Introduction#
This guide assumes the Baota panel is already deployed, so that part is not covered here.
System Requirements#
- Operating system: Linux
- Architecture: x86_64
- Software dependencies: Docker 20.10.6 or later, Docker Compose 2.0.0 or later
- Minimum environment: 1 CPU core / 1 GB RAM / 10 GB disk
Installing Leichi with Script#
Run the following command in the server terminal. The installer asks for manual confirmation twice during the process, so keep an eye on it.
bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/setup.sh)"
Note that this pipes a remote script straight into bash, and the -k flag tells curl to skip TLS certificate verification. If you prefer to audit the installer first, download setup.sh with curl -fsSL (without -k) on a host whose CA bundle is current, read it, and then run it.
Installing Leichi with Muyun Assistant#
Open Muyun Assistant and click "Bind Host".
Pick the option matching your server's location, then click "Copy".
Wait about a minute, refresh the page, and click the hostname.
Click "App Market", find Leichi, and click "Install".
If any step is unclear, there is a video tutorial on Bilibili you can follow.
Configuring Dynamic Password#
Follow the on-screen instructions: scan the QR code with any authenticator app that supports TOTP (Microsoft Authenticator and Tencent Authenticator both work), then enter the dynamic password it shows to log in. Treat the QR code as a secret: anyone who scans it can generate the same codes.
Unable to Log In#
TOTP codes are derived from the current time, so if the server clock drifts by more than a time step or so (typically 30 seconds) the code from your phone is rejected even though it is correct. Compare the output of date -u with your phone's clock first; if they differ, re-sync the server clock with ntpdate. The following steps need root privileges.
- Open a terminal and log in as root (or prefix the commands with sudo).
- Install ntpdate if it is not already present (Debian/Ubuntu):
sudo apt-get install ntpdate
- Sync the clock:
sudo ntpdate time.nist.gov
This sets the system time from the time.nist.gov server; any other reachable NTP server can be substituted.
- Afterwards the system time matches the reference and the dynamic password should be accepted again.
How long the sync takes depends on network latency and the server you chose. A one-off ntpdate run only corrects the clock once; to keep it accurate, enable a time-sync service (for example timedatectl set-ntp true on systemd systems, or chrony) rather than repeating the manual step.
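To make the clock-drift failure concrete, here is an added example (not code from the original post or from Leichi) implementing RFC 6238 TOTP and checking a phone-generated code against a server whose clock is off by various amounts. The key is the RFC 6238 test key, the timestamps are constructed, and the ±1-step acceptance window is an assumption about how the login page verifies codes.

```python
"""RFC 6238 TOTP, used to show why a skewed server clock rejects valid codes."""
import base64
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (the common default)
DIGITS = 6   # code length shown by authenticator apps


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code an authenticator app shows at Unix time `at` according to its own clock."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, server_now: int, window: int = 1,
                step: int = STEP, digits: int = DIGITS) -> bool:
    """Accept `code` if it matches the current step or one within +/-`window` steps
    of the *server's* clock. window=1 tolerates roughly +/-30 s of drift (assumed policy)."""
    base = server_now // step
    return any(
        hmac.compare_digest(hotp(key, base + k, digits), code)
        for k in range(-window, window + 1)
    )


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 seed embedded in the enrollment QR code (padding is often omitted)."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def skew_demo(key: bytes, phone_now: int, server_skew_seconds: int) -> bool:
    """Phone clock is correct; server clock is off by `server_skew_seconds`.
    Returns whether the login would succeed."""
    code = totp(key, phone_now)
    return verify_totp(key, code, phone_now + server_skew_seconds)


if __name__ == "__main__":
    # RFC 6238 Appendix B test key (ASCII "12345678901234567890"); a constructed example, not a real seed.
    key = b"12345678901234567890"
    t = 1111111109  # one of the RFC's sample timestamps
    print("code on the phone now:", totp(key, t))
    for skew in (0, -30, -60, -300):
        print(f"server clock off by {skew:5d}s -> login ok: {skew_demo(key, t, skew)}")
```

With the server 30 s behind, the code still lands inside the one-step window; at 60 s or 5 minutes behind, every code the phone produces is rejected, which is exactly the "unable to log in" symptom.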
Modifying Configuration#
Open the Baota panel and click on "Settings".
Pitfall: if you run Typecho, configure SSL on the origin site as well, otherwise you will not be able to log in. Then free ports 80 and 443 for the WAF. If the origin site has no SSL, open its configuration file and change the listening port 80 to 8080 (or another unused port); if it has SSL, change 443 to 8443 (or another unused port). The WAF will listen on 80/443 and forward traffic to the port you chose.
Deploying WAF Reverse Proxy#
Open the Leichi console, click "Protection Site", and add a site.
Enter the domain name, the certificate, and the other requested details such as the origin port you chose above. If you do not have a certificate yet, apply for one first.
IP Exposure and Malicious Resolution#
If searching for your blog/CMS name on a search engine turns up domains you do not own, someone has probably pointed their domain at your server (malicious resolution). The countermeasure is to create a site in the WAF whose domain is your public IP, listening on port 443 with a self-signed SSL certificate. Its origin can point anywhere harmless, for example 127.0.0.1:80, which serves the default Baota page, so requests addressed to the bare IP land on that decoy instead of the blog.
IP Exposure and Cache Issues#
Attention: if your blog uses a caching plugin, clear the cache, open HTTPS://IP to refresh it, and then open your domain name. If the page renders correctly, skip this step. If it renders incorrectly and CSS and other assets fail to load, the cache was probably populated by a bot that reached the site via the bare IP, so the cached pages reference the wrong host. The fix is the same as for malicious resolution above: create a site with your public IP on port 443 with a self-signed SSL certificate, and point its origin somewhere harmless such as 127.0.0.1:80, which serves the default Baota page.
Configuring User-Agent Whitelist#
Open the Leichi WAF and click "Add a Whitelist". The idea is to give your own browser a custom User-Agent and whitelist that string so your own traffic is never blocked while you edit the site. Keep in mind that a User-Agent is a plaintext header: anyone who learns the string can send it and bypass the WAF, so use an unguessable value and prefer the IP whitelist below where your address is stable. If you are unsure how to set the UA, refer to the following:
Configuring Mobile Browser User-Agent#
The Via browser is used as the example here; on iOS, Alook works the same way. Go to "Settings" - "General" - "Browser Identity", tap the plus sign, and enter the UA you want, such as IKUN.
Configuring Desktop Browser User-Agent#
Install a user-agent switcher plugin in your browser.
Then enter your chosen User-Agent. It is best to apply it only to your blog's domain so it is sent every time you open the site; applying it to "all" sites is not recommended.
Configuring IP Whitelist#
Configure this, or at least the UA whitelist above; otherwise your own requests while editing the site are easily misjudged as attacks.
You can find your public IP on any of the following sites:
ip.skk.moe
ip138.com
ip.sb
Select "Fuzzy Match" in the configuration. For example, if your IP is 114.114.114.114, you can enter 114.114.114.* or 114.114.*.*. Keep the pattern as narrow as your connection allows: 114.114.114.* admits 256 addresses and 114.114.*.* admits 65,536, and every one of them skips the WAF.
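To see how much a fuzzy pattern lets through, here is an added example (not code from the original post or from Leichi) that turns a trailing-wildcard pattern like 114.114.*.* into a CIDR block, tests an address against it, and counts the addresses it admits. It assumes that "Fuzzy Match" means a prefix wildcard in this form; patterns with a wildcard in the middle do not map to a single block and are rejected.

```python
"""Wildcard ("fuzzy match") IP patterns such as 114.114.*.* -> CIDR, match test, and size."""
import ipaddress


def wildcard_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Convert a dotted pattern whose trailing octets are '*' into one IPv4 network.
    Only trailing wildcards form a single CIDR block; anything else raises ValueError."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad pattern: {pattern!r}")
    fixed = []
    seen_star = False
    for octet in octets:
        if octet == "*":
            seen_star = True
        elif seen_star:
            raise ValueError(f"wildcards must be trailing: {pattern!r}")
        elif octet.isdigit() and 0 <= int(octet) <= 255:
            fixed.append(str(int(octet)))
        else:
            raise ValueError(f"bad octet {octet!r} in {pattern!r}")
    prefix_len = 8 * len(fixed)                      # each fixed octet pins 8 bits
    addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.IPv4Network(f"{addr}/{prefix_len}")


def matches(pattern: str, ip: str) -> bool:
    """True if `ip` falls inside the block described by `pattern`."""
    return ipaddress.IPv4Address(ip) in wildcard_to_network(pattern)


def addresses_admitted(pattern: str) -> int:
    """How many addresses a whitelist entry with this pattern lets past the WAF."""
    return wildcard_to_network(pattern).num_addresses


if __name__ == "__main__":
    # Constructed patterns based on the page's example address.
    for p in ("114.114.114.114", "114.114.114.*", "114.114.*.*", "*.*.*.*"):
        net = wildcard_to_network(p)
        print(f"{p:16s} -> {str(net):18s} admits {addresses_admitted(p):>10} addresses")
```

The last pattern is the degenerate case: *.*.*.* becomes 0.0.0.0/0 and whitelists the whole IPv4 internet, which is why the matcher also reports the size of every entry.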
Setting Human Verification for Key Directories#
If your blog/CMS or other application has visitor registration and login pages, put a human-verification challenge in front of those paths to stop bots from mass-scanning them and brute-forcing credentials.
Configuring CDN Real IP#
For most CDNs it is enough to set the real-IP header to X-Forwarded-For. Only trust that header on requests that actually come from the CDN's address ranges; any client that reaches the origin directly can send a forged X-Forwarded-For. Alibaba Cloud CDN uses a different configuration, which you can look up on Baidu.
Allowing Only CDN to Access the Origin Site#
If you are using a CDN, restrict the origin so that only the CDN's IP ranges may connect to it. Attackers who discover the origin address then cannot hit it directly, and the WAF's real-IP logic is no longer exposed to forged headers. It can also keep your bandwidth bill down when the site is under a DDoS attack (just kidding).
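The two CDN points above (take the visitor's address from X-Forwarded-For, and let only the CDN reach the origin) are the same decision seen from two sides, so here is one added example (not code from the original post or from Leichi) that implements both: it refuses any connection whose TCP peer is not a CDN node, and otherwise reads X-Forwarded-For right to left, skipping CDN hops, so that a visitor-supplied entry at the front cannot spoof the result. The CDN ranges and the sample requests are constructed from RFC 5737/3849 documentation space; a real deployment loads the provider's published IP list.

```python
"""Resolve the real client IP behind a CDN and refuse requests that bypass it."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed CDN egress ranges for this example (documentation address space).
TRUSTED_CDN = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]


def is_cdn(addr: str) -> bool:
    """True if `addr` belongs to one of the trusted CDN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_CDN)


def client_ip(peer_ip: str, xff: Optional[str]) -> Optional[str]:
    """Return the visitor's address, or None when the request must be rejected.

    peer_ip is the TCP peer the origin actually accepted; xff is the raw
    X-Forwarded-For header. Only a peer inside the CDN ranges may speak for
    someone else, and the header is read right-to-left, skipping CDN hops,
    because the left-most entries are whatever the client chose to send."""
    if not is_cdn(peer_ip):
        return None                     # direct hit on the origin: block it
    if not xff:
        return peer_ip                  # CDN connected but forwarded nothing usable
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None                 # garbage in the header: do not guess
        if not is_cdn(hop):
            return hop                  # first non-CDN address from the right
    return peer_ip                      # every listed hop was a CDN node


# Constructed sample requests: (TCP peer, X-Forwarded-For header or None).
SAMPLE_REQUESTS: List[Tuple[str, Optional[str]]] = [
    ("203.0.113.10", "198.51.100.7"),                 # normal: CDN -> origin
    ("203.0.113.10", "10.0.0.1, 198.51.100.7"),       # visitor prepended a fake entry
    ("203.0.113.10", "198.51.100.7, 203.0.113.11"),   # two CDN hops in the chain
    ("203.0.113.10", None),                           # CDN sent no header
    ("198.51.100.7", "203.0.113.5"),                  # bypassed the CDN, forged header
    ("203.0.113.10", "not-an-ip"),                    # malformed header
]


def classify(requests: List[Tuple[str, Optional[str]]]) -> List[Optional[str]]:
    """Resolve every sample request; None means the origin should reject it."""
    return [client_ip(peer, xff) for peer, xff in requests]


if __name__ == "__main__":
    for (peer, xff), result in zip(SAMPLE_REQUESTS, classify(SAMPLE_REQUESTS)):
        verdict = "REJECT" if result is None else f"client={result}"
        print(f"peer={peer:14s} xff={str(xff):32s} -> {verdict}")
```

The same rule is what the WAF's "real IP" setting relies on: if the origin accepted connections from anywhere, the second and fifth sample requests would be logged under whatever address the attacker typed into the header.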
Frequently Asked Questions#
Q: After deployment, I can't access the panel.
A: Check that the firewall allows access to the panel port.
Q: When deploying a site, it reports that the port is in use.
A: Check that every site has had its original 443 (or 80) port changed to another port, as described under "Modifying Configuration".
Q: After enabling the CDN, the panel displays incorrect data.
A: Follow the "Configuring CDN Real IP" instructions above. If that does not help, contact your CDN provider for support.