Pull request 168: 5799-healthcheck-access

Merge in GO/adguard-home-wiki from 5799-healthcheck-access to master

Squashed commit of the following:

commit 339fc0b7d1e1920d5a1393a0b45d3e5383aeb22c
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Thu May 18 18:53:20 2023 +0300

    Configuration: fix links

commit 758f60eff4dbec362370ba8ce9f5f612f61f1a5d
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Thu May 18 18:44:31 2023 +0300

    all: imp healthcheck docs

Configuration.md

@@ -450,10 +450,29 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
       requests and log the values sent by the clients in the query log.  Please
       note that ECS option will be added automatically for clients with public
       IP addresses only.
-  - **Access settings**
+  - **Access settings:**
-    - `allowed_clients` — IP addresses of allowed clients
+    - `allowed_clients`: The list of CIDRs, IP addresses or ClientIDs of allowed
-    - `disallowed_clients` — IP addresses of clients that should be blocked
+      DNS clients.  If this list has entries, AdGuard Home will accept requests
-    - `blocked_hosts` — Hosts that should be blocked
+      only from these clients.
+      
+      See also the note in the [Docker wiki page][docker-conf] about using this
+      property within a container.
+
+    - `disallowed_clients`: The list of CIDRs, IP addresses, or ClientIDs of
+      disallowed DNS clients.  If this list has entries, AdGuard Home will drop
+      requests from these clients. Note that this field is ignored if there are
+      entries in `allowed_clients`.
+      
+      See also the note in the [Docker wiki page][docker-conf] about using this
+      property within a container.
+
+    - `blocked_hosts`: The list of domain names, wildcards or filtering rules to
+      match requests that shouldn't be processed at all.  These wiil be ignored
+      by statistics and query log as well.
+      
+      See also the note in the [Docker wiki page][docker-conf] about using this
+      property within a container.
+
     - `trusted_proxies` (**since v0.107.0**) – The list of IP addresses and CIDR
       prefixes of trusted HTTP proxy servers.  If a DNS-over-HTTPS request comes
       from one of these addresses or networks, AdGuard Home uses the provided
@@ -629,6 +648,7 @@ Removing an entry from settings file will reset it to the default value. Deletin
 
 [DHCP]: https://github.com/AdguardTeam/AdGuardHome/wiki/DHCP
 [DNSCrypt]: https://github.com/AdguardTeam/AdGuardHome/wiki/DNSCrypt
+[docker-conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Docker#configuration
 [`dnscrypt`]: https://github.com/ameshkov/dnscrypt
 [DDR]: https://www.ietf.org/archive/id/draft-ietf-add-ddr-06.html
 [tls-names]: https://pkg.go.dev/crypto/tls#pkg-constants

Docker.md

@@ -162,7 +162,10 @@ mechanism.  The implementation uses special reserved domain name
 `healthcheck.adguardhome.test.`, expecting it to resolve into NODATA answer.  It
 imposes restrictions on usage of this particular name, so specifying it within
 the `blocked_hosts` array under the `dns` section of configuration file will
-certainly break the healthcheck.
+certainly break the healthcheck.  For the same reason the `allowed_clients`
+**should** contain and `disallowed_clients` **should not** contain the
+`127.0.0.1` (`localhost`) address, which is used as a source of healthcheck
+requests.
 
 [YAML]: https://yaml.org
 [conf]: https://github.com/AdguardTeam/Adguardhome/wiki/Configuration