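Some third-party domains on Freeshell and blog that are not ICP-registered have attracted attention, so we have now pointed proxy.freeshell.ustc.edu.cn and p.blog.ustc.edu.cn, via CNAME, at an overseas reverse proxy server, revproxy-sg.ustclug.org. That overseas server reverse-proxies back to USTC. This change does not affect normal access, though it may add some response latency and reduce download speed somewhat. If you have trouble accessing a site, please contact us: lug AT ustc.edu.cn.
8 comments on "Freeshell/Blog: custom domains that are not ICP-registered now resolve overseas"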
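This doesn't seem to be of much use; a third-party domain only needs an A record pointing to 202.38.95.147. You may also need to modify the relevant nginx configuration on the blog/freeshell hosts and move the reverse proxy server for third-party domains overseas.
Also, ever since servers.ustclug.org was resolved overseas, the connection has been unstable, and it takes several refreshes before the page displays properly.
Querying servers.ustclug.org through China Telecom's 114.114.114.114 returns CNAME -> p.blog.ustc.edu.cn -> revproxy-sg.ustclug.org: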
revproxy-sg.ustclug.org. 600 IN AAAA 2400:6180:0:d0::27b:2001
revproxy-sg.ustclug.org. 600 IN A 128.199.232.134
ustclug.org. 600 IN NS dns.lug.ustc.edu.cn.
ustclug.org. 600 IN NS dns-m.lug.ustc.edu.cn.
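The A record's IP, 128.199.232.134, is in the UK.
Querying with the LUG DNS gives the same result.
Test results on a China Telecom network (no IPv6 address or tunnel configured):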
swp@swp-server: ~$ curl -vv https://servers.ustclug.org
* Rebuilt URL to: https://servers.ustclug.org/
* Hostname was NOT found in DNS cache
* Trying 128.199.232.134…
* Trying 2400:6180:0:d0::27b:2001…
* Immediate connect fail for 2400:6180:0:d0::27b:2001: 网络不可达
* Connected to servers.ustclug.org (128.199.232.134) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Operation timed out after 1 milliseconds with 0 out of 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 1 milliseconds with 0 out of 0 bytes received
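It looks like the G·F·W is intercepting the certificate. Port 80 is likewise unreachable, but the G·F·W has basically blocked all port 80 traffic; the provincial backbone routers kill HTTP even to domestic IPs that are not ICP-registered, whether or not there is a domain name.
ping results (100 pings):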
1 swp@swp-server: ~$ ping servers.ustclug.org -c 100
PING revproxy-sg.ustclug.org (128.199.232.134) 56(84) bytes of data.
64 bytes from revproxy-sg.ustclug.org (128.199.232.134): icmp_seq=1 ttl=128 time=120 ms
64 bytes from revproxy-sg.ustclug.org (128.199.232.134): icmp_seq=3 ttl=128 time=121 ms
……
64 bytes from revproxy-sg.ustclug.org (128.199.232.134): icmp_seq=98 ttl=128 time=114 ms
64 bytes from revproxy-sg.ustclug.org (128.199.232.134): icmp_seq=100 ttl=128 time=169 ms
--- revproxy-sg.ustclug.org ping statistics ---
100 packets transmitted, 69 received, 31% packet loss, time 99216ms
rtt min/avg/max/mdev = 105.494/121.064/206.846/18.125 ms
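128.199.232.134 is in DigitalOcean's Singapore data center.
If China Telecom had blocked port 80 on all overseas hosts, that would be insane; you couldn't even reach microsoft.com? Access to servers.ustclug.org from the campus network is normal, and the DNSPod monitoring service also reports normal access.
Within a province, port 80 on an IP that is not ICP-registered is reachable from the same carrier in the same province; across provinces or across carriers (China Telecom, China Unicom) it is not. Port 443 is reachable.
I'm not sure about international IPs.
Many domains that resolve to USTC are not ICP-registered, yet they are reachable from everywhere. Could it be that the port 80 registration check is done in the provincial backbone close to the server side, and USTC's uplink is handled specially?
The servers.ustclug.org domain is hard to reach; please change it back to servers.blog.ustc.edu.cn.
Ping works, but curl to both 80 and 443 gets RESET!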
^_^ swp@swp-server: /var/log/nginx$ curl -vv servers.ustclug.org
* Rebuilt URL to: servers.ustclug.org/
* Hostname was NOT found in DNS cache
* Trying 128.199.232.134...
* connect to 128.199.232.134 port 80 failed: 拒绝连接
* Trying 2400:6180:0:d0::27b:2001...
* Immediate connect fail for 2400:6180:0:d0::27b:2001: 网络不可达
* Failed to connect to servers.ustclug.org port 80: 拒绝连接
* Closing connection 0
curl: (7) Failed to connect to servers.ustclug.org port 80: 拒绝连接
1 swp@swp-server: /var/log/nginx$ curl -vv https://servers.ustclug.org
* Rebuilt URL to: https://servers.ustclug.org/
* Hostname was NOT found in DNS cache
* Trying 128.199.232.134...
* connect to 128.199.232.134 port 443 failed: 拒绝连接
* Trying 2400:6180:0:d0::27b:2001...
* Immediate connect fail for 2400:6180:0:d0::27b:2001: 网络不可达
* Failed to connect to servers.ustclug.org port 443: 拒绝连接
* Closing connection 0
curl: (7) Failed to connect to servers.ustclug.org port 443: 拒绝连接