+ DNS: "port_dns_over_quic" setting
This commit is contained in:
parent
07b6cc24b7
commit
d53e32259a
|
@ -743,6 +743,7 @@ Response:
|
||||||
"server_name":"...",
|
"server_name":"...",
|
||||||
"port_https":443,
|
"port_https":443,
|
||||||
"port_dns_over_tls":853,
|
"port_dns_over_tls":853,
|
||||||
|
"port_dns_over_quic":784,
|
||||||
"certificate_chain":"...",
|
"certificate_chain":"...",
|
||||||
"private_key":"...",
|
"private_key":"...",
|
||||||
"certificate_path":"...",
|
"certificate_path":"...",
|
||||||
|
@ -774,6 +775,7 @@ Request:
|
||||||
"force_https":false,
|
"force_https":false,
|
||||||
"port_https":443,
|
"port_https":443,
|
||||||
"port_dns_over_tls":853,
|
"port_dns_over_tls":853,
|
||||||
|
"port_dns_over_quic":784,
|
||||||
"certificate_chain":"...",
|
"certificate_chain":"...",
|
||||||
"private_key":"...",
|
"private_key":"...",
|
||||||
"certificate_path":"...", // if set, certificate_chain must be empty
|
"certificate_path":"...", // if set, certificate_chain must be empty
|
||||||
|
|
|
@ -92,6 +92,7 @@ type FilteringConfig struct {
|
||||||
// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
|
// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
|
||||||
type TLSConfig struct {
|
type TLSConfig struct {
|
||||||
TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"`
|
TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"`
|
||||||
|
QUICListenAddr *net.UDPAddr `yaml:"-" json:"-"`
|
||||||
StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate
|
StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate
|
||||||
|
|
||||||
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
|
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
|
||||||
|
@ -153,6 +154,10 @@ func (s *Server) createProxyConfig() (proxy.Config, error) {
|
||||||
MaxGoroutines: int(s.conf.MaxGoroutines),
|
MaxGoroutines: int(s.conf.MaxGoroutines),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if s.conf.QUICListenAddr != nil {
|
||||||
|
proxyConfig.QUICListenAddr = []*net.UDPAddr{s.conf.QUICListenAddr}
|
||||||
|
}
|
||||||
|
|
||||||
if s.conf.CacheSize != 0 {
|
if s.conf.CacheSize != 0 {
|
||||||
proxyConfig.CacheEnabled = true
|
proxyConfig.CacheEnabled = true
|
||||||
proxyConfig.CacheSizeBytes = int(s.conf.CacheSize)
|
proxyConfig.CacheSizeBytes = int(s.conf.CacheSize)
|
||||||
|
|
|
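Review bot: The doc comment on `TLSConfig` in the first hunk still lists HTTPS, DNS-over-HTTPS and DNS-over-TLS even though the struct now also carries the DNS-over-QUIC listener address, and the new `QUICListenAddr` field is the only one in view without a trailing comment. Suggested: `// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC` on the type, and on the field `// QUICListenAddr is the address of the DNS-over-QUIC listener; nil means no DoQ listener is configured`, which matches the `!= nil` guard added in `createProxyConfig` in the second hunk. The struct definition and `createProxyConfig` both continue past the ends of their hunks.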
@ -270,7 +270,7 @@ func ValidateUpstreams(upstreams []string) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
var protocols = []string{"tls://", "https://", "tcp://", "sdns://"}
|
var protocols = []string{"tls://", "https://", "tcp://", "sdns://", "quic://"}
|
||||||
|
|
||||||
func validateUpstream(u string) (bool, error) {
|
func validateUpstream(u string) (bool, error) {
|
||||||
// Check if user tries to specify upstream for domain
|
// Check if user tries to specify upstream for domain
|
||||||
|
|
|
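Review bot: Adding `"quic://"` to `protocols` makes `validateUpstream` accept a scheme whose actual resolution happens outside this hunk, in the upstream library, so a configuration that passes validation could still fail at proxy start-up if the parser in the dependency version this build uses does not recognize the scheme; I cannot confirm that from here, so it is worth checking. A `quic://` case in the upstream validation tests would pin the accepted scheme list as part of this change. The body of `validateUpstream` runs past the end of the hunk.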
@ -97,6 +97,7 @@ type tlsConfigSettings struct {
|
||||||
ForceHTTPS bool `yaml:"force_https" json:"force_https,omitempty"` // ForceHTTPS: if true, forces HTTP->HTTPS redirect
|
ForceHTTPS bool `yaml:"force_https" json:"force_https,omitempty"` // ForceHTTPS: if true, forces HTTP->HTTPS redirect
|
||||||
PortHTTPS int `yaml:"port_https" json:"port_https,omitempty"` // HTTPS port. If 0, HTTPS will be disabled
|
PortHTTPS int `yaml:"port_https" json:"port_https,omitempty"` // HTTPS port. If 0, HTTPS will be disabled
|
||||||
PortDNSOverTLS int `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"` // DNS-over-TLS port. If 0, DOT will be disabled
|
PortDNSOverTLS int `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"` // DNS-over-TLS port. If 0, DOT will be disabled
|
||||||
|
PortDNSOverQUIC uint16 `yaml:"port_dns_over_quic" json:"port_dns_over_quic,omitempty"` // DNS-over-QUIC port. If 0, DoQ will be disabled
|
||||||
|
|
||||||
// Allow DOH queries via unencrypted HTTP (e.g. for reverse proxying)
|
// Allow DOH queries via unencrypted HTTP (e.g. for reverse proxying)
|
||||||
AllowUnencryptedDOH bool `yaml:"allow_unencrypted_doh" json:"allow_unencrypted_doh"`
|
AllowUnencryptedDOH bool `yaml:"allow_unencrypted_doh" json:"allow_unencrypted_doh"`
|
||||||
|
@ -126,6 +127,7 @@ var config = configuration{
|
||||||
TLS: tlsConfigSettings{
|
TLS: tlsConfigSettings{
|
||||||
PortHTTPS: 443,
|
PortHTTPS: 443,
|
||||||
PortDNSOverTLS: 853, // needs to be passed through to dnsproxy
|
PortDNSOverTLS: 853, // needs to be passed through to dnsproxy
|
||||||
|
PortDNSOverQUIC: 784,
|
||||||
},
|
},
|
||||||
logSettings: logSettings{
|
logSettings: logSettings{
|
||||||
LogCompress: false,
|
LogCompress: false,
|
||||||
|
|
|
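Review bot: `PortDNSOverQUIC` is declared `uint16` while `PortHTTPS` and `PortDNSOverTLS` on the adjacent lines are `int`, which is why `home/dns.go` in this commit has to write `int(tlsConf.PortDNSOverQUIC)` and why the JSON decoder will reject a negative or out-of-range `port_dns_over_quic` while accepting the same input for the other two ports. Either type is defensible, but the three settings should follow one convention: `uint16` for all three would enforce the port range uniformly at the cost of touching the existing fields and their callers, otherwise `int` keeps the new field consistent with its neighbours and with the `format: int32` the OpenAPI schema in this commit gives it. The field comment spells it `DoQ` while the OpenAPI description says `DOQ`; one spelling would be tidier.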
@ -99,7 +99,9 @@ func getVersionResp(info update.VersionInfo) []byte {
|
||||||
Context.tls.WriteDiskConfig(&tlsConf)
|
Context.tls.WriteDiskConfig(&tlsConf)
|
||||||
|
|
||||||
if runtime.GOOS != "windows" &&
|
if runtime.GOOS != "windows" &&
|
||||||
((tlsConf.Enabled && (tlsConf.PortHTTPS < 1024 || tlsConf.PortDNSOverTLS < 1024)) ||
|
((tlsConf.Enabled && (tlsConf.PortHTTPS < 1024 ||
|
||||||
|
tlsConf.PortDNSOverTLS < 1024 ||
|
||||||
|
tlsConf.PortDNSOverQUIC < 1024)) ||
|
||||||
config.BindPort < 1024 ||
|
config.BindPort < 1024 ||
|
||||||
config.DNS.Port < 1024) {
|
config.DNS.Port < 1024) {
|
||||||
// On UNIX, if we're running under a regular user,
|
// On UNIX, if we're running under a regular user,
|
||||||
|
|
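Review bot: The new `tlsConf.PortDNSOverQUIC < 1024` term is true when the port is 0, which per the field's own comment means DoQ is disabled, so a disabled DoQ listener still satisfies the low-port condition whenever TLS is enabled; the existing `PortDNSOverTLS < 1024` term has the same property, so this extends an existing quirk rather than introducing it. Consider `(tlsConf.PortDNSOverQUIC != 0 && tlsConf.PortDNSOverQUIC < 1024)`, and the same guard for DoT, so only ports that will actually be bound are considered. What the branch does beyond the comment on its first line is outside the hunk.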
13
home/dns.go
13
home/dns.go
|
@ -172,12 +172,20 @@ func generateServerConfig() dnsforward.ServerConfig {
|
||||||
Context.tls.WriteDiskConfig(&tlsConf)
|
Context.tls.WriteDiskConfig(&tlsConf)
|
||||||
if tlsConf.Enabled {
|
if tlsConf.Enabled {
|
||||||
newconfig.TLSConfig = tlsConf.TLSConfig
|
newconfig.TLSConfig = tlsConf.TLSConfig
|
||||||
|
|
||||||
if tlsConf.PortDNSOverTLS != 0 {
|
if tlsConf.PortDNSOverTLS != 0 {
|
||||||
newconfig.TLSListenAddr = &net.TCPAddr{
|
newconfig.TLSListenAddr = &net.TCPAddr{
|
||||||
IP: net.ParseIP(config.DNS.BindHost),
|
IP: net.ParseIP(config.DNS.BindHost),
|
||||||
Port: tlsConf.PortDNSOverTLS,
|
Port: tlsConf.PortDNSOverTLS,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if tlsConf.PortDNSOverQUIC != 0 {
|
||||||
|
newconfig.QUICListenAddr = &net.UDPAddr{
|
||||||
|
IP: net.ParseIP(config.DNS.BindHost),
|
||||||
|
Port: int(tlsConf.PortDNSOverQUIC),
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
newconfig.TLSv12Roots = Context.tlsRoots
|
newconfig.TLSv12Roots = Context.tlsRoots
|
||||||
newconfig.TLSCiphers = Context.tlsCiphers
|
newconfig.TLSCiphers = Context.tlsCiphers
|
||||||
|
@ -225,6 +233,11 @@ func getDNSAddresses() []string {
|
||||||
addr := fmt.Sprintf("tls://%s:%d", tlsConf.ServerName, tlsConf.PortDNSOverTLS)
|
addr := fmt.Sprintf("tls://%s:%d", tlsConf.ServerName, tlsConf.PortDNSOverTLS)
|
||||||
dnsAddresses = append(dnsAddresses, addr)
|
dnsAddresses = append(dnsAddresses, addr)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if tlsConf.PortDNSOverQUIC != 0 {
|
||||||
|
addr := fmt.Sprintf("quic://%s:%d", tlsConf.ServerName, tlsConf.PortDNSOverQUIC)
|
||||||
|
dnsAddresses = append(dnsAddresses, addr)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return dnsAddresses
|
return dnsAddresses
|
||||||
|
|
|
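Review bot: `net.ParseIP(config.DNS.BindHost)` in the new `QUICListenAddr` block returns nil when the host does not parse, and a `net.UDPAddr` with a nil IP is an all-interfaces address, so a mistyped bind host would silently turn the DoQ listener into a wildcard UDP listener; the `TLSListenAddr` block above has the same fallback, so this is inherited rather than new, but the second copy makes it worth parsing `BindHost` once before both blocks and rejecting or logging a nil result. A small helper taking the port would also remove the duplicated struct literal. The second hunk, in `getDNSAddresses`, mirrors the DoT case and looks fine. `generateServerConfig` starts and ends outside the hunk.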
@ -45,6 +45,7 @@ func tlsCreate(conf tlsConfigSettings) *TLSMod {
|
||||||
ServerName: conf.ServerName,
|
ServerName: conf.ServerName,
|
||||||
PortHTTPS: conf.PortHTTPS,
|
PortHTTPS: conf.PortHTTPS,
|
||||||
PortDNSOverTLS: conf.PortDNSOverTLS,
|
PortDNSOverTLS: conf.PortDNSOverTLS,
|
||||||
|
PortDNSOverQUIC: conf.PortDNSOverQUIC,
|
||||||
AllowUnencryptedDOH: conf.AllowUnencryptedDOH,
|
AllowUnencryptedDOH: conf.AllowUnencryptedDOH,
|
||||||
}}
|
}}
|
||||||
}
|
}
|
||||||
|
@ -267,6 +268,7 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
||||||
t.conf.ForceHTTPS = data.ForceHTTPS
|
t.conf.ForceHTTPS = data.ForceHTTPS
|
||||||
t.conf.PortHTTPS = data.PortHTTPS
|
t.conf.PortHTTPS = data.PortHTTPS
|
||||||
t.conf.PortDNSOverTLS = data.PortDNSOverTLS
|
t.conf.PortDNSOverTLS = data.PortDNSOverTLS
|
||||||
|
t.conf.PortDNSOverQUIC = data.PortDNSOverQUIC
|
||||||
t.conf.CertificateChain = data.CertificateChain
|
t.conf.CertificateChain = data.CertificateChain
|
||||||
t.conf.CertificatePath = data.CertificatePath
|
t.conf.CertificatePath = data.CertificatePath
|
||||||
t.conf.CertificateChainData = data.CertificateChainData
|
t.conf.CertificateChainData = data.CertificateChainData
|
||||||
|
|
|
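Review bot: `t.conf.PortDNSOverQUIC = data.PortDNSOverQUIC` copies the request value through like the neighbouring ports; whether the handler validates ports before this point is outside the hunk, but if it does, the new port should be included in that check. DoQ is UDP on the same bind host as the plain DNS listener, so a `port_dns_over_quic` equal to `config.DNS.Port` would only fail at bind time, whereas sharing a number with `port_dns_over_tls` is legitimate because that listener is TCP. The first hunk, in `tlsCreate`, is a plain field copy and needs nothing. `handleTLSConfigure` continues outside the hunk.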
@ -1563,6 +1563,11 @@ components:
|
||||||
format: int32
|
format: int32
|
||||||
example: 853
|
example: 853
|
||||||
description: DNS-over-TLS port. If 0, DOT will be disabled.
|
description: DNS-over-TLS port. If 0, DOT will be disabled.
|
||||||
|
port_dns_over_quic:
|
||||||
|
type: integer
|
||||||
|
format: int32
|
||||||
|
example: 784
|
||||||
|
description: DNS-over-QUIC port. If 0, DOQ will be disabled.
|
||||||
certificate_chain:
|
certificate_chain:
|
||||||
type: string
|
type: string
|
||||||
description: Base64 string with PEM-encoded certificates chain
|
description: Base64 string with PEM-encoded certificates chain
|
||||||
|
|