mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2024-11-29 02:18:51 +03:00
Pull request: 2799 trusted proxy
Merge in DNS/adguard-home from 2799-trusted-proxy to master Updates #2799. Squashed commit of the following: commit 708a06b30116126a575767ea70865a6de90de774 Author: Eugene Burkov <e.burkov@adguard.com> Date: Fri Jul 23 18:56:16 2021 +0300 all: add trusted proxy mechanism
parent
8e8f14aefb
commit
2f661df88c
6 changed files with 17 additions and 1 deletions
|
@ -42,6 +42,8 @@ and this project adheres to
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
|
- Proxied DNS-over-HTTPS queries are now only accepted from proxy servers on the
|
||||||
|
`trusted_proxies` list ([#2799]).
|
||||||
- Clients who are blocked by access settings now receive a `REFUSED` response
|
- Clients who are blocked by access settings now receive a `REFUSED` response
|
||||||
when a protocol other than DNS-over-UDP and DNSCrypt is used.
|
when a protocol other than DNS-over-UDP and DNSCrypt is used.
|
||||||
- `querylog_interval` setting is now formatted in hours.
|
- `querylog_interval` setting is now formatted in hours.
|
||||||
|
@ -60,6 +62,7 @@ and this project adheres to
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
- Wrong IP address for proxied DNS-over-HTTPS queries ([#2799]).
|
||||||
- Domain name letter case mismatches in DNS rewrites ([#3351]).
|
- Domain name letter case mismatches in DNS rewrites ([#3351]).
|
||||||
- Conflicts between IPv4 and IPv6 DNS rewrites ([#3343]).
|
- Conflicts between IPv4 and IPv6 DNS rewrites ([#3343]).
|
||||||
- Letter case mismatches in `CNAME` filtering ([#3335]).
|
- Letter case mismatches in `CNAME` filtering ([#3335]).
|
||||||
|
@ -89,6 +92,7 @@ and this project adheres to
|
||||||
[#2504]: https://github.com/AdguardTeam/AdGuardHome/issues/2504
|
[#2504]: https://github.com/AdguardTeam/AdGuardHome/issues/2504
|
||||||
[#2624]: https://github.com/AdguardTeam/AdGuardHome/issues/2624
|
[#2624]: https://github.com/AdguardTeam/AdGuardHome/issues/2624
|
||||||
[#2763]: https://github.com/AdguardTeam/AdGuardHome/issues/2763
|
[#2763]: https://github.com/AdguardTeam/AdGuardHome/issues/2763
|
||||||
|
[#2799]: https://github.com/AdguardTeam/AdGuardHome/issues/2799
|
||||||
[#3012]: https://github.com/AdguardTeam/AdGuardHome/issues/3012
|
[#3012]: https://github.com/AdguardTeam/AdGuardHome/issues/3012
|
||||||
[#3013]: https://github.com/AdguardTeam/AdGuardHome/issues/3013
|
[#3013]: https://github.com/AdguardTeam/AdGuardHome/issues/3013
|
||||||
[#3136]: https://github.com/AdguardTeam/AdGuardHome/issues/3136
|
[#3136]: https://github.com/AdguardTeam/AdGuardHome/issues/3136
|
||||||
|
|
2
go.mod
2
go.mod
|
@ -3,7 +3,7 @@ module github.com/AdguardTeam/AdGuardHome
|
||||||
go 1.16
|
go 1.16
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/AdguardTeam/dnsproxy v0.38.3
|
github.com/AdguardTeam/dnsproxy v0.39.0
|
||||||
github.com/AdguardTeam/golibs v0.8.0
|
github.com/AdguardTeam/golibs v0.8.0
|
||||||
github.com/AdguardTeam/urlfilter v0.14.6
|
github.com/AdguardTeam/urlfilter v0.14.6
|
||||||
github.com/NYTimes/gziphandler v1.1.1
|
github.com/NYTimes/gziphandler v1.1.1
|
||||||
|
|
3
go.sum
3
go.sum
|
@ -11,6 +11,8 @@ github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf h1:gc042VRSIRSUzZ
|
||||||
github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf/go.mod h1:TKl4jN3Voofo4UJIicyNhWGp/nlQqQkFxmwIFTvBkKI=
|
github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf/go.mod h1:TKl4jN3Voofo4UJIicyNhWGp/nlQqQkFxmwIFTvBkKI=
|
||||||
github.com/AdguardTeam/dnsproxy v0.38.3 h1:DvycTEOn2wuHmY+HE5XL4EnCV2EVbpREpbgZB06IJ0I=
|
github.com/AdguardTeam/dnsproxy v0.38.3 h1:DvycTEOn2wuHmY+HE5XL4EnCV2EVbpREpbgZB06IJ0I=
|
||||||
github.com/AdguardTeam/dnsproxy v0.38.3/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0=
|
github.com/AdguardTeam/dnsproxy v0.38.3/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0=
|
||||||
|
github.com/AdguardTeam/dnsproxy v0.39.0 h1:5/PN2mpUeCTWtvqXUbSPTMJSOad4lJscPzm+C2f4jB4=
|
||||||
|
github.com/AdguardTeam/dnsproxy v0.39.0/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0=
|
||||||
github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
|
github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
|
||||||
github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
|
github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
|
||||||
github.com/AdguardTeam/golibs v0.8.0 h1:rHo+yIgT2fivFG0yW2Cwk/DPc2+t/Aw6QvzPpiIFre0=
|
github.com/AdguardTeam/golibs v0.8.0 h1:rHo+yIgT2fivFG0yW2Cwk/DPc2+t/Aw6QvzPpiIFre0=
|
||||||
|
@ -105,6 +107,7 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
|
||||||
github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8=
|
github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8=
|
||||||
github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
|
github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
|
||||||
github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
|
github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
|
||||||
|
github.com/jessevdk/go-flags v1.4.0 h1:4IU2WS7AumrZ/40jfhf4QVDMsQwqA7VEHozFRrGARJA=
|
||||||
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
|
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
|
||||||
github.com/joomcode/errorx v1.0.1/go.mod h1:kgco15ekB6cs+4Xjzo7SPeXzx38PbJzBwbnu9qfVNHQ=
|
github.com/joomcode/errorx v1.0.1/go.mod h1:kgco15ekB6cs+4Xjzo7SPeXzx38PbJzBwbnu9qfVNHQ=
|
||||||
github.com/joomcode/errorx v1.0.3 h1:3e1mi0u7/HTPNdg6d6DYyKGBhA5l9XpsfuVE29NxnWw=
|
github.com/joomcode/errorx v1.0.3 h1:3e1mi0u7/HTPNdg6d6DYyKGBhA5l9XpsfuVE29NxnWw=
|
||||||
|
|
|
@ -94,6 +94,11 @@ type FilteringConfig struct {
|
||||||
AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients
|
AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients
|
||||||
DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
|
DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
|
||||||
BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked
|
BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked
|
||||||
|
// TrustedProxies is the list of IP addresses and CIDR networks to
|
||||||
|
// detect proxy servers addresses the DoH requests from which should be
|
||||||
|
// handled. The value of nil or an empty slice for this field makes
|
||||||
|
// Proxy not trust any address.
|
||||||
|
TrustedProxies []string `yaml:"trusted_proxies"`
|
||||||
|
|
||||||
// DNS cache settings
|
// DNS cache settings
|
||||||
// --
|
// --
|
||||||
|
@ -210,6 +215,7 @@ func (s *Server) createProxyConfig() (proxy.Config, error) {
|
||||||
Ratelimit: int(s.conf.Ratelimit),
|
Ratelimit: int(s.conf.Ratelimit),
|
||||||
RatelimitWhitelist: s.conf.RatelimitWhitelist,
|
RatelimitWhitelist: s.conf.RatelimitWhitelist,
|
||||||
RefuseAny: s.conf.RefuseAny,
|
RefuseAny: s.conf.RefuseAny,
|
||||||
|
TrustedProxies: s.conf.TrustedProxies,
|
||||||
CacheMinTTL: s.conf.CacheMinTTL,
|
CacheMinTTL: s.conf.CacheMinTTL,
|
||||||
CacheMaxTTL: s.conf.CacheMaxTTL,
|
CacheMaxTTL: s.conf.CacheMaxTTL,
|
||||||
CacheOptimistic: s.conf.CacheOptimistic,
|
CacheOptimistic: s.conf.CacheOptimistic,
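Review bot: The doc comment on `TrustedProxies` in `FilteringConfig` is hard to parse and does not say what trusting an address implies. Judging by the changelog entries in this commit, a listed proxy decides which client address a proxied DoH query is attributed to, so the comment should tell operators to keep entries as narrow as possible, since `allowed_clients` and `disallowed_clients` presumably act on that address. Suggested wording: `// TrustedProxies is the list of IP addresses and CIDR networks of proxy servers whose proxied DoH requests are accepted. A nil or empty slice means that no proxy is trusted.` In `createProxyConfig` the slice is handed to `proxy.Config` unchanged, so whether a malformed entry is rejected or silently ignored is not visible here and is worth confirming. Both the struct and the function continue outside their hunks.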
|
||||||
|
|
|
@ -227,6 +227,7 @@ func (s *Server) WriteDiskConfig(c *FilteringConfig) {
|
||||||
c.AllowedClients = aghstrings.CloneSlice(sc.AllowedClients)
|
c.AllowedClients = aghstrings.CloneSlice(sc.AllowedClients)
|
||||||
c.DisallowedClients = aghstrings.CloneSlice(sc.DisallowedClients)
|
c.DisallowedClients = aghstrings.CloneSlice(sc.DisallowedClients)
|
||||||
c.BlockedHosts = aghstrings.CloneSlice(sc.BlockedHosts)
|
c.BlockedHosts = aghstrings.CloneSlice(sc.BlockedHosts)
|
||||||
|
c.TrustedProxies = aghstrings.CloneSlice(sc.TrustedProxies)
|
||||||
c.UpstreamDNS = aghstrings.CloneSlice(sc.UpstreamDNS)
|
c.UpstreamDNS = aghstrings.CloneSlice(sc.UpstreamDNS)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -179,6 +179,8 @@ var config = configuration{
|
||||||
RefuseAny: true,
|
RefuseAny: true,
|
||||||
AllServers: false,
|
AllServers: false,
|
||||||
|
|
||||||
|
TrustedProxies: []string{"127.0.0.0/8", "::1/128"},
|
||||||
|
|
||||||
// set default maximum concurrent queries to 300
|
// set default maximum concurrent queries to 300
|
||||||
// we introduced a default limit due to this:
|
// we introduced a default limit due to this:
|
||||||
// https://github.com/AdguardTeam/AdGuardHome/issues/2015#issuecomment-674041912
|
// https://github.com/AdguardTeam/AdGuardHome/issues/2015#issuecomment-674041912
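Review bot: The new default `TrustedProxies: []string{"127.0.0.0/8", "::1/128"}` in `config` carries no comment, unlike the concurrency limit that follows it. Since the changelog states that proxied DoH queries are now accepted only from listed proxies, a reverse proxy running on another host will need an explicit entry after upgrading. A line such as `// Trust only loopback by default, so that only a reverse proxy on the same host is accepted.` would record that intent next to the value. The `config` literal starts and ends outside the hunk.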
|
||||||
|
|