
Domain Fronting



Preparation

Install the required components on the VPS:

apt-get install nginx apache2 python3-certbot-apache

Edit the Apache configuration file, then confirm with the following command that a VHOST is configured on port 80:

apachectl -t -D DUMP_VHOSTS


Use certbot to request a Let's Encrypt certificate:

certbot certonly -d <domain> --apache --register-unsafely-without-email --agree-tos
root@ts:/etc/apache2/sites-available# certbot certonly -d azuresky.live --apache --register-unsafely-without-email --agree-to
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for azuresky.live
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/azuresky.live/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/azuresky.live/privkey.pem
   Your cert will expire on 2023-12-31. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Domain Fronting Theory




Implementing Domain Fronting with Azure CDN


Register-AzResourceProvider -ProviderNamespace Microsoft.Cdn



ajax.microsoft.com
ajax.aspnetcdn.com
do.skype.com
msdn.microsoft.com
az416426.vo.msecnd.net
officeimg.vo.msecnd.net


Edit /etc/nginx/nginx.conf, adding the URIs from the profile and setting up User-Agent based filtering:


    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name localhost;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        ssl_certificate /etc/letsencrypt/live/azuresky.live/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/azuresky.live/privkey.pem;

        # Only the URIs taken from the profile are forwarded; dots are escaped so the regex matches literally
        location ~ ^/(index\.html|content\.php|api/azure|static/index\.html|jquery-3\.3\.1\.slim\.min\.js|jquery-3\.3\.2\.slim\.min\.js|jquery-3\.3\.1\.min\.js|jquery-3\.3\.2\.min\.js) {
            # Requests without the expected User-Agent are rejected
            if ($http_user_agent != "dlerinfra") {
                return 403;
            }
            proxy_pass https://localhost:10443;
        }
    }
}   # closes the enclosing http { } block already present in nginx.conf

Looking at the Beacon's network traffic in ProcessHacker, we found the Beacon communicating with IPs such as 152.199.4.33, 72.21.81.200, 13.107.213.36 and 72.21.81.200.


These IPs in fact belong to the Microsoft domains that support domain fronting, so the traffic is hidden behind them.
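From the defender's side, the give-away of the setup above is that the TLS SNI names a trusted Microsoft host while the inner HTTP Host header names the CDN endpoint that actually reaches the team server. The check below is an added example, not code from the original post: it assumes a TLS-inspecting proxy that logs both the SNI and the decrypted Host header, and the log layout, every sample line and the hostname fronted-endpoint.example are constructed for this example.

```python
"""Flag HTTPS flows whose TLS SNI disagrees with the HTTP Host header, the
signature of domain fronting. Added example with a constructed log layout:
<unix_ts> <src_ip> <dst_ip> <tls_sni> <http_host> <uri> <user_agent...>
The User-Agent is last so it may contain spaces."""
from dataclasses import dataclass
from typing import List

# Constructed sample log; fronted-endpoint.example stands in for the real CDN endpoint name.
SAMPLE_LOG = """\
1700000000 10.0.0.5 152.199.4.33 ajax.microsoft.com ajax.microsoft.com /jquery-3.3.1.min.js Mozilla/5.0 (Windows NT 10.0)
1700000001 10.0.0.5 152.199.4.33 ajax.microsoft.com fronted-endpoint.example /api/azure dlerinfra
1700000002 10.0.0.7 13.107.213.36 officeimg.vo.msecnd.net officeimg.vo.msecnd.net /static/index.html Mozilla/5.0 (Windows NT 10.0)
1700000003 10.0.0.5 72.21.81.200 do.skype.com fronted-endpoint.example /content.php dlerinfra
1700000004 10.0.0.9 72.21.81.200 msdn.microsoft.com MSDN.microsoft.com:443 /index.html Mozilla/5.0 (Windows NT 10.0)
"""


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    sni: str
    host: str
    uri: str
    user_agent: str


def normalize_host(name: str) -> str:
    """Lower-case and drop an explicit port so 'MSDN.microsoft.com:443' equals SNI 'msdn.microsoft.com'."""
    return name.strip().lower().split(":")[0]


def parse_log(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # the seventh field keeps the rest of the line (User-Agent)
        if len(parts) != 7:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, src, dst, sni, host, uri, ua = parts
        flows.append(Flow(int(ts), src, dst, sni, host, uri, ua))
    return flows


def is_fronted(flow: Flow) -> bool:
    """True when SNI and Host both exist and name different hosts."""
    sni, host = normalize_host(flow.sni), normalize_host(flow.host)
    return bool(sni) and bool(host) and sni != host


def find_fronted_flows(text: str) -> List[Flow]:
    return [f for f in parse_log(text) if is_fronted(f)]


if __name__ == "__main__":
    for f in find_fronted_flows(SAMPLE_LOG):
        print(f"ALERT fronting {f.src} -> {f.dst} sni={f.sni} host={f.host} uri={f.uri} ua={f.user_agent}")
```

A mismatch is not proof on its own (some legitimate services answer for several hostnames behind one certificate), so treat the hit as a lead to correlate with the rare User-Agent and the destination CDN ranges seen above rather than as an automatic block.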
