mirror of
https://github.com/dnscrypt/dnscrypt-server-docker
synced 2024-11-22 19:42:03 +01:00
Add support for Anonymized DNS
This commit is contained in:
Frank Denis
parent
f0ccbe88c4
commit
498fdb782d
@ -37,7 +37,7 @@ ENV RUSTFLAGS "-C link-arg=-s"
|
||||
RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
|
||||
curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain nightly && \
|
||||
export PATH="$HOME/.cargo/bin:$PATH" && \
|
||||
echo "Compiling encrypted-dns version 0.2.10" && \
|
||||
echo "Compiling encrypted-dns version 0.3.1" && \
|
||||
cargo install encrypted-dns && \
|
||||
mkdir -p /opt/encrypted-dns/sbin && \
|
||||
mv ~/.cargo/bin/encrypted-dns /opt/encrypted-dns/sbin/ && \
|
||||
|
||||
14
README.md
14
README.md
@ -13,6 +13,8 @@ to get your resolver up and running.
|
||||
Table of Contents
|
||||
=================
|
||||
|
||||
- [DNSCrypt server Docker image](#dnscrypt-server-docker-image)
|
||||
- [Table of Contents](#table-of-contents)
|
||||
- [Quickstart](#quickstart)
|
||||
- [Installation](#installation)
|
||||
- [Customizing Unbound](#customizing-unbound)
|
||||
@ -20,6 +22,8 @@ Table of Contents
|
||||
- [Troubleshooting](#troubleshooting)
|
||||
- [Details](#details)
|
||||
- [Kubernetes](#kubernetes)
|
||||
- [Anonymized DNS](#anonymized-dns)
|
||||
- [TLS (including HTTPS and DoH) forwarding](#tls-including-https-and-doh-forwarding)
|
||||
- [Join the network](#join-the-network)
|
||||
|
||||
Quickstart
|
||||
@ -135,6 +139,16 @@ in minutes.
|
||||
To get your public key just view the logs for the `dnscrypt-init` job. The public
|
||||
IP for your server is merely the `dnscrypt` service address.
|
||||
|
||||
Anonymized DNS
|
||||
==============
|
||||
|
||||
The server can be configured as a relay for the Anonymized DNSCrypt protocol by adding the `-A` switch to the `init` command.
|
||||
|
||||
TLS (including HTTPS and DoH) forwarding
|
||||
========================================
|
||||
|
||||
If the DNS server is listening to port `443`, but you still want to have a web (or DoH) service accessible on that port, add the `-T` switch followed by the backend server IP and port to the `init` command (for example: `-T 10.0.0.1:4443`).
|
||||
|
||||
Join the network
|
||||
================
|
||||
|
||||
|
||||
@ -161,3 +161,37 @@ key_cache_capacity = 10000
|
||||
[filtering]
|
||||
|
||||
@DOMAIN_BLACKLIST_CONFIGURATION@
|
||||
|
||||
|
||||
|
||||
#########################
|
||||
# Metrics #
|
||||
#########################
|
||||
|
||||
# [metrics]
|
||||
|
||||
# type = "prometheus"
|
||||
# listen_addr = "0.0.0.0:9100"
|
||||
# path = "/metrics"
|
||||
|
||||
|
||||
|
||||
################################
|
||||
# Anonymized DNS #
|
||||
################################
|
||||
|
||||
[anonymized_dns]
|
||||
|
||||
# Enable relaying support for Anonymized DNS
|
||||
|
||||
enabled = @ANONDNS_ENABLED@
|
||||
|
||||
|
||||
# Allowed upstream ports
|
||||
|
||||
allowed_ports = [ 443 ]
|
||||
|
||||
|
||||
# Blacklisted upstream IP addresses
|
||||
|
||||
blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ]
|
||||
@ -22,28 +22,32 @@ init() {
|
||||
exit $?
|
||||
fi
|
||||
|
||||
while getopts "h?N:E:T:" opt; do
|
||||
anondns_enabled="false"
|
||||
anondns_blacklisted_ips=""
|
||||
|
||||
while getopts "h?N:E:T:A" opt; do
|
||||
case "$opt" in
|
||||
h | \?) usage ;;
|
||||
N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
||||
E) ext_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
||||
T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
||||
h | \?) usage ;;
|
||||
N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
||||
E) ext_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
||||
T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
||||
A) anondns_enabled="true" ;;
|
||||
esac
|
||||
done
|
||||
[ -z "$provider_name" ] && usage
|
||||
case "$provider_name" in
|
||||
.*) usage ;;
|
||||
2.dnscrypt-cert.*) ;;
|
||||
*) provider_name="2.dnscrypt-cert.${provider_name}" ;;
|
||||
.*) usage ;;
|
||||
2.dnscrypt-cert.*) ;;
|
||||
*) provider_name="2.dnscrypt-cert.${provider_name}" ;;
|
||||
esac
|
||||
|
||||
[ -z "$ext_address" ] && usage
|
||||
case "$ext_address" in
|
||||
.*) usage ;;
|
||||
0.*)
|
||||
echo "Do not use 0.0.0.0, use an actual external IP address" >&2
|
||||
exit 1
|
||||
;;
|
||||
.*) usage ;;
|
||||
0.*)
|
||||
echo "Do not use 0.0.0.0, use an actual external IP address" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
tls_proxy_configuration=""
|
||||
@ -59,7 +63,7 @@ init() {
|
||||
|
||||
echo "Provider name: [$provider_name]"
|
||||
|
||||
echo "$provider_name" > "${KEYS_DIR}/provider_name"
|
||||
echo "$provider_name" >"${KEYS_DIR}/provider_name"
|
||||
chmod 644 "${KEYS_DIR}/provider_name"
|
||||
|
||||
sed \
|
||||
@ -67,7 +71,9 @@ init() {
|
||||
-e "s#@EXTERNAL_IPV4@#${ext_address}#" \
|
||||
-e "s#@TLS_PROXY_CONFIGURATION@#${tls_proxy_configuration}#" \
|
||||
-e "s#@DOMAIN_BLACKLIST_CONFIGURATION@#${domain_blacklist_configuration}#" \
|
||||
"$CONFIG_FILE_TEMPLATE" > "$CONFIG_FILE"
|
||||
-e "s#@ANONDNS_ENABLEDN@#${anondns_enabled}#" \
|
||||
-e "s#@ANONDNS_BLACKLISTED_IPS@#${anondns_blacklisted_ips}#" \
|
||||
"$CONFIG_FILE_TEMPLATE" >"$CONFIG_FILE"
|
||||
|
||||
mkdir -p -m 700 "${STATE_DIR}"
|
||||
chown _encrypted-dns:_encrypted-dns "${STATE_DIR}"
|
||||
@ -77,7 +83,7 @@ init() {
|
||||
/opt/encrypted-dns/sbin/encrypted-dns \
|
||||
--config "$CONFIG_FILE" \
|
||||
--import-from-dnscrypt-wrapper "${KEYS_DIR}/secret.key" \
|
||||
--dry-run > /dev/null || exit 1
|
||||
--dry-run >/dev/null || exit 1
|
||||
mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated"
|
||||
fi
|
||||
|
||||
@ -107,22 +113,22 @@ legacy_compat() {
|
||||
if [ -f "${LEGACY_KEYS_DIR}/provider-info.txt" ] && [ -f "${LEGACY_KEYS_DIR}/provider_name" ]; then
|
||||
echo "Using [${LEGACY_KEYS_DIR}] for keys" >&2
|
||||
mkdir -p "${KEYS_DIR}"
|
||||
mv -f "${KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt.migrated" 2> /dev/null || :
|
||||
ln -s "${LEGACY_KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt" 2> /dev/null || :
|
||||
mv -f "${KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name.migrated" 2> /dev/null || :
|
||||
ln -s "${LEGACY_KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name" 2> /dev/null || :
|
||||
mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated" 2> /dev/null || :
|
||||
ln -s "${LEGACY_KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key" 2> /dev/null || :
|
||||
mv -f "${KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt.migrated" 2>/dev/null || :
|
||||
ln -s "${LEGACY_KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt" 2>/dev/null || :
|
||||
mv -f "${KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name.migrated" 2>/dev/null || :
|
||||
ln -s "${LEGACY_KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name" 2>/dev/null || :
|
||||
mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated" 2>/dev/null || :
|
||||
ln -s "${LEGACY_KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key" 2>/dev/null || :
|
||||
mkdir -p -m 700 "${LEGACY_STATE_DIR}"
|
||||
chown _encrypted-dns:_encrypted-dns "${LEGACY_STATE_DIR}"
|
||||
mv -f "$STATE_DIR" "${STATE_DIR}.migrated" 2> /dev/null || :
|
||||
ln -s "$LEGACY_STATE_DIR" "${STATE_DIR}" 2> /dev/null || :
|
||||
mv -f "$STATE_DIR" "${STATE_DIR}.migrated" 2>/dev/null || :
|
||||
ln -s "$LEGACY_STATE_DIR" "${STATE_DIR}" 2>/dev/null || :
|
||||
fi
|
||||
if [ -f "${LEGACY_LISTS_DIR}/blacklist.txt" ]; then
|
||||
echo "Using [${LEGACY_LISTS_DIR}] for lists" >&2
|
||||
mkdir -p "${LISTS_DIR}"
|
||||
mv -f "${LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt.migrated" 2> /dev/null || :
|
||||
ln -s "${LEGACY_LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt" 2> /dev/null || :
|
||||
mv -f "${LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt.migrated" 2>/dev/null || :
|
||||
ln -s "${LEGACY_LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt" 2>/dev/null || :
|
||||
fi
|
||||
}
|
||||
|
||||
@ -155,13 +161,13 @@ start() {
|
||||
/opt/encrypted-dns/sbin/encrypted-dns \
|
||||
--config "$CONFIG_FILE" \
|
||||
--import-from-dnscrypt-wrapper "${KEYS_DIR}/secret.key" \
|
||||
--dry-run > /dev/null || exit 1
|
||||
--dry-run >/dev/null || exit 1
|
||||
mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated"
|
||||
fi
|
||||
/opt/encrypted-dns/sbin/encrypted-dns \
|
||||
--config "$CONFIG_FILE" --dry-run |
|
||||
tee "${KEYS_DIR}/provider-info.txt"
|
||||
exec /etc/runit/2 < /dev/null > /dev/null 2> /dev/null
|
||||
exec /etc/runit/2 </dev/null >/dev/null 2>/dev/null
|
||||
}
|
||||
|
||||
shell() {
|
||||
@ -169,16 +175,19 @@ shell() {
|
||||
}
|
||||
|
||||
usage() {
|
||||
cat << EOT
|
||||
cat <<EOT
|
||||
Commands
|
||||
========
|
||||
|
||||
* init -N <provider_name> -E <external ip>:<port>
|
||||
initialize the container for a server accessible at ip <external ip> on port
|
||||
<port>, for a provider named <provider_name>. This is required only once.
|
||||
|
||||
If TLS connections to the same port have to be redirected to a HTTPS server
|
||||
(e.g. for DoH), add -T <https server ip>:<port>
|
||||
|
||||
To enable Anonymized DNS relaying, add -A.
|
||||
|
||||
* start (default command): start the resolver and the dnscrypt server proxy.
|
||||
Ports 443/udp and 443/tcp have to be publicly exposed.
|
||||
|
||||
@ -193,12 +202,12 @@ EOT
|
||||
}
|
||||
|
||||
case "$action" in
|
||||
start) start ;;
|
||||
init)
|
||||
shift
|
||||
init "$@"
|
||||
;;
|
||||
provider-info) provider_info ;;
|
||||
shell) shell ;;
|
||||
*) usage ;;
|
||||
start) start ;;
|
||||
init)
|
||||
shift
|
||||
init "$@"
|
||||
;;
|
||||
provider-info) provider_info ;;
|
||||
shell) shell ;;
|
||||
*) usage ;;
|
||||
esac
|
||||
|
||||
Loading…
Reference in New Issue
Block a user