

Then configure the SSL certificate for a.example.com in the EO settings panel, wait for the deployment to complete, and you can reach the origin server's services directly at https://a.example.com.

(5) Additional security settings

At this point the origin service is reachable both via https://b.example.com:9443 and via https://a.example.com.

If you do not want https://b.example.com:9443 to be reachable directly, add a custom back-to-origin header in EO (a header name and a secret value that only EO sends), and configure nginx on the server to accept only requests that carry that header, so that only requests arriving through EO are served by https://b.example.com:9443.

Two caveats: the header value is a shared secret, so it should be long, random and rotated if it is ever exposed, since anyone who learns it can reach b.example.com:9443 directly; and the nginx rule should be default-deny (reject unless the header matches) rather than a blocklist, so that a forgotten or misspelled rule fails closed.

In this way the origin service can only be accessed through https://a.example.com.

[screenshot: image-kloi.png]
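As an added example (not code from the original article), the following nginx server block for b.example.com implements the header check from step (5). The header name X-EO-Origin-Token, the placeholder secret, the certificate paths and the backend address 127.0.0.1:8080 are all assumptions; the same header name and value must be configured under EO's custom back-to-origin headers.

```nginx
# Hypothetical header name and value (assumption, not an EO default).
# Configure the identical name/value pair as a custom back-to-origin
# header in EO. nginx exposes the request header X-EO-Origin-Token as
# $http_x_eo_origin_token. The map is default-deny: any request whose
# header is absent or wrong yields $eo_allowed = 0.
map $http_x_eo_origin_token $eo_allowed {
    default                                0;
    "REPLACE_WITH_A_LONG_RANDOM_SECRET"    1;
}

server {
    # The non-443 port the ISP leaves open; EO connects here on back-to-origin.
    listen 9443 ssl;
    server_name b.example.com;

    # Certificate for b.example.com (paths are assumptions).
    ssl_certificate     /etc/nginx/certs/b.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/b.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Reject anything that did not arrive via EO before any location
    # is matched. 403 is returned without touching the backend.
    if ($eo_allowed = 0) {
        return 403;
    }

    location / {
        # Local Docker service behind the reverse proxy (assumed address).
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Do not leak the shared secret to the backend application.
        proxy_set_header X-EO-Origin-Token "";
    }
}
```

After reloading nginx, a direct `curl -k https://b.example.com:9443/` without the header should return 403, while a request through https://a.example.com (where EO injects the header) should return the application's response. Because the check happens at the server level, it also covers every location block added later, which is the fail-closed behaviour you want for an origin that is supposed to be reachable only through the CDN.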