I stumbled on a batch of websites today, such as http://b6x.net/. If you open that site now, it just shows "www.logcg.com refused to connect." When I clicked on it for the first time I was stunned... had he actually copied my entire website?!
It is a series of sites on three-character domain names, all doing the same thing.
But wait, something was off. First of all, this site has a white border around the outside that my blog does not have... so this might be a reverse proxy.
If you still don't know what a reverse proxy is, see: On forward proxies, reverse proxies and transparent proxies
So I looked up the domain name: it is hosted on Alibaba Cloud, the registrant's contact details are hidden behind the registrar's privacy service, and the resolved IP address is a CDN address, which is of no use. I tried blocking it by domain name, but the site still displayed my content just fine...
In the process I noticed something else: with a reverse proxy, the domain name in the links inside the site should be rewritten by the proxy, yet on this site the links to my blog were not modified at all; they still pointed at my original domain name.
Viewing the page source revealed that this website actually consists of only one line of code:
<iframe width="100%" height="100%" frameborder="0" align="center" allowfullscreen="true" allow="autoplay" id="iframe" src="https://www.logcg.com/"></iframe>
That is, when you open this website, it loads R0uter's blog inside its own page...
Of course, this looks harmless, but it opens up a number of potential security issues; for example, he could do transparent clickjacking and so on... Besides, I have no idea who the owner of this domain is. To prevent it, the nginx configuration needs to send an extra HTTP header: add_header X-Frame-Options "SAMEORIGIN";
You have other options, of course: DENY rejects all embedding in other web pages; SAMEORIGIN is the convenient choice when you want to embed your own pages, since anything from the same origin is allowed and nobody else is; ALLOW-FROM URI is a basic whitelist: whoever you write there can embed the page without being rejected.
Here we use SAMEORIGIN. Put add_header X-Frame-Options "SAMEORIGIN"; in your server configuration and restart the service.
For example, after the change my configuration has these three headers:
add_header Strict-Transport-Security max-age=15768000;
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options "SAMEORIGIN";
Then refresh http://b6x.net/ and it is already blank.
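As an added example (not code from the original post), the following Python script checks offline whether a given set of response headers would still let a third-party page like the one above frame your site. It goes a little beyond the post: besides X-Frame-Options it also evaluates the Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options, and it treats ALLOW-FROM as offering no protection because modern browsers discard an X-Frame-Options header carrying that value. The sample headers, URLs and function names are constructed for illustration.

```python
"""Offline check: would these response headers let another origin frame the page?

Added example, not from the original post. Sample headers below are constructed.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """Return the scheme://host[:port] origin of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(headers, page_url, framer_url):
    """Decide whether framer_url may embed page_url, given page_url's headers.

    Returns (allowed, reason). Header names are matched case-insensitively.
    Rules, modelled on current browser behaviour:
      * A CSP frame-ancestors directive, when present, takes precedence over
        X-Frame-Options.
      * X-Frame-Options DENY blocks everyone; SAMEORIGIN allows only the same
        origin; ALLOW-FROM is obsolete and browsers ignore the whole header,
        so it offers no protection.
      * With neither header, framing is allowed (the post's original state).
    Wildcard hosts such as *.example.com in frame-ancestors are not handled.
    """
    h = {name.lower(): value for name, value in headers.items()}
    page_origin = origin_of(page_url)
    framer_origin = origin_of(framer_url)
    framer_host = urlsplit(framer_url).netloc.lower()

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in tokens[1:]]
        if "'none'" in sources:
            return False, "CSP frame-ancestors 'none' blocks all framing"
        if "'self'" in sources and framer_origin == page_origin:
            return True, "CSP frame-ancestors 'self' allows same-origin framing"
        if "*" in sources or framer_origin in sources or framer_host in sources:
            return True, "CSP frame-ancestors lists the framing origin"
        return False, "CSP frame-ancestors does not list the framing origin"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options DENY blocks all framing"
    if xfo == "SAMEORIGIN":
        if framer_origin == page_origin:
            return True, "X-Frame-Options SAMEORIGIN allows same-origin framing"
        return False, "X-Frame-Options SAMEORIGIN blocks cross-origin framing"
    if xfo.startswith("ALLOW-FROM"):
        return True, "X-Frame-Options ALLOW-FROM is obsolete; browsers ignore the header"
    return True, "no framing restriction header present"


# Constructed scenarios: the blog before and after the nginx change in the post.
PAGE = "https://www.logcg.com/"
FRAMER = "http://b6x.net/"

BEFORE = {"Content-Type": "text/html"}
AFTER = {
    "Strict-Transport-Security": "max-age=15768000",
    "Access-Control-Allow-Origin": "*",
    "X-Frame-Options": "SAMEORIGIN",
}


def audit(headers, page_url=PAGE, framer_url=FRAMER):
    """Convenience wrapper returning just the boolean for a header set."""
    allowed, _ = framing_allowed(headers, page_url, framer_url)
    return allowed


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        allowed, reason = framing_allowed(hdrs, PAGE, FRAMER)
        print(f"{label}: framable by {FRAMER}? {allowed} ({reason})")
```

Feed it the headers you see in your browser's network panel (or from curl -I) for your own site; if it reports "no framing restriction header present", the iframe trick in the post still works against you, and if you rely on ALLOW-FROM, current browsers will not enforce it.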
- Site check found clickjacking: X-Frame-Options not configured, and how to fix it
- Secure Nginx from Clickjacking with X-FRAME-OPTIONS
When reproducing this post, please keep the source attribution and link: https://www.logcg.com/archives/3507.html