Add optional TLS redirection

encrypted-dns.toml.in

@@ -149,3 +149,6 @@ key_cache_capacity = 10000
 ## Where to prooxy TLS connections to (e.g. DoH server)
 
 # upstream_addr = "127.0.0.1:4343"
+
+@TLS_PROXY_CONFIGURATION@
+

entrypoint.sh

@@ -17,11 +17,13 @@ init() {
         start
         exit $?
     fi
-    while getopts "h?N:E:" opt; do
+
+    while getopts "h?N:E:T:" opt; do
         case "$opt" in
         h | \?) usage ;;
         N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
         E) ext_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
+        T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
         esac
     done
     [ -z "$provider_name" ] && usage
@@ -40,6 +42,11 @@ init() {
         ;;
     esac
 
+    tls_proxy_configuration=""
+    if [ -n "$tls_proxy_upstream_address" ]; then
+        tls_proxy_configuration="upstream_addr = \"${tls_proxy_upstream_address}\""
+    fi
+
     echo "Provider name: [$provider_name]"
 
     echo "$provider_name" >"${KEYS_DIR}/provider_name"
@@ -48,6 +55,7 @@ init() {
     sed \
         -e "s/@PROVIDER_NAME@/${provider_name}/" \
         -e "s/@EXTERNAL_IPV4@/${ext_address}/" \
+        -e "s/@TLS_PROXY_CONFIGURATION@/${tls_proxy_configuration}/" \
         "$CONFIG_FILE_TEMPLATE" >"$CONFIG_FILE"
 
     /opt/encrypted-dns/sbin/encrypted-dns \
@@ -167,6 +175,8 @@ Commands
 * init -N <provider_name> -E <external ip>:<port>
 initialize the container for a server accessible at ip <external ip> on port
 <port>, for a provider named <provider_name>. This is required only once.
+If TLS connections to the same port have to be redirected to a HTTPS server
+(e.g. for DoH), add -T <https server ip>:<port>
 
 * start (default command): start the resolver and the dnscrypt server proxy.
 Ports 443/udp and 443/tcp have to be publicly exposed.