mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2024-11-29 10:28:53 +03:00
39f5c50acd
Updates #2860. Squashed commit of the following: commit 0d55a99d5c0b9f1d8c9497775dd69929e5091eaa Merge: 73a203ac8d4a4bda64Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Thu Jun 29 16:25:36 2023 +0400 Merge remote-tracking branch 'origin/master' into http-yaml-conf commit 73a203ac8acf083fa289015e1f301d05bf320ea7 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Thu Jun 29 16:21:48 2023 +0400 home: imp docs commit a4819ace94bfe4427f70f1b8341c9babc9234740 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Thu Jun 29 11:45:30 2023 +0400 snap: imp script commit b0913c7ac5c6c46d6a73790fd57d8c5f9d7ace75 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Wed Jun 28 17:34:03 2023 +0400 all: docs commit 14820d6d56f958081d9f236277fd34f356bdab33 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Wed Jun 28 13:21:43 2023 +0400 home: imp tests commit 9db800d3ce39c36da7959e37b4a46736f4217e5c Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Wed Jun 28 13:17:34 2023 +0400 all: docs commit 9174a0ae710da51d85b4e1b1af79eda6a61dd3a2 Merge: ca8c4ae95d88181343Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Wed Jun 28 10:19:01 2023 +0400 Merge remote-tracking branch 'origin/master' into http-yaml-conf # Conflicts: # CHANGELOG.md # internal/home/upgrade.go # internal/home/upgrade_test.go commit ca8c4ae954ece25d78ef2f873bb3ba71fa4b8fa9 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Wed Jun 28 10:07:15 2023 +0400 snap: imp script commit d84473f8e07b2c6e65023613eb4032fd01951521 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Wed Jun 28 09:59:57 2023 +0400 snap: imp script commit 8a0808e42ddbff7d9d3345d758f91b14bb4453be Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Tue Jun 27 15:03:53 2023 +0400 home: http conf commit e8fbb89cc5748f9d8fa4be9e702756bd8b869de9 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Tue Jun 27 14:59:37 2023 +0400 home: imp code commit 46541aabc421118562d564675dfd7e594d2056aa Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Tue Jun 27 12:36:14 2023 +0400 snap: bind port commit cecda5fcfd8c473db42f235b4f586b2193086997 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Tue Jun 27 12:12:39 2023 +0400 docker: bind port commit 8d8945b70366c6b018616a32421c77eb281a6ea1 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Tue Jun 27 11:06:32 2023 +0400 home: imp code commit ae5e8c1c4333d7b752c08605d80e41f55ee50e59 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Tue Jun 27 11:02:09 2023 +0400 home: imp code commit c9ee460f37e32941b84ea5fa94d21b186d6dd82b Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Jun 26 17:11:10 2023 +0400 home: imp code commit 44c72445112ef38d6ec9c25b197c119edd6c959f Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Jun 26 11:52:19 2023 +0400 all: docs commit e3bf5faeb748f347b1202a496788739ff9219ed0 Merge: 38cc0f639e7e638443Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Jun 26 11:39:12 2023 +0400 Merge remote-tracking branch 'origin/master' into http-yaml-conf commit 38cc0f6399040f1fa39d9da31ad6db65a6bdd4cc Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Jun 26 11:38:17 2023 +0400 snap: bind port commit 3b9cb9e8cc89a67e55cecc7a2040c150f8675b4c Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Jun 26 11:25:03 2023 +0400 docker: bind port ... and 4 more commits
640 lines
20 KiB
Go
640 lines
20 KiB
Go
package home
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"net/netip"
|
|
"os"
|
|
"path/filepath"
|
|
"sync"
|
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/filtering"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/querylog"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/schedule"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/stats"
|
|
"github.com/AdguardTeam/dnsproxy/fastip"
|
|
"github.com/AdguardTeam/golibs/errors"
|
|
"github.com/AdguardTeam/golibs/log"
|
|
"github.com/AdguardTeam/golibs/timeutil"
|
|
"github.com/google/renameio/maybe"
|
|
"golang.org/x/exp/slices"
|
|
yaml "gopkg.in/yaml.v3"
|
|
)
|
|
|
|
// dataDir is the name of a directory under the working one to store some
|
|
// persistent data.
|
|
const dataDir = "data"
|
|
|
|
// logSettings are the logging settings part of the configuration file.
|
|
//
|
|
// TODO(a.garipov): Put them into a separate object.
|
|
type logSettings struct {
|
|
// File is the path to the log file. If empty, logs are written to stdout.
|
|
// If "syslog", logs are written to syslog.
|
|
File string `yaml:"log_file"`
|
|
|
|
// MaxBackups is the maximum number of old log files to retain.
|
|
//
|
|
// NOTE: MaxAge may still cause them to get deleted.
|
|
MaxBackups int `yaml:"log_max_backups"`
|
|
|
|
// MaxSize is the maximum size of the log file before it gets rotated, in
|
|
// megabytes. The default value is 100 MB.
|
|
MaxSize int `yaml:"log_max_size"`
|
|
|
|
// MaxAge is the maximum duration for retaining old log files, in days.
|
|
MaxAge int `yaml:"log_max_age"`
|
|
|
|
// Compress determines, if the rotated log files should be compressed using
|
|
// gzip.
|
|
Compress bool `yaml:"log_compress"`
|
|
|
|
// LocalTime determines, if the time used for formatting the timestamps in
|
|
// is the computer's local time.
|
|
LocalTime bool `yaml:"log_localtime"`
|
|
|
|
// Verbose determines, if verbose (aka debug) logging is enabled.
|
|
Verbose bool `yaml:"verbose"`
|
|
}
|
|
|
|
// osConfig contains OS-related configuration.
|
|
type osConfig struct {
|
|
// Group is the name of the group which AdGuard Home must switch to on
|
|
// startup. Empty string means no switching.
|
|
Group string `yaml:"group"`
|
|
// User is the name of the user which AdGuard Home must switch to on
|
|
// startup. Empty string means no switching.
|
|
User string `yaml:"user"`
|
|
// RlimitNoFile is the maximum number of opened fd's per process. Zero
|
|
// means use the default value.
|
|
RlimitNoFile uint64 `yaml:"rlimit_nofile"`
|
|
}
|
|
|
|
type clientsConfig struct {
|
|
// Sources defines the set of sources to fetch the runtime clients from.
|
|
Sources *clientSourcesConfig `yaml:"runtime_sources"`
|
|
// Persistent are the configured clients.
|
|
Persistent []*clientObject `yaml:"persistent"`
|
|
}
|
|
|
|
// clientSourceConfig is used to configure where the runtime clients will be
|
|
// obtained from.
|
|
type clientSourcesConfig struct {
|
|
WHOIS bool `yaml:"whois"`
|
|
ARP bool `yaml:"arp"`
|
|
RDNS bool `yaml:"rdns"`
|
|
DHCP bool `yaml:"dhcp"`
|
|
HostsFile bool `yaml:"hosts"`
|
|
}
|
|
|
|
// configuration is loaded from YAML.
|
|
//
|
|
// Field ordering is important, YAML fields better not to be reordered, if it's
|
|
// not absolutely necessary.
|
|
type configuration struct {
|
|
// Raw file data to avoid re-reading of configuration file
|
|
// It's reset after config is parsed
|
|
fileData []byte
|
|
|
|
// HTTPConfig is the block with http conf.
|
|
HTTPConfig httpConfig `yaml:"http"`
|
|
// Users are the clients capable for accessing the web interface.
|
|
Users []webUser `yaml:"users"`
|
|
// AuthAttempts is the maximum number of failed login attempts a user
|
|
// can do before being blocked.
|
|
AuthAttempts uint `yaml:"auth_attempts"`
|
|
// AuthBlockMin is the duration, in minutes, of the block of new login
|
|
// attempts after AuthAttempts unsuccessful login attempts.
|
|
AuthBlockMin uint `yaml:"block_auth_min"`
|
|
// ProxyURL is the address of proxy server for the internal HTTP client.
|
|
ProxyURL string `yaml:"http_proxy"`
|
|
// Language is a two-letter ISO 639-1 language code.
|
|
Language string `yaml:"language"`
|
|
// Theme is a UI theme for current user.
|
|
Theme Theme `yaml:"theme"`
|
|
// DebugPProf defines if the profiling HTTP handler will listen on :6060.
|
|
DebugPProf bool `yaml:"debug_pprof"`
|
|
|
|
DNS dnsConfig `yaml:"dns"`
|
|
TLS tlsConfigSettings `yaml:"tls"`
|
|
QueryLog queryLogConfig `yaml:"querylog"`
|
|
Stats statsConfig `yaml:"statistics"`
|
|
|
|
// Filters reflects the filters from [filtering.Config]. It's cloned to the
|
|
// config used in the filtering module at the startup. Afterwards it's
|
|
// cloned from the filtering module back here.
|
|
//
|
|
// TODO(e.burkov): Move all the filtering configuration fields into the
|
|
// only configuration subsection covering the changes with a single
|
|
// migration. Also keep the blocked services in mind.
|
|
Filters []filtering.FilterYAML `yaml:"filters"`
|
|
WhitelistFilters []filtering.FilterYAML `yaml:"whitelist_filters"`
|
|
UserRules []string `yaml:"user_rules"`
|
|
|
|
DHCP *dhcpd.ServerConfig `yaml:"dhcp"`
|
|
|
|
// Clients contains the YAML representations of the persistent clients.
|
|
// This field is only used for reading and writing persistent client data.
|
|
// Keep this field sorted to ensure consistent ordering.
|
|
Clients *clientsConfig `yaml:"clients"`
|
|
|
|
logSettings `yaml:",inline"`
|
|
|
|
OSConfig *osConfig `yaml:"os"`
|
|
|
|
sync.RWMutex `yaml:"-"`
|
|
|
|
SchemaVersion int `yaml:"schema_version"` // keeping last so that users will be less tempted to change it -- used when upgrading between versions
|
|
}
|
|
|
|
// httpConfig is a block with HTTP configuration params.
|
|
//
|
|
// Field ordering is important, YAML fields better not to be reordered, if it's
|
|
// not absolutely necessary.
|
|
type httpConfig struct {
|
|
// Address is the address to serve the web UI on.
|
|
Address netip.AddrPort
|
|
|
|
// SessionTTL for a web session.
|
|
// An active session is automatically refreshed once a day.
|
|
SessionTTL timeutil.Duration `yaml:"session_ttl"`
|
|
}
|
|
|
|
// dnsConfig is a block with DNS configuration params.
|
|
//
|
|
// Field ordering is important, YAML fields better not to be reordered, if it's
|
|
// not absolutely necessary.
|
|
type dnsConfig struct {
|
|
BindHosts []netip.Addr `yaml:"bind_hosts"`
|
|
Port int `yaml:"port"`
|
|
|
|
// AnonymizeClientIP defines if clients' IP addresses should be anonymized
|
|
// in query log and statistics.
|
|
AnonymizeClientIP bool `yaml:"anonymize_client_ip"`
|
|
|
|
dnsforward.FilteringConfig `yaml:",inline"`
|
|
|
|
DnsfilterConf *filtering.Config `yaml:",inline"`
|
|
|
|
// UpstreamTimeout is the timeout for querying upstream servers.
|
|
UpstreamTimeout timeutil.Duration `yaml:"upstream_timeout"`
|
|
|
|
// PrivateNets is the set of IP networks for which the private reverse DNS
|
|
// resolver should be used.
|
|
PrivateNets []string `yaml:"private_networks"`
|
|
|
|
// UsePrivateRDNS defines if the PTR requests for unknown addresses from
|
|
// locally-served networks should be resolved via private PTR resolvers.
|
|
UsePrivateRDNS bool `yaml:"use_private_ptr_resolvers"`
|
|
|
|
// LocalPTRResolvers is the slice of addresses to be used as upstreams
|
|
// for PTR queries for locally-served networks.
|
|
LocalPTRResolvers []string `yaml:"local_ptr_upstreams"`
|
|
|
|
// UseDNS64 defines if DNS64 should be used for incoming requests.
|
|
UseDNS64 bool `yaml:"use_dns64"`
|
|
|
|
// DNS64Prefixes is the list of NAT64 prefixes to be used for DNS64.
|
|
DNS64Prefixes []netip.Prefix `yaml:"dns64_prefixes"`
|
|
|
|
// ServeHTTP3 defines if HTTP/3 is be allowed for incoming requests.
|
|
//
|
|
// TODO(a.garipov): Add to the UI when HTTP/3 support is no longer
|
|
// experimental.
|
|
ServeHTTP3 bool `yaml:"serve_http3"`
|
|
|
|
// UseHTTP3Upstreams defines if HTTP/3 is be allowed for DNS-over-HTTPS
|
|
// upstreams.
|
|
//
|
|
// TODO(a.garipov): Add to the UI when HTTP/3 support is no longer
|
|
// experimental.
|
|
UseHTTP3Upstreams bool `yaml:"use_http3_upstreams"`
|
|
}
|
|
|
|
type tlsConfigSettings struct {
|
|
Enabled bool `yaml:"enabled" json:"enabled"` // Enabled is the encryption (DoT/DoH/HTTPS) status
|
|
ServerName string `yaml:"server_name" json:"server_name,omitempty"` // ServerName is the hostname of your HTTPS/TLS server
|
|
ForceHTTPS bool `yaml:"force_https" json:"force_https"` // ForceHTTPS: if true, forces HTTP->HTTPS redirect
|
|
PortHTTPS int `yaml:"port_https" json:"port_https,omitempty"` // HTTPS port. If 0, HTTPS will be disabled
|
|
PortDNSOverTLS int `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"` // DNS-over-TLS port. If 0, DoT will be disabled
|
|
PortDNSOverQUIC int `yaml:"port_dns_over_quic" json:"port_dns_over_quic,omitempty"` // DNS-over-QUIC port. If 0, DoQ will be disabled
|
|
|
|
// PortDNSCrypt is the port for DNSCrypt requests. If it's zero,
|
|
// DNSCrypt is disabled.
|
|
PortDNSCrypt int `yaml:"port_dnscrypt" json:"port_dnscrypt"`
|
|
// DNSCryptConfigFile is the path to the DNSCrypt config file. Must be
|
|
// set if PortDNSCrypt is not zero.
|
|
//
|
|
// See https://github.com/AdguardTeam/dnsproxy and
|
|
// https://github.com/ameshkov/dnscrypt.
|
|
DNSCryptConfigFile string `yaml:"dnscrypt_config_file" json:"dnscrypt_config_file"`
|
|
|
|
// Allow DoH queries via unencrypted HTTP (e.g. for reverse proxying)
|
|
AllowUnencryptedDoH bool `yaml:"allow_unencrypted_doh" json:"allow_unencrypted_doh"`
|
|
|
|
dnsforward.TLSConfig `yaml:",inline" json:",inline"`
|
|
}
|
|
|
|
type queryLogConfig struct {
|
|
// Ignored is the list of host names, which should not be written to log.
|
|
Ignored []string `yaml:"ignored"`
|
|
|
|
// Interval is the interval for query log's files rotation.
|
|
Interval timeutil.Duration `yaml:"interval"`
|
|
|
|
// MemSize is the number of entries kept in memory before they are flushed
|
|
// to disk.
|
|
MemSize uint32 `yaml:"size_memory"`
|
|
|
|
// Enabled defines if the query log is enabled.
|
|
Enabled bool `yaml:"enabled"`
|
|
|
|
// FileEnabled defines, if the query log is written to the file.
|
|
FileEnabled bool `yaml:"file_enabled"`
|
|
}
|
|
|
|
type statsConfig struct {
|
|
// Ignored is the list of host names, which should not be counted.
|
|
Ignored []string `yaml:"ignored"`
|
|
|
|
// Interval is the retention interval for statistics.
|
|
Interval timeutil.Duration `yaml:"interval"`
|
|
|
|
// Enabled defines if the statistics are enabled.
|
|
Enabled bool `yaml:"enabled"`
|
|
}
|
|
|
|
// config is the global configuration structure.
|
|
//
|
|
// TODO(a.garipov, e.burkov): This global is awful and must be removed.
|
|
var config = &configuration{
|
|
AuthAttempts: 5,
|
|
AuthBlockMin: 15,
|
|
HTTPConfig: httpConfig{
|
|
Address: netip.AddrPortFrom(netip.IPv4Unspecified(), 3000),
|
|
SessionTTL: timeutil.Duration{Duration: 30 * timeutil.Day},
|
|
},
|
|
DNS: dnsConfig{
|
|
BindHosts: []netip.Addr{netip.IPv4Unspecified()},
|
|
Port: defaultPortDNS,
|
|
FilteringConfig: dnsforward.FilteringConfig{
|
|
ProtectionEnabled: true, // whether or not use any of filtering features
|
|
BlockingMode: dnsforward.BlockingModeDefault,
|
|
BlockedResponseTTL: 10, // in seconds
|
|
Ratelimit: 20,
|
|
RefuseAny: true,
|
|
AllServers: false,
|
|
HandleDDR: true,
|
|
FastestTimeout: timeutil.Duration{
|
|
Duration: fastip.DefaultPingWaitTimeout,
|
|
},
|
|
|
|
TrustedProxies: []string{"127.0.0.0/8", "::1/128"},
|
|
CacheSize: 4 * 1024 * 1024,
|
|
|
|
EDNSClientSubnet: &dnsforward.EDNSClientSubnet{
|
|
CustomIP: netip.Addr{},
|
|
Enabled: false,
|
|
UseCustom: false,
|
|
},
|
|
|
|
// set default maximum concurrent queries to 300
|
|
// we introduced a default limit due to this:
|
|
// https://github.com/AdguardTeam/AdGuardHome/issues/2015#issuecomment-674041912
|
|
// was later increased to 300 due to https://github.com/AdguardTeam/AdGuardHome/issues/2257
|
|
MaxGoroutines: 300,
|
|
},
|
|
DnsfilterConf: &filtering.Config{
|
|
FilteringEnabled: true,
|
|
FiltersUpdateIntervalHours: 24,
|
|
|
|
ParentalEnabled: false,
|
|
SafeBrowsingEnabled: false,
|
|
|
|
SafeBrowsingCacheSize: 1 * 1024 * 1024,
|
|
SafeSearchCacheSize: 1 * 1024 * 1024,
|
|
ParentalCacheSize: 1 * 1024 * 1024,
|
|
CacheTime: 30,
|
|
|
|
SafeSearchConf: filtering.SafeSearchConfig{
|
|
Enabled: false,
|
|
Bing: true,
|
|
DuckDuckGo: true,
|
|
Google: true,
|
|
Pixabay: true,
|
|
Yandex: true,
|
|
YouTube: true,
|
|
},
|
|
|
|
BlockedServices: &filtering.BlockedServices{
|
|
Schedule: schedule.EmptyWeekly(),
|
|
IDs: []string{},
|
|
},
|
|
},
|
|
UpstreamTimeout: timeutil.Duration{Duration: dnsforward.DefaultTimeout},
|
|
UsePrivateRDNS: true,
|
|
},
|
|
TLS: tlsConfigSettings{
|
|
PortHTTPS: defaultPortHTTPS,
|
|
PortDNSOverTLS: defaultPortTLS, // needs to be passed through to dnsproxy
|
|
PortDNSOverQUIC: defaultPortQUIC,
|
|
},
|
|
QueryLog: queryLogConfig{
|
|
Enabled: true,
|
|
FileEnabled: true,
|
|
Interval: timeutil.Duration{Duration: 90 * timeutil.Day},
|
|
MemSize: 1000,
|
|
Ignored: []string{},
|
|
},
|
|
Stats: statsConfig{
|
|
Enabled: true,
|
|
Interval: timeutil.Duration{Duration: 1 * timeutil.Day},
|
|
Ignored: []string{},
|
|
},
|
|
// NOTE: Keep these parameters in sync with the one put into
|
|
// client/src/helpers/filters/filters.js by scripts/vetted-filters.
|
|
//
|
|
// TODO(a.garipov): Think of a way to make scripts/vetted-filters update
|
|
// these as well if necessary.
|
|
Filters: []filtering.FilterYAML{{
|
|
Filter: filtering.Filter{ID: 1},
|
|
Enabled: true,
|
|
URL: "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt",
|
|
Name: "AdGuard DNS filter",
|
|
}, {
|
|
Filter: filtering.Filter{ID: 2},
|
|
Enabled: false,
|
|
URL: "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt",
|
|
Name: "AdAway Default Blocklist",
|
|
}},
|
|
DHCP: &dhcpd.ServerConfig{
|
|
LocalDomainName: "lan",
|
|
Conf4: dhcpd.V4ServerConf{
|
|
LeaseDuration: dhcpd.DefaultDHCPLeaseTTL,
|
|
ICMPTimeout: dhcpd.DefaultDHCPTimeoutICMP,
|
|
},
|
|
Conf6: dhcpd.V6ServerConf{
|
|
LeaseDuration: dhcpd.DefaultDHCPLeaseTTL,
|
|
},
|
|
},
|
|
Clients: &clientsConfig{
|
|
Sources: &clientSourcesConfig{
|
|
WHOIS: true,
|
|
ARP: true,
|
|
RDNS: true,
|
|
DHCP: true,
|
|
HostsFile: true,
|
|
},
|
|
},
|
|
logSettings: logSettings{
|
|
Compress: false,
|
|
LocalTime: false,
|
|
MaxBackups: 0,
|
|
MaxSize: 100,
|
|
MaxAge: 3,
|
|
},
|
|
OSConfig: &osConfig{},
|
|
SchemaVersion: currentSchemaVersion,
|
|
Theme: ThemeAuto,
|
|
}
|
|
|
|
// getConfigFilename returns path to the current config file
|
|
func (c *configuration) getConfigFilename() string {
|
|
configFile, err := filepath.EvalSymlinks(Context.configFilename)
|
|
if err != nil {
|
|
if !errors.Is(err, os.ErrNotExist) {
|
|
log.Error("unexpected error while config file path evaluation: %s", err)
|
|
}
|
|
configFile = Context.configFilename
|
|
}
|
|
if !filepath.IsAbs(configFile) {
|
|
configFile = filepath.Join(Context.workDir, configFile)
|
|
}
|
|
return configFile
|
|
}
|
|
|
|
// readLogSettings reads logging settings from the config file. We do it in a
|
|
// separate method in order to configure logger before the actual configuration
|
|
// is parsed and applied.
|
|
func readLogSettings() (ls *logSettings) {
|
|
ls = &logSettings{}
|
|
|
|
yamlFile, err := readConfigFile()
|
|
if err != nil {
|
|
return ls
|
|
}
|
|
|
|
err = yaml.Unmarshal(yamlFile, ls)
|
|
if err != nil {
|
|
log.Error("Couldn't get logging settings from the configuration: %s", err)
|
|
}
|
|
|
|
return ls
|
|
}
|
|
|
|
// validateBindHosts returns error if any of binding hosts from configuration is
|
|
// not a valid IP address.
|
|
func validateBindHosts(conf *configuration) (err error) {
|
|
if !conf.HTTPConfig.Address.IsValid() {
|
|
return errors.Error("http.address is not a valid ip address")
|
|
}
|
|
|
|
for i, addr := range conf.DNS.BindHosts {
|
|
if !addr.IsValid() {
|
|
return fmt.Errorf("dns.bind_hosts at index %d is not a valid ip address", i)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// parseConfig loads configuration from the YAML file
|
|
func parseConfig() (err error) {
|
|
var fileData []byte
|
|
fileData, err = readConfigFile()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
config.fileData = nil
|
|
err = yaml.Unmarshal(fileData, &config)
|
|
if err != nil {
|
|
// Don't wrap the error since it's informative enough as is.
|
|
return err
|
|
}
|
|
|
|
err = validateBindHosts(config)
|
|
if err != nil {
|
|
// Don't wrap the error since it's informative enough as is.
|
|
return err
|
|
}
|
|
|
|
tcpPorts := aghalg.UniqChecker[tcpPort]{}
|
|
addPorts(tcpPorts, tcpPort(config.HTTPConfig.Address.Port()))
|
|
|
|
udpPorts := aghalg.UniqChecker[udpPort]{}
|
|
addPorts(udpPorts, udpPort(config.DNS.Port))
|
|
|
|
if config.TLS.Enabled {
|
|
addPorts(
|
|
tcpPorts,
|
|
tcpPort(config.TLS.PortHTTPS),
|
|
tcpPort(config.TLS.PortDNSOverTLS),
|
|
tcpPort(config.TLS.PortDNSCrypt),
|
|
)
|
|
|
|
// TODO(e.burkov): Consider adding a udpPort with the same value when
|
|
// we add support for HTTP/3 for web admin interface.
|
|
addPorts(udpPorts, udpPort(config.TLS.PortDNSOverQUIC))
|
|
}
|
|
|
|
if err = tcpPorts.Validate(); err != nil {
|
|
return fmt.Errorf("validating tcp ports: %w", err)
|
|
} else if err = udpPorts.Validate(); err != nil {
|
|
return fmt.Errorf("validating udp ports: %w", err)
|
|
}
|
|
|
|
if !filtering.ValidateUpdateIvl(config.DNS.DnsfilterConf.FiltersUpdateIntervalHours) {
|
|
config.DNS.DnsfilterConf.FiltersUpdateIntervalHours = 24
|
|
}
|
|
|
|
if config.DNS.UpstreamTimeout.Duration == 0 {
|
|
config.DNS.UpstreamTimeout = timeutil.Duration{Duration: dnsforward.DefaultTimeout}
|
|
}
|
|
|
|
err = setContextTLSCipherIDs()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// udpPort is the port number for UDP protocol.
|
|
type udpPort int
|
|
|
|
// tcpPort is the port number for TCP protocol.
|
|
type tcpPort int
|
|
|
|
// addPorts is a helper for ports validation that skips zero ports.
|
|
func addPorts[T tcpPort | udpPort](uc aghalg.UniqChecker[T], ports ...T) {
|
|
for _, p := range ports {
|
|
if p != 0 {
|
|
uc.Add(p)
|
|
}
|
|
}
|
|
}
|
|
|
|
// readConfigFile reads configuration file contents.
|
|
func readConfigFile() (fileData []byte, err error) {
|
|
if len(config.fileData) > 0 {
|
|
return config.fileData, nil
|
|
}
|
|
|
|
name := config.getConfigFilename()
|
|
log.Debug("reading config file: %s", name)
|
|
|
|
// Do not wrap the error because it's informative enough as is.
|
|
return os.ReadFile(name)
|
|
}
|
|
|
|
// Saves configuration to the YAML file and also saves the user filter contents to a file
|
|
func (c *configuration) write() (err error) {
|
|
c.Lock()
|
|
defer c.Unlock()
|
|
|
|
if Context.auth != nil {
|
|
config.Users = Context.auth.GetUsers()
|
|
}
|
|
|
|
if Context.tls != nil {
|
|
tlsConf := tlsConfigSettings{}
|
|
Context.tls.WriteDiskConfig(&tlsConf)
|
|
config.TLS = tlsConf
|
|
}
|
|
|
|
if Context.stats != nil {
|
|
statsConf := stats.Config{}
|
|
Context.stats.WriteDiskConfig(&statsConf)
|
|
config.Stats.Interval = timeutil.Duration{Duration: statsConf.Limit}
|
|
config.Stats.Enabled = statsConf.Enabled
|
|
config.Stats.Ignored = statsConf.Ignored.Values()
|
|
slices.Sort(config.Stats.Ignored)
|
|
}
|
|
|
|
if Context.queryLog != nil {
|
|
dc := querylog.Config{}
|
|
Context.queryLog.WriteDiskConfig(&dc)
|
|
config.DNS.AnonymizeClientIP = dc.AnonymizeClientIP
|
|
config.QueryLog.Enabled = dc.Enabled
|
|
config.QueryLog.FileEnabled = dc.FileEnabled
|
|
config.QueryLog.Interval = timeutil.Duration{Duration: dc.RotationIvl}
|
|
config.QueryLog.MemSize = dc.MemSize
|
|
config.QueryLog.Ignored = dc.Ignored.Values()
|
|
slices.Sort(config.Stats.Ignored)
|
|
}
|
|
|
|
if Context.filters != nil {
|
|
Context.filters.WriteDiskConfig(config.DNS.DnsfilterConf)
|
|
config.Filters = config.DNS.DnsfilterConf.Filters
|
|
config.WhitelistFilters = config.DNS.DnsfilterConf.WhitelistFilters
|
|
config.UserRules = config.DNS.DnsfilterConf.UserRules
|
|
}
|
|
|
|
if s := Context.dnsServer; s != nil {
|
|
c := dnsforward.FilteringConfig{}
|
|
s.WriteDiskConfig(&c)
|
|
dns := &config.DNS
|
|
dns.FilteringConfig = c
|
|
dns.LocalPTRResolvers, config.Clients.Sources.RDNS, dns.UsePrivateRDNS = s.RDNSSettings()
|
|
}
|
|
|
|
if Context.dhcpServer != nil {
|
|
Context.dhcpServer.WriteDiskConfig(config.DHCP)
|
|
}
|
|
|
|
config.Clients.Persistent = Context.clients.forConfig()
|
|
|
|
configFile := config.getConfigFilename()
|
|
log.Debug("writing config file %q", configFile)
|
|
|
|
buf := &bytes.Buffer{}
|
|
enc := yaml.NewEncoder(buf)
|
|
enc.SetIndent(2)
|
|
|
|
err = enc.Encode(config)
|
|
if err != nil {
|
|
return fmt.Errorf("generating config file: %w", err)
|
|
}
|
|
|
|
err = maybe.WriteFile(configFile, buf.Bytes(), 0o644)
|
|
if err != nil {
|
|
return fmt.Errorf("writing config file: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// setContextTLSCipherIDs sets the TLS cipher suite IDs to use.
|
|
func setContextTLSCipherIDs() (err error) {
|
|
if len(config.TLS.OverrideTLSCiphers) == 0 {
|
|
log.Info("tls: using default ciphers")
|
|
|
|
Context.tlsCipherIDs = aghtls.SaferCipherSuites()
|
|
|
|
return nil
|
|
}
|
|
|
|
log.Info("tls: overriding ciphers: %s", config.TLS.OverrideTLSCiphers)
|
|
|
|
Context.tlsCipherIDs, err = aghtls.ParseCiphers(config.TLS.OverrideTLSCiphers)
|
|
if err != nil {
|
|
return fmt.Errorf("parsing override ciphers: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|