+ DNS: "port_dns_over_quic" setting
This commit is contained in:
parent
07b6cc24b7
commit
d53e32259a
|
@ -743,6 +743,7 @@ Response:
|
|||
"server_name":"...",
|
||||
"port_https":443,
|
||||
"port_dns_over_tls":853,
|
||||
"port_dns_over_quic":784,
|
||||
"certificate_chain":"...",
|
||||
"private_key":"...",
|
||||
"certificate_path":"...",
|
||||
|
@ -774,6 +775,7 @@ Request:
|
|||
"force_https":false,
|
||||
"port_https":443,
|
||||
"port_dns_over_tls":853,
|
||||
"port_dns_over_quic":784,
|
||||
"certificate_chain":"...",
|
||||
"private_key":"...",
|
||||
"certificate_path":"...", // if set, certificate_chain must be empty
|
||||
|
|
|
@ -92,6 +92,7 @@ type FilteringConfig struct {
|
|||
// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
|
||||
type TLSConfig struct {
|
||||
TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"`
|
||||
QUICListenAddr *net.UDPAddr `yaml:"-" json:"-"`
|
||||
StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate
|
||||
|
||||
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
|
||||
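Review bot: The doc comment on TLSConfig still names only HTTPS, DNS-over-HTTPS and DNS-over-TLS, and the new QUICListenAddr field has no comment while StrictSNICheck and CertificateChain beside it do. Suggest `// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC` and `QUICListenAddr *net.UDPAddr \`yaml:"-" json:"-"\` // DNS-over-QUIC listen address; nil means no DoQ listener is configured`. The nil semantics follow from the createProxyConfig hunk below, which forwards the address to the proxy only when it is non-nil.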
|
@ -153,6 +154,10 @@ func (s *Server) createProxyConfig() (proxy.Config, error) {
|
|||
MaxGoroutines: int(s.conf.MaxGoroutines),
|
||||
}
|
||||
|
||||
if s.conf.QUICListenAddr != nil {
|
||||
proxyConfig.QUICListenAddr = []*net.UDPAddr{s.conf.QUICListenAddr}
|
||||
}
|
||||
|
||||
if s.conf.CacheSize != 0 {
|
||||
proxyConfig.CacheEnabled = true
|
||||
proxyConfig.CacheSizeBytes = int(s.conf.CacheSize)
|
||||
|
|
|
@ -270,7 +270,7 @@ func ValidateUpstreams(upstreams []string) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
var protocols = []string{"tls://", "https://", "tcp://", "sdns://"}
|
||||
var protocols = []string{"tls://", "https://", "tcp://", "sdns://", "quic://"}
|
||||
|
||||
func validateUpstream(u string) (bool, error) {
|
||||
// Check if user tries to specify upstream for domain
|
||||
|
|
|
@ -97,6 +97,7 @@ type tlsConfigSettings struct {
|
|||
ForceHTTPS bool `yaml:"force_https" json:"force_https,omitempty"` // ForceHTTPS: if true, forces HTTP->HTTPS redirect
|
||||
PortHTTPS int `yaml:"port_https" json:"port_https,omitempty"` // HTTPS port. If 0, HTTPS will be disabled
|
||||
PortDNSOverTLS int `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"` // DNS-over-TLS port. If 0, DOT will be disabled
|
||||
PortDNSOverQUIC uint16 `yaml:"port_dns_over_quic" json:"port_dns_over_quic,omitempty"` // DNS-over-QUIC port. If 0, DoQ will be disabled
|
||||
|
||||
// Allow DOH queries via unencrypted HTTP (e.g. for reverse proxying)
|
||||
AllowUnencryptedDOH bool `yaml:"allow_unencrypted_doh" json:"allow_unencrypted_doh"`
|
||||
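Review bot: PortDNSOverQUIC is declared as uint16 while PortHTTPS and PortDNSOverTLS on the adjacent lines are int, so the three ports are now handled differently: for DoQ alone an out-of-range JSON value is rejected by the decoder, and the home/dns.go listener code needs an `int(tlsConf.PortDNSOverQUIC)` conversion where the TLS port is used directly. If the narrower type is meant as range validation, say so in the field comment and consider applying it to the sibling ports, which are copied from the request body in handleTLSConfigure with no visible range check; otherwise `PortDNSOverQUIC int \`yaml:"port_dns_over_quic" json:"port_dns_over_quic,omitempty"\`` keeps the struct consistent. The type decision also affects the privileged-port comparison in the runtime.GOOS check further down.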
|
@ -126,6 +127,7 @@ var config = configuration{
|
|||
TLS: tlsConfigSettings{
|
||||
PortHTTPS: 443,
|
||||
PortDNSOverTLS: 853, // needs to be passed through to dnsproxy
|
||||
PortDNSOverQUIC: 784,
|
||||
},
|
||||
logSettings: logSettings{
|
||||
LogCompress: false,
|
||||
|
|
|
@ -99,7 +99,9 @@ func getVersionResp(info update.VersionInfo) []byte {
|
|||
Context.tls.WriteDiskConfig(&tlsConf)
|
||||
|
||||
if runtime.GOOS != "windows" &&
|
||||
((tlsConf.Enabled && (tlsConf.PortHTTPS < 1024 || tlsConf.PortDNSOverTLS < 1024)) ||
|
||||
((tlsConf.Enabled && (tlsConf.PortHTTPS < 1024 ||
|
||||
tlsConf.PortDNSOverTLS < 1024 ||
|
||||
tlsConf.PortDNSOverQUIC < 1024)) ||
|
||||
config.BindPort < 1024 ||
|
||||
config.DNS.Port < 1024) {
|
||||
// On UNIX, if we're running under a regular user,
|
||||
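Review bot: The new `tlsConf.PortDNSOverQUIC < 1024` condition is also true when the port is 0, which the config field comment defines as DoQ disabled, so turning DoQ off now satisfies the privileged-port branch that follows the hunk; the sibling PortDNSOverTLS comparison appears to share this weakness, but this line extends it to a second port. A guard such as `(tlsConf.PortDNSOverQUIC != 0 && tlsConf.PortDNSOverQUIC < 1024)` preserves the intent. The enclosing function starts and ends outside the hunk, so what the branch does beyond the comment about running as a regular user is not visible here.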
|
|
13
home/dns.go
13
home/dns.go
|
@ -172,12 +172,20 @@ func generateServerConfig() dnsforward.ServerConfig {
|
|||
Context.tls.WriteDiskConfig(&tlsConf)
|
||||
if tlsConf.Enabled {
|
||||
newconfig.TLSConfig = tlsConf.TLSConfig
|
||||
|
||||
if tlsConf.PortDNSOverTLS != 0 {
|
||||
newconfig.TLSListenAddr = &net.TCPAddr{
|
||||
IP: net.ParseIP(config.DNS.BindHost),
|
||||
Port: tlsConf.PortDNSOverTLS,
|
||||
}
|
||||
}
|
||||
|
||||
if tlsConf.PortDNSOverQUIC != 0 {
|
||||
newconfig.QUICListenAddr = &net.UDPAddr{
|
||||
IP: net.ParseIP(config.DNS.BindHost),
|
||||
Port: int(tlsConf.PortDNSOverQUIC),
|
||||
}
|
||||
}
|
||||
}
|
||||
newconfig.TLSv12Roots = Context.tlsRoots
|
||||
newconfig.TLSCiphers = Context.tlsCiphers
|
||||
|
@ -225,6 +233,11 @@ func getDNSAddresses() []string {
|
|||
addr := fmt.Sprintf("tls://%s:%d", tlsConf.ServerName, tlsConf.PortDNSOverTLS)
|
||||
dnsAddresses = append(dnsAddresses, addr)
|
||||
}
|
||||
|
||||
if tlsConf.PortDNSOverQUIC != 0 {
|
||||
addr := fmt.Sprintf("quic://%s:%d", tlsConf.ServerName, tlsConf.PortDNSOverQUIC)
|
||||
dnsAddresses = append(dnsAddresses, addr)
|
||||
}
|
||||
}
|
||||
|
||||
return dnsAddresses
|
||||
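Review bot: In generateServerConfig the DoQ listener is built with `IP: net.ParseIP(config.DNS.BindHost)`; when BindHost is not a literal IP, ParseIP returns nil, and a nil IP in net.UDPAddr denotes the unspecified address, so the UDP listener would bind on all interfaces instead of the configured host. The TLS listener just above uses the same construction, so BindHost is presumably validated earlier in the config path; if it is not, checking the ParseIP result before building either address would keep a malformed bind host from widening exposure. The getDNSAddresses hunk in this file is consistent with the TLS case and raises nothing further.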
|
|
|
@ -45,6 +45,7 @@ func tlsCreate(conf tlsConfigSettings) *TLSMod {
|
|||
ServerName: conf.ServerName,
|
||||
PortHTTPS: conf.PortHTTPS,
|
||||
PortDNSOverTLS: conf.PortDNSOverTLS,
|
||||
PortDNSOverQUIC: conf.PortDNSOverQUIC,
|
||||
AllowUnencryptedDOH: conf.AllowUnencryptedDOH,
|
||||
}}
|
||||
}
|
||||
|
@ -267,6 +268,7 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
|||
t.conf.ForceHTTPS = data.ForceHTTPS
|
||||
t.conf.PortHTTPS = data.PortHTTPS
|
||||
t.conf.PortDNSOverTLS = data.PortDNSOverTLS
|
||||
t.conf.PortDNSOverQUIC = data.PortDNSOverQUIC
|
||||
t.conf.CertificateChain = data.CertificateChain
|
||||
t.conf.CertificatePath = data.CertificatePath
|
||||
t.conf.CertificateChainData = data.CertificateChainData
|
||||
|
|
|
@ -1563,6 +1563,11 @@ components:
|
|||
format: int32
|
||||
example: 853
|
||||
description: DNS-over-TLS port. If 0, DOT will be disabled.
|
||||
port_dns_over_quic:
|
||||
type: integer
|
||||
format: int32
|
||||
example: 784
|
||||
description: DNS-over-QUIC port. If 0, DOQ will be disabled.
|
||||
certificate_chain:
|
||||
type: string
|
||||
description: Base64 string with PEM-encoded certificates chain
|
||||
|
|