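Background
When content is shared from the app to WeChat, pages that contain inducement content are either caught by WeChat's automated detection or maliciously reported by users, and the page gets blocked. Once a site is blocked, an appeal through the normal channel takes an estimated 1-2 months, which seriously affects user experience.
Anti-blocking scheme
The shared page uses one domain (share page, Host A). When the user taps zsdk (the WeChat share image and description), they are redirected to a second domain (landing page, Host B). Prepare a few ICP-registered domains for Host A (lower chance of being blocked) and do not add them to the Host B group. Buy a large batch of domains for Host B; these do not need ICP registration. Host A resolves directly to the site in mainland China; Host B resolves to an overseas server, which reverse-proxies back to the mainland site.
Notes
1. The app's share-page domain must not be hard-coded; the app has to fetch it from a backend API. A backend job checks Host A periodically, and if the domain is blocked, it is replaced with one that is not.
2. Host B domains are checked by a script. They are more likely to be blocked; once one is blocked, replace it with another domain.
3. For the overseas server, the Hong Kong region is recommended: no ICP registration is required and access from mainland China is fast. US servers are far away and slow.
Host B reverse proxy configuration
proxy_set_header must set Host to the domain of the mainland site;
proxy_pass reverse-proxies to the Alibaba Cloud SLB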

    [root@h5-proxy conf.d]# cat h5proxy.conf
    server {
        listen 80;
        server_name hostb1.h5.com hostb2.h5.com hostb3.h5.com;

        location / {
            proxy_pass_header Server;
            #proxy_set_header Host $http_host;
            # Send the mainland site's domain as Host instead of the Host B domain
            proxy_set_header Host www.test.com;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            # Upstream is the Alibaba Cloud SLB
            proxy_pass https://192.168.1.1;
        }
        access_log /var/log/h5.log main;
    }

Share page (Host A) ingress configuration
If the User-Agent identifies the client as WeChat, redirect to Host B; requests from other clients are left untouched.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/use-regex: "true"
        nginx.ingress.kubernetes.io/server-snippet: |
          if ($http_user_agent ~ 'MicroMessenger') {
            rewrite ^/(.*) http://hostb.h5.com/$1 permanent;
          }
        nginx.ingress.kubernetes.io/service-weight: ""
      creationTimestamp: 2019-06-18T11:38:29Z
      generation: 8
      name: share-h5
      namespace: rc
    spec:
      rules:
      - host: test.show.com
        http:
          paths:
          - backend:
              serviceName: fgateway
              servicePort: 80
            path: /
      - host: test.show.com
        http:
          paths:
          - backend:
              serviceName: show-pay
              servicePort: 80
            path: /h8
      - host: test.show.com
        http:
          paths:
          - backend:
              serviceName: show-h5
              servicePort: 80
            path: /h5
      - host: test.show.com
        http:
          paths:
          - backend:
              serviceName: show-h5

Landing page (Host B) ingress configuration

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: share-b
      namespace: rc
    spec:
      rules:
      - host: hostb.test.com
        http:
          paths:
          - backend:
              serviceName: show-h5
              servicePort: 80
            path: /h5
      - host: hostb.test.com
        http:
          paths:
          - backend:
              serviceName: show-h5
              servicePort: 80
            path: /special
      - host: hostb.test.com
        http:
          paths:
          - backend:
              serviceName: fpay
              servicePort: 80
            path: /h8
      - host: hostb.test.com
        http:
          paths:
          - backend:
              serviceName: fgateway
              servicePort: 80
            path: /

Landing page (Host B) anti-blocking check script
Check the domain used in the rewrite rule; if it is blocked, replace it.

    [root@master-01 ~]# cat /data/scripts/SCM.sh
    #!/bin/bash
    namespace="xjs"
    list_url=`cat /data/scripts/scm.txt`
    use_url=`grep rewrite /root/h5.ingress|awk -F '/' '{print $4}'`
    Tigger(){
      for url in $list_url
      do
        curl -s http://www.payss.net/cha?url=http://$url |grep '"status":1'
        if [ $? -eq 0 ];then
          sed -i "s/${use_url}/$url/g" /root/h5.ingress
          /usr/bin/kubectl apply -f /root/h5.ingress
          echo $(date +%Y-%m-%d_%H:%M:%S) "${use_url} 被替换成 $url" >>/var/log/scm.log
          break
        else
          echo $(date +%Y-%m-%d_%H:%M:%S) "$url is down">>/var/log/scm.log
        fi
      done
    }
    curl -s http://www.payss.net/cha?url=http://${use_url} |grep '"status":1'
    if [ $? -ne 0 ];then
      Tigger
    else
      echo "OK"
    fi
    sleep 3

Add a cron job that runs the script every ten minutes

    */10 * * * * /data/scripts/SCM.sh >/dev/null 2>&1