Pull request: 2799 trusted proxies

Merge in DNS/adguard-home-wiki from 2799-proxies to master

Squashed commit of the following:

commit 530e19fd4ae77309100ac649e05662674d1f0457
Merge: 60098db ab8edf0
Author: Eugene Burkov <e.burkov@adguard.com>
Date:   Mon Jul 26 19:27:59 2021 +0300

    Merge branch 'master' into 2799-proxies

commit 60098db73043ecbd26a236719f8d2d773836d34b
Author: Eugene Burkov <e.burkov@adguard.com>
Date:   Mon Jul 26 18:48:12 2021 +0300

    Encryption: fix lists

commit c7e8ab9821507ee37b25653bd7ecb7c9953c1ff3
Author: Eugene Burkov <e.burkov@adguard.com>
Date:   Mon Jul 26 18:35:55 2021 +0300

    Encryption: spaces

commit cb54cabd6c7bcf6633fc9778679982ef8f68b200
Author: Eugene Burkov <e.burkov@adguard.com>
Date:   Mon Jul 26 18:22:21 2021 +0300

    Encryption:  imp & fmt

commit d45c2fab8ee32012f74b0ae01d04344d4c0fa7ce
Author: Eugene Burkov <e.burkov@adguard.com>
Date:   Mon Jul 26 15:54:04 2021 +0300

    all: trusted_proxies & using with reverse proxy
Eugene Burkov 2021-07-26 19:31:01 +03:00
parent ab8edf0458
commit 95020709e7
2 changed files with 230 additions and 76 deletions

@ -357,7 +357,10 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
- **Access settings**
- `allowed_clients` — IP addresses of allowed clients
- `disallowed_clients` — IP addresses of clients that should be blocked
- `blocked_hosts` — hosts that should be blocked
- `blocked_hosts` — Hosts that should be blocked
- `trusted_proxies` (**since v0.107.0**) The list of IP addresses and CIDR
networks to detect proxy servers' addresses from which AdGuard Home should
accept and handle DNS-over-HTTPS requests.
- **DNS cache settings**
- `cache_size` — DNS cache size (in bytes)
- `cache_ttl_min` — override TTL value (minimum) received from upstream server. This value can't larger than 3600 (1 hour).

@ -1,131 +1,282 @@
# AdGuard Home - Encryption
# AdGuard Home Encryption
We are proud to say that AdGuard Home supports all modern DNS encryption protocols **out-of-the-box**:
We are proud to say that AdGuard Home supports all modern DNS encryption
protocols **out-of-the-box**:
- [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS)
- [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
- [DNS-over-QUIC](https://tools.ietf.org/html/draft-ietf-dprive-dnsoquic-01)
* [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS)
* [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
* [DNS-over-QUIC](https://tools.ietf.org/html/draft-ietf-dprive-dnsoquic-01)
> AdGuard Home also supports [DNSCrypt](https://dnscrypt.info/) (both client-side and server-side). [Read this](DNSCrypt) to learn about configuring AdGuard Home as a DNSCrypt server.
> AdGuard Home also supports [DNSCrypt](https://dnscrypt.info/) (both
> client-side and server-side). [Read this](DNSCrypt) to learn about
> configuring AdGuard Home as a DNSCrypt server.
In this guide we will explain how to setup your own "Secure DNS" server with AdGuard Home.
In this guide we will explain how to setup your own "Secure DNS" server with
AdGuard Home.
1. [Install AdGuard Home on your server](#install)
2. [Register a domain name](#register)
3. [Get an SSL certificate](#certificate)
- [Install CertBot](#certbot)
- [Get a certificate using DNS challenge](#certbot-dnschallenge)
- [Alternative to CertBot: Lego](#lego)
4. [Configure AdGuard Home](#configure-home)
5. [Configure your devices](#configure-devices)
1. [Install AdGuard Home on your server](#install)
1. [Register a domain name](#register)
1. [Get an SSL certificate](#certificate)
* [Install CertBot](#certbot)
* [Get a certificate using DNS challenge](#certbot-dnschallenge)
* [Alternative to CertBot: Lego](#lego)
1. [Configure AdGuard Home](#configure-home)
1. [Using with reverse proxy](#reverse-proxy)
* [Nginx](#nginx)
* [Cloudflare CDN](#cf-cdn)
1. [Configure your devices](#configure-devices)
* [Android](#android)
* [iOS](#ios)
* [Windows](#windows)
* [MacOS](#macos)
* [Other implementations](#other-imps)
<a id="install"></a>
## Install AdGuard Home on your server
It does not make much sense to configure DNS encryption inside of your own local network. The purpose of securing your DNS traffic is to secure it from third-parties that might be analyzing or modifying it. For instance, from your ISP.
## <a href="#install" id="install" name="install">Install AdGuard Home on your server</a>
It means that you will need a server with a public dedicated IP address. There are plenty of cheap cloud servers providers: [DigitalOcean](https://digitalocean.com), [Vultr](https://vultr.com), [Linode](https://www.linode.com/), etc. Just choose one, create a cloud server there, and [install AdGuard Home](Getting-Started) on your server.
It does not make much sense to configure DNS encryption inside of your own local
network. The purpose of securing your DNS traffic is to secure it from
third-parties that might be analyzing or modifying it. For instance, from your
ISP.
<a id="register"></a>
It means that you will need a server with a public dedicated IP address. There
are plenty of cheap cloud servers providers: [DigitalOcean][digital-ocean],
[Vultr][vultr], [Linode][linode], etc. Just choose one, create a cloud server
there, and [install AdGuard Home](Getting-Started) on your server.
## Register a domain name
First of all, you need a domain name. If you have never registered one, here is a [simple instruction](https://www.pcworld.com/article/241722/web-apps/how-to-register-your-own-domain-name.html) that will help you with that.
<a id="certificate"></a>
[digital-ocean]: https://digitalocean.com
[vultr]: https://vultr.com
[linode]: https://www.linode.com
## Get an SSL certificate
Both `DNS-over-HTTPS` and `DNS-over-TLS` are based on [TLS encryption](https://en.wikipedia.org/wiki/Transport_Layer_Security) so in order to use them, you will need to acquire an SSL certificate.
An SSL certificate can be bought from a "Certificate Authority" (CA), a company trusted by browsers and operating systems to enroll SSL certificates for domains.
## <a href="#register" id="register" name="register">Register a domain name</a>
Alternatively, you can get the certificate for free from ["Let's Encrypt" CA](https://letsencrypt.org/), a free certificate authority developed by the Internet Security Research Group (ISRG).
First of all, you need a domain name. If you have never registered one, here is
a [simple instruction][domain-name-register] that will help you with that.
[domain-name-register]: https://www.pcworld.com/article/241722/web-apps/how-to-register-your-own-domain-name.html
## <a href="#certificate" id="certificate" name="certificate">Get an SSL certificate</a>
Both `DNS-over-HTTPS` and `DNS-over-TLS` are based on [TLS
encryption][tls-wikipedia] so in order to use them, you will need to acquire an
SSL certificate.
An SSL certificate can be bought from a "Certificate Authority" (CA), a company
trusted by browsers and operating systems to enroll SSL certificates for
domains.
Alternatively, you can get the certificate for free from ["Let's Encrypt"
CA][letsencrypt], a free certificate authority developed by the Internet
Security Research Group (ISRG).
In this guide I'll explain how to get a certificate from them.
<a id="certbot"></a>
### Install CertBot
### <a href="#certbot" id="certbot" name="certbot">Install CertBot</a>
Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt.
1. Go to [https://certbot.eff.org/](https://certbot.eff.org/) and choose "None of the above" software and your operating system.
2. Follow the installation instructions, and stop there - don't get to the "Get Started" section.
1. Go to [certbot.eff.org][certbot] and choose "None of the above"
software and your operating system.
1. Follow the installation instructions, and stop there don't get to the "Get
Started" section.
<a id="certbot-dnschallenge"></a>
### <a href="#certbot-dnschallenge" id="certbot-dnschallenge" name="certbot-dnschallenge">Get a certificate using DNS challenge</a>
### Get a certificate using DNS challenge
You have just got a domain name so I suppose using DNS challenge will be the easiest way to get a certificate.
You have just got a domain name so I suppose using DNS challenge will be the
easiest way to get a certificate.
Run this command and follow the certbot's instructions:
```bash
```sh
sudo certbot certonly --manual --preferred-challenges=dns
```
In the end you'll get two files:
- `fullchain.pem` -- your PEM-encoded SSL certificate
- `privkey.pem` -- your PEM-encoded private key
* `fullchain.pem` your PEM-encoded SSL certificate.
* `privkey.pem` your PEM-encoded private key.
Both will be necessary to configure AdGuard Home.
> You will need to use the very same procedure to renew the existing certificate.
> You will need to use the very same procedure to renew the existing
> certificate.
<a id="lego"></a>
### <a href="#lego" id="lego" name="lego">Alternative to CertBot: Lego</a>
### Alternative to CertBot: Lego
There's also a really nice and easy-to-use alternative to CertBot called
[lego][lego-source].
There's also a really nice and easy-to-use alternative to CertBot called [lego](https://go-acme.github.io/lego/).
1. Install it using [an appropriate method][lego-install].
1. Choose your DNS provider from [the list][lego-provider]
and follow the instruction to obtain a certificate.
1. Install it using [an appropriate method](https://go-acme.github.io/lego/installation/).
2. Choose your DNS provider from [the list](https://go-acme.github.io/lego/dns/) and follow the instruction to obtain a certificate.
<a id="configure-home"></a>
## Configure AdGuard Home
[tls-wikipedia]: https://en.wikipedia.org/wiki/Transport_Layer_Security
[letsencrypt]: https://letsencrypt.org
[certbot]: https://certbot.eff.org
[lego-source]: https://go-acme.github.io/lego
[lego-install]: https://go-acme.github.io/lego/installation
[lego-provider]: https://go-acme.github.io/lego/dns
1. Open AdGuard Home web interface and go to settings.
2. Scroll down to the "Encryption" settings
![](https://user-images.githubusercontent.com/5947035/53301027-2a0c2b80-385f-11e9-81f3-bcc63de4eef1.png)
3. Copy/paste the contents of the `fullchain.pem` file to "Certificates"
4. Copy/paste the contents of the `privkey.pem` file to "Private key"
5. Enter your domain name to "Server name"
6. Click "Save settings".
<a id="configure-devices"></a>
## Configure your devices
## <a href="#configure-home" id="configure-home" name="configure-home">Configure AdGuard Home</a>
### Android
1. Open AdGuard Home web interface and go to settings.
1. Scroll down to the "Encryption" settings.
- Android 9 supports `DNS-over-TLS` natively. To configure it, go to Settings → Network & internet → Advanced → Private DNS and enter your domain name there.
- [AdGuard for Android](https://adguard.com/en/adguard-android/overview.html) supports `DNS-over-HTTPS`, `DNS-over-TLS`, `DNSCrypt` and `DNS-over-QUIC`.
- [Intra](https://getintra.org/) adds `DNS-over-HTTPS` support to Android.
![][encryption-screenshot]
### iOS
3. Copy/paste the contents of the `fullchain.pem` file to "Certificates".
3. Copy/paste the contents of the `privkey.pem` file to "Private key".
3. Enter your domain name to "Server name".
3. Click "Save settings".
- iOS 14 and higher support `DNS-over-TLS` and `DNS-over-HTTPS` natively via configuration profiles. In order to make things easier, AdGuard Home can generate these configuration profiles for you. Just head to "Setup Guide" -> "DNS Privacy" and scroll to iOS.
- [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) supports `DNS-over-HTTPS`, `DNS-over-TLS`, `DNSCrypt` and `DNS-over-QUIC`.
- [DNSCloak](https://itunes.apple.com/app/id1452162351) supports `DNS-over-HTTPS` but in order to configure it to use your own server, you'll need to generate a [DNS Stamp](https://dnscrypt.info/stamps) for it.
### Windows
- Windows 10 Build 19628 and higher support `DNS-over-HTTPS` natively.
- [AdGuard for Windows](https://adguard.com/en/adguard-windows/overview.html) supports `DNS-over-HTTPS`, `DNS-over-TLS`, `DNSCrypt` and `DNS-over-QUIC`.
[encryption-screenshot]: https://user-images.githubusercontent.com/5947035/53301027-2a0c2b80-385f-11e9-81f3-bcc63de4eef1.png
### MacOS
- MacOS Big Sur and higher support `DNS-over-TLS` and `DNS-over-HTTPS` natively via configuration profiles. In order to make things easier, AdGuard Home can generate these configuration profiles for you. Just head to "Setup Guide" -> "DNS Privacy" and scroll to iOS.
### Other implementations
## <a href="#reverse-proxy" id="reverse-proxy" name="reverse-proxy">Using with reverse proxy</a>
- AdGuard Home itself can be a secure DNS client on any platform.
- [dnsproxy](https://github.com/AdguardTeam/dnsproxy) supports all known secure DNS protocols.
- [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy) supports `DNS-over-HTTPS`.
- [Mozilla Firefox](https://www.mozilla.org/firefox/) supports `DNS-over-HTTPS`.
We already have a [guide][reverse-proxy-faq] on configuring a reverse proxy
server for accessing AdGuard Home web UI.
You can find more implementations [here](https://dnscrypt.info/implementations) and [here](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients).
Since v0.107.0 AdGuard Home is able to restrict DNS-over-HTTPS requests which
came from the proxy server not included into "trusted" list. By default, it's
configured to accept requests from IPv4 and IPv6 loopback addresses.
To enable AdGuard Home to handle DNS-over-HTTPS requests from a reverse proxy
server, set the `trusted_proxies` setting in `AdGuardHome.yaml` to the IP
address of the proxy server. If you have several proxy servers, you can use a
CIDR instead of a simple IP address.
### <a href="#nginx" id="nginx" name="nginx">Nginx reverse proxy</a>
To configure AdGuard Home for accepting requests from Nginx reverse proxy
server, make sure that the reverse proxy server itself is configured correctly.
The `nginx.conf` file should contain the appropriate directives to add the
supported forwarding headers to the request which are `X-Real-IP` or
`X-Forwarded-For`. This may be achieved with `ngx_http_realip_module` which is
explained [here][ngx-http-realip-module]. In short, the module takes real IP
address of the client and writes it to the HTTP request's header. The AdGuard
Home will receive and interpret the value of this header as real client's
address. The address of the reverse proxy server will be received too and also
checked against the "trusted" proxies list.
For example, if the configuration of the reverse proxy server contains the
following directives:
```none
location /dns-query {
...
proxy_set_header X-Real-IP '1.2.3.4';
proxy_bind 192.168.1.2;
...
}
```
AdGuard Home will get the `192.168.1.2` as the address of your proxy server and
check it against the `trusted_proxies`. The `1.2.3.4` will be controlled by
access settings in case the proxy is "trusted".
### <a href="#cf-cdn" id="cf-cdn" name="cf-cdn">Cloudflare CDN</a>
The Cloudflare's content delivery network acts as the reverse proxy appending
its [own headers][cloudflare-headers] to the forwarded requests, which are
`CF-Connecting-IP` and `True-Client-IP`. These are also supported by AdGuard
Home so the reverse proxy servers' [addresses][cloudflare-addresses] may be
inserted into `trusted_proxies` list directly. An official Cloudflare's
reference on restoring the original visitor's IP may be found
[here][cloudflare-real-ip].
[reverse-proxy-faq]: https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#how-to-configure-a-reverse-proxy-server-for-adguard-home
[ngx-http-realip-module]: https://nginx.org/en/docs/http/ngx_http_realip_module.html
[cloudflare-headers]: https://support.cloudflare.com/hc/en-us/articles/200170986
[cloudflare-addresses]: https://www.cloudflare.com/ips
[cloudflare-real-ip]: https://support.cloudflare.com/hc/en-us/articles/200170786
## <a href="#configure-devices" id="configure-devices" name="configure-devices">Configure your devices</a>
### <a href="#android" id="android" name="android">Android</a>
* Android 9 supports `DNS-over-TLS` natively. To configure it, go to Settings
→ Network & internet → Advanced → Private DNS and enter your domain name
there.
* [AdGuard for Android][ag-for-android] supports `DNS-over-HTTPS`,
`DNS-over-TLS`, `DNSCrypt` and `DNS-over-QUIC`.
* [Intra][intra] adds `DNS-over-HTTPS` support to Android.
### <a href="#ios" id="ios" name="ios">iOS</a>
* iOS 14 and higher support `DNS-over-TLS` and `DNS-over-HTTPS` natively via
configuration profiles. In order to make things easier, AdGuard Home can
generate these configuration profiles for you. Just head to "Setup Guide" →
"DNS Privacy" and scroll to iOS.
* [AdGuard for iOS][ag-for-ios] supports `DNS-over-HTTPS`, `DNS-over-TLS`,
`DNSCrypt` and `DNS-over-QUIC`.
* [DNSCloak][dnscloak] supports `DNS-over-HTTPS` but in order to configure it
to use your own server, you'll need to generate a [DNS Stamp][stamps] for
it.
### <a href="#windows" id="windows" name="windows">Windows</a>
* Windows 10 Build 19628 and higher support `DNS-over-HTTPS` natively.
* [AdGuard for Windows][ag-for-windows] supports `DNS-over-HTTPS`,
`DNS-over-TLS`, `DNSCrypt` and `DNS-over-QUIC`.
### <a href="#macos" id="macos" name="macos">MacOS</a>
* MacOS Big Sur and higher support `DNS-over-TLS` and `DNS-over-HTTPS`
natively via configuration profiles. In order to make things easier, AdGuard
Home can generate these configuration profiles for you. Just head to "Setup
Guide" → "DNS Privacy" and scroll to iOS.
### <a href="#other-imps" id="other-imps" name="other-imps">Other implementations</a>
* AdGuard Home itself can be a secure DNS client on any platform.
* [dnsproxy][ag-dnsproxy] supports all known secure DNS protocols.
* [dnscrypt-proxy][dnscrypt-proxy] supports `DNS-over-HTTPS`.
* [Mozilla Firefox][firefox] supports `DNS-over-HTTPS`.
You can find more implementations [here][dnscrypt-imps1] and
[here][dnscrypt-imps2].
[ag-for-android]: https://adguard.com/en/adguard-android/overview.html
[intra]: https://getintra.org
[ag-for-ios]: https://adguard.com/en/adguard-ios/overview.html
[dnscloak]: https://itunes.apple.com/app/id1452162351
[stamps]: https://dnscrypt.info/stamps
[ag-for-windows]: https://adguard.com/en/adguard-windows/overview.html
[ag-dnsproxy]: https://github.com/AdguardTeam/dnsproxy
[dnscrypt-proxy]: https://github.com/jedisct1/dnscrypt-proxy
[firefox]: https://www.mozilla.org/firefox
[dnscrypt-imps1]: https://dnscrypt.info/implementations
[dnscrypt-imps2]: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients