
Implemented autocert

master
maze 1 year ago
parent
commit
7ab6835791
4 changed files with 64 additions and 10 deletions
  1. +39
    -1
      README.md
  2. +18
    -6
      cmd/doh/main.go
  3. +1
    -0
      go.mod
  4. +6
    -3
      server.go

+ 39
- 1
README.md View File

@ -1,3 +1,41 @@
# doh
Toy DNS over HTTPS server.
Toy DNS over HTTPS server.
This server implements IETF [RFC 8484](https://tools.ietf.org/html/rfc8484) as well as Cloudflare and Google's proprietary [DNS JSON](https://developers.cloudflare.com/1.1.1.1/dns-over-https/json-format/) query formats.
## Running
Your server needs a (valid) X.509 certificate to work efficiently, for example
use [LetsEncrypt](https://letsencrypt.org/).
## Running as unprivileged user
It is recommended to run as an unprivileged user, you need to use Linux capabilities
if you wish to run `doh` on a privileged port:
```console
$ sudo setcap cap_net_bind_service=+ep ./doh
$ ./doh -listen=:443
```
## Automatic TLS
Optionally you can use the auto TLS feature, which will request a TLS certificate
automatically:
```console
$ ./doh -listen=:443 -autotls /var/cache/doh -email john@example.org
```
## Querying
The default path for DNS-over-HTTPS requests is at `/dns-query`.
## Testing
`cURL` can be used to test your server:
```console
$ curl -v --doh-url https://dns.maze.network/dns-query icanhazip.com
```

+ 18
- 6
cmd/doh/main.go View File

@ -4,6 +4,8 @@ import (
"flag"
"strings"
"golang.org/x/crypto/acme/autocert"
"maze.io/doh"
)
@ -14,18 +16,28 @@ const (
func main() {
var (
listen = flag.String("listen", ":8053", "listen address")
upstream = flag.String("upstream", defaultUpstream, "upstream DNS servers")
insecure = flag.Bool("insecure", false, "skip TLS verification from upstream")
certFile = flag.String("cert", "", "X.509 certificate file")
keyFile = flag.String("key", "", "X.509 key file")
listen = flag.String("listen", ":8053", "listen address")
upstream = flag.String("upstream", defaultUpstream, "upstream DNS servers")
insecure = flag.Bool("insecure", false, "skip TLS verification from upstream")
autoTLS = flag.String("autotls", "", "auto TLS cache path, retrieves certificate from LetsEncrypt")
autoTLSDomains = flag.String("autotls-domains", "", "auto TLS domains whitelist (comma separated)")
email = flag.String("email", "", "auto TLS email address")
certFile = flag.String("cert", "", "X.509 certificate file")
keyFile = flag.String("key", "", "X.509 key file")
)
flag.Parse()
server := doh.NewServer()
server.Insecure = *insecure
server.Upstream = strings.Split(*upstream, ",")
if *certFile != "" {
if *autoTLS != "" {
server.AutoTLSManager.Cache = autocert.DirCache(*autoTLS)
server.AutoTLSManager.Email = *email
if *autoTLSDomains != "" {
server.AutoTLSManager.HostPolicy = autocert.HostWhitelist(*autoTLSDomains)
}
server.StartAutoTLS(*listen)
} else if *certFile != "" {
if *keyFile == "" {
*keyFile = *certFile
}
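Review bot: `autocert.HostWhitelist(*autoTLSDomains)` in the new `-autotls` branch passes the entire comma-separated flag value as a single host name, although the flag help promises a comma-separated list and `-upstream` a few lines up is split with `strings.Split`; with two or more domains no SNI name can ever match and every certificate request is refused, so it should read `server.AutoTLSManager.HostPolicy = autocert.HostWhitelist(strings.Split(*autoTLSDomains, ",")...)`. When the flag is omitted, as in the README example added by this commit, `HostPolicy` stays nil and the manager will attempt issuance for whatever host name any client sends in SNI, which is the usual way an autocert deployment gets rate-limited by the CA or used to probe arbitrary names; consider making `-autotls-domains` mandatory whenever `-autotls` is set. The commit does not touch `AutoTLSManager` or `StartAutoTLS` in server.go, so I assume they already exist and set `Prompt: autocert.AcceptTOS` elsewhere; worth confirming, since without it issuance never completes. `main` continues past the end of this hunk.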


+ 1
- 0
go.mod View File

@ -7,5 +7,6 @@ require (
github.com/labstack/echo/v4 v4.1.15
github.com/miekg/dns v1.1.27
github.com/sirupsen/logrus v1.4.2
golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
)
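Review bot: the new `golang.org/x/crypto` requirement is added to go.mod, but the diffstat lists no go.sum change, so this commit pins the module version without its checksum; unless go.sum is untracked in this repository, the next build will record whatever hash the proxy serves rather than the one the author built against. Add the go.sum entries produced by `go mod tidy` in the same commit so the supply-chain pin travels with the dependency.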

+ 6
- 3
server.go View File

@ -20,7 +20,10 @@ import (
"github.com/labstack/echo/v4/middleware"
)
const queryTimeout = 5 * time.Second
const (
queryTimeout = 5 * time.Second
userAgent = "maze.io/doh 1.0"
)
type Server struct {
*echo.Echo
@ -83,8 +86,8 @@ func (server *Server) handleDNSQuery(c echo.Context) error {
header.Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS, POST")
header.Set("Access-Control-Allow-Origin", "*")
header.Set("Access-Control-Max-Age", "3600")
//header.Set("Server", USER_AGENT)
//header.Set("X-Powered-By", USER_AGENT)
header.Set("Server", userAgent)
header.Set("X-Powered-By", userAgent)
if r.Method == http.MethodOptions {
header.Set("Content-Length", "0")
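Review bot: the newly enabled `Server` and `X-Powered-By` headers in handleDNSQuery advertise product and version (`maze.io/doh 1.0`) on every response, which is exactly what scanners fingerprint to pick version-specific attacks, and the removed lines show this had been deliberately disabled before. If a Server header is wanted, send the product name without the version, e.g. `header.Set("Server", "doh")`, and drop `X-Powered-By`, which is non-standard and useless to DoH clients. The constant name suggests `userAgent` is also meant as the outgoing User-Agent toward upstream resolvers, which is a reasonable use; keep that but do not reuse it for response headers. handleDNSQuery begins before this hunk and continues after it.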

