- A+
背景
APP站外分享到微信,由于内容包含诱导信息,遭遇微信系统自动检测,或者用户恶意举报,导致页面被封禁。网站一旦被封禁,按照正常渠道申诉,估计也要1-2个月的时间,严重影响用户体验。
防封方案
分享的页面用一个域名(分享页 Host A),用户点击zsdk(微信分享图片和描述),跳转到第二个域名(落地页 Host B)。Host A准备几个备案的域名(封禁几率小),不要加入到Host B组里。Host B购买一大堆域名,不需要进行备案。Host A直接解析到国内网站,Host B解析到海外,反向代理到国内。
注意事项
1、APP分享页域名不能写死,需要去后台调用接口,后台程序定期检测Host A,如果域名被封禁,就替换未封禁的域名。
2、Host B的域名通过脚本检测,被封几率大,一旦封禁,替换其他域名。
3、国外服务器建议购买香港地区,不需要备案,国内访问速度快,美国的距离远,速度慢。
Host B 反向代理配置
proxy_set_header 需要修改 Host为国内网站域名;
proxy_pass 反向代理到阿里云SLB
[root@h5-proxy conf.d]# cat h5proxy.conf
server {
listen 80;
server_name hostb1.h5.com hostb2.h5.com hostb3.h5.com;
location / {
proxy_pass_header Server;
#proxy_set_header Host $http_host;
proxy_set_header Host www.test.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass https://192.168.1.1;
}
access_log /var/log/h5.log main;
}
分享页(Host A) ingress配置
判断User-Agent是来自微信的,跳转到Host B,其他客户端请求不做处理。
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/server-snippet: |
if ($http_user_agent ~ 'MicroMessenger') {
rewrite ^/(.*) http://hostb.h5.com/$1 permanent;
}
nginx.ingress.kubernetes.io/service-weight: ""
creationTimestamp: 2019-06-18T11:38:29Z
generation: 8
name: share-h5
namespace: rc
spec:
rules:
- host: test.show.com
http:
paths:
- backend:
serviceName: fgateway
servicePort: 80
path: /
- host: test.show.com
http:
paths:
- backend:
serviceName: show-pay
servicePort: 80
path: /h8
- host: test.show.com
http:
paths:
- backend:
serviceName: show-h5
servicePort: 80
path: /h5
- host: test.show.com
http:
paths:
- backend:
serviceName: show-h5
落地页(Host B) ingress配置
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: share-b namespace: rc spec: rules: - host: hostb.test.com http: paths: - backend: serviceName: show-h5 servicePort: 80 path: /h5 - host: hostb.test.com http: paths: - backend: serviceName: show-h5 servicePort: 80 path: /special - host: hostb.test.com http: paths: - backend: serviceName: fpay servicePort: 80 path: /h8 - host: hostb.test.com http: paths: - backend: serviceName: fgateway servicePort: 80 path: /
落地页(Host B) 防封检测脚本
检测rewrite的域名,如果封禁替换
[root@master-01 ~]# cat /data/scripts/SCM.sh
#!/bin/bash
namespace="xjs"
list_url=`cat /data/scripts/scm.txt`
use_url=`grep rewrite /root/h5.ingress|awk -F '/' '{print $4}'`
Tigger(){
for url in $list_url
do
curl -s http://www.payss.net/cha?url=http://$url |grep '"status":1'
if [ $? -eq 0 ];then
sed -i "s/${use_url}/$url/g" /root/h5.ingress
/usr/bin/kubectl apply -f /root/h5.ingress
echo $(date +%Y-%m-%d_%H:%M:%S) "${use_url} 被替换成 $url" >>/var/log/scm.log
break
else
echo $(date +%Y-%m-%d_%H:%M:%S) "$url is down">>/var/log/scm.log
fi
done
}
curl -s http://www.payss.net/cha?url=http://${use_url} |grep '"status":1'
if [ $? -ne 0 ];then
Tigger
else
echo "OK"
fi
sleep 3
添加定时任务,每十分钟执行一次脚本
*/10 * * * * /data/scripts/SCM.sh 2&1>/null
