Activate DNS-over-TLS server when certificates, keys and ports are configured.

Eugene Bujak 2019-02-12 17:23:38 +03:00 committed by Eugene Bujak
parent 0aeca6bbf5
commit 229ef78085
3 changed files with 29 additions and 6 deletions


@ -67,8 +67,8 @@ type tlsConfig struct {
ForceHTTPS bool `yaml:"force_https" json:"force_https,omitempty"` ForceHTTPS bool `yaml:"force_https" json:"force_https,omitempty"`
PortHTTPS int `yaml:"port_https" json:"port_https,omitempty"` PortHTTPS int `yaml:"port_https" json:"port_https,omitempty"`
PortDNSOverTLS int `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"` PortDNSOverTLS int `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"`
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"`
PrivateKey string `yaml:"private_key" json:"private_key"` dnsforward.TLSConfig `yaml:",inline" json:",inline"`
// only for API, no need to be stored in config // only for API, no need to be stored in config
StatusCertificate string `yaml:"status_cert" json:"status_cert,omitempty"` StatusCertificate string `yaml:"status_cert" json:"status_cert,omitempty"`

5
dns.go

@ -51,6 +51,11 @@ func generateServerConfig() dnsforward.ServerConfig {
Filters: filters, Filters: filters,
} }
newconfig.TLSConfig = config.TLS.TLSConfig
if config.TLS.PortDNSOverTLS != 0 {
newconfig.TLSListenAddr = &net.TCPAddr{IP: net.ParseIP(config.DNS.BindHost), Port: config.TLS.PortDNSOverTLS}
}
for _, u := range config.DNS.UpstreamDNS { for _, u := range config.DNS.UpstreamDNS {
dnsUpstream, err := upstream.AddressToUpstream(u, config.DNS.BootstrapDNS, dnsforward.DefaultTimeout) dnsUpstream, err := upstream.AddressToUpstream(u, config.DNS.BootstrapDNS, dnsforward.DefaultTimeout)
if err != nil { if err != nil {
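Review bot: `net.ParseIP(config.DNS.BindHost)` in the new TLSListenAddr assignment returns a nil IP when bind_host is not a literal IP address, and a `net.TCPAddr` with a nil IP listens on all interfaces, so a malformed bind_host would silently widen the DNS-over-TLS listener instead of failing. generateServerConfig returns no error, so the check belongs where bind_host is parsed or validated, unless that already happens before this function is called (not visible in the hunk). At minimum the line deserves a comment such as `// nil IP (unparseable bind_host) listens on all interfaces; bind_host must be validated before this point`. The UDP/TCP listen addresses are outside the hunk, so I cannot tell whether they follow the same pattern.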


@ -1,6 +1,7 @@
package dnsforward package dnsforward
import ( import (
"crypto/tls"
"errors" "errors"
"fmt" "fmt"
"net" "net"
@ -55,6 +56,7 @@ func NewServer(baseDir string) *Server {
} }
// FilteringConfig represents the DNS filtering configuration of AdGuard Home // FilteringConfig represents the DNS filtering configuration of AdGuard Home
// The zero FilteringConfig is empty and ready for use.
type FilteringConfig struct { type FilteringConfig struct {
ProtectionEnabled bool `yaml:"protection_enabled"` // whether or not use any of dnsfilter features ProtectionEnabled bool `yaml:"protection_enabled"` // whether or not use any of dnsfilter features
FilteringEnabled bool `yaml:"filtering_enabled"` // whether or not use filter lists FilteringEnabled bool `yaml:"filtering_enabled"` // whether or not use filter lists
@ -68,6 +70,12 @@ type FilteringConfig struct {
dnsfilter.Config `yaml:",inline"` dnsfilter.Config `yaml:",inline"`
} }
type TLSConfig struct {
TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"`
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"`
PrivateKey string `yaml:"private_key" json:"private_key"`
}
// ServerConfig represents server configuration. // ServerConfig represents server configuration.
// The zero ServerConfig is empty and ready for use. // The zero ServerConfig is empty and ready for use.
type ServerConfig struct { type ServerConfig struct {
@ -77,6 +85,7 @@ type ServerConfig struct {
Filters []dnsfilter.Filter // A list of filters to use Filters []dnsfilter.Filter // A list of filters to use
FilteringConfig FilteringConfig
TLSConfig
} }
// if any of ServerConfig values are zero, then default values from below are used // if any of ServerConfig values are zero, then default values from below are used
@ -154,6 +163,15 @@ func (s *Server) startInternal(config *ServerConfig) error {
Handler: s.handleDNSRequest, Handler: s.handleDNSRequest,
} }
if s.TLSListenAddr != nil && s.CertificateChain != "" && s.PrivateKey != "" {
proxyConfig.TLSListenAddr = s.TLSListenAddr
keypair, err := tls.X509KeyPair([]byte(s.CertificateChain), []byte(s.PrivateKey))
if err != nil {
return errorx.Decorate(err, "Failed to parse TLS keypair")
}
proxyConfig.TLSConfig = &tls.Config{Certificates: []tls.Certificate{keypair}}
}
if proxyConfig.UDPListenAddr == nil { if proxyConfig.UDPListenAddr == nil {
proxyConfig.UDPListenAddr = defaultValues.UDPListenAddr proxyConfig.UDPListenAddr = defaultValues.UDPListenAddr
} }
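Review bot: The `tls.Config` built on the line after the keypair check sets only Certificates, so the DNS-over-TLS listener falls back to crypto/tls's server-side default minimum version (TLS 1.0); DoT deployments generally expect TLS 1.2 or newer, so pin it: `proxyConfig.TLSConfig = &tls.Config{Certificates: []tls.Certificate{keypair}, MinVersion: tls.VersionTLS12}`. The guard `if s.TLSListenAddr != nil && s.CertificateChain != "" && s.PrivateKey != ""` also skips DoT silently when a port is configured but the chain or key is empty, leaving the operator with a configured port that never listens; returning an error, or at least logging, for that partial configuration would make the failure visible. Both points are inside startInternal, whose body continues past the hunk.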