Merge remote-tracking branch 'origin/master' into AGDNS-3523-add-context

Author: Mizzick

README.md

@@ -63,6 +63,14 @@ Usage of ./dnsproxy:
         Cache size (in bytes). Default: 64k.
   --config-path=path
         YAML configuration file. Minimal working configuration in config.yaml.dist. Options passed through command line will override the ones from this file.
+  --doh-insecure-enabled
+        If specified, the DoH server will skip TLS certificate verification.
+  --doh-routes
+        Routes for DNS-over-HTTPS.  If not specified, the default routes are registered:
+        - "GET /", deprecated and will soon be removed,
+        - "POST /", deprecated and will soon be removed.
+        - "GET /dns-query",
+        - "POST /dns-query".
   --dns64
         If specified, dnsproxy will act as a DNS64 server.
   --dns64-prefix=subnet

internal/cmd/args.go

@@ -67,6 +67,8 @@ const (
 	pendingRequestsEnabledIdx
 	dns64Idx
 	usePrivateRDNSIdx
+	dohRoutesIdx
+	dohInsecureEnabledIdx
 )
 
 // commandLineOption contains information about a command-line option: its long
@@ -405,6 +407,18 @@ var commandLineOptions = []*commandLineOption{
 		short:     "",
 		valueType: "",
 	},
+	dohRoutesIdx: {
+		description: "List of routes for DNS-over-HTTPS, can be specified multiple times.",
+		long:        "doh-routes",
+		short:       "",
+		valueType:   "route",
+	},
+	dohInsecureEnabledIdx: {
+		description: "If specified, the DoH server will skip TLS certificate verification.",
+		long:        "doh-insecure-enabled",
+		short:       "",
+		valueType:   "",
+	},
 }
 
 // parseCmdLineOptions parses the command-line options.  conf must not be nil.
@@ -464,6 +478,8 @@ func parseCmdLineOptions(conf *configuration) (err error) {
 		pendingRequestsEnabledIdx:   &conf.PendingRequestsEnabled,
 		dns64Idx:                    &conf.DNS64,
 		usePrivateRDNSIdx:           &conf.UsePrivateRDNS,
+		dohRoutesIdx:                &conf.DoHRoutes,
+		dohInsecureEnabledIdx:       &conf.DoHInsecureEnabled,
 	} {
 		addOption(flags, fieldPtr, commandLineOptions[i])
 	}
@@ -536,8 +552,8 @@ func addOption(flags *flag.FlagSet, fieldPtr any, o *commandLineOption) {
 		defineFlagVar(flags, (*uint32Value)(fieldPtr), o)
 	case *float32:
 		defineFlagVar(flags, (*float32Value)(fieldPtr), o)
-	case *[]int:
-		defineFlagVar(flags, newIntSliceValue(fieldPtr), o)
+	case *[]uint16:
+		defineFlagVar(flags, newUInt16SliceValue(fieldPtr), o)
 	case *[]string:
 		defineFlagVar(flags, newStringSliceValue(fieldPtr), o)
 	case *timeutil.Duration:

internal/cmd/config.go

@@ -46,20 +46,25 @@ type configuration struct {
 	// ListenAddrs is the list of server's listen addresses.
 	ListenAddrs []string `yaml:"listen-addrs"`
 
-	// ListenPorts are the ports server listens on.
-	ListenPorts []int `yaml:"listen-ports"`
+	// DoHRoutes is the list of routes for DNS-over-HTTPS.  It must be a slice
+	// of valid route patterns, if it is empty, the default routes are
+	// registered.
+	DoHRoutes []string `yaml:"doh-routes"`
+
+	// ListenPorts are the ports server listens on for plain DNS.
+	ListenPorts []uint16 `yaml:"listen-ports"`
 
 	// HTTPSListenPorts are the ports server listens on for DNS-over-HTTPS.
-	HTTPSListenPorts []int `yaml:"https-port"`
+	HTTPSListenPorts []uint16 `yaml:"https-port"`
 
 	// TLSListenPorts are the ports server listens on for DNS-over-TLS.
-	TLSListenPorts []int `yaml:"tls-port"`
+	TLSListenPorts []uint16 `yaml:"tls-port"`
 
 	// QUICListenPorts are the ports server listens on for DNS-over-QUIC.
-	QUICListenPorts []int `yaml:"quic-port"`
+	QUICListenPorts []uint16 `yaml:"quic-port"`
 
 	// DNSCryptListenPorts are the ports server listens on for DNSCrypt.
-	DNSCryptListenPorts []int `yaml:"dnscrypt-port"`
+	DNSCryptListenPorts []uint16 `yaml:"dnscrypt-port"`
 
 	// Upstreams is the list of DNS upstream servers.
 	Upstreams []string `yaml:"upstream"`
@@ -146,6 +151,10 @@ type configuration struct {
 	// TODO(d.kolyshev): Use more suitable type.
 	TLSMaxVersion float32 `yaml:"tls-max-version"`
 
+	// DoHInsecureEnabled controls whether the DoH server should skip TLS
+	// certificate verification.
+	DoHInsecureEnabled bool `yaml:"doh-insecure-enabled"`
+
 	// help, if true, prints the command-line option help message and quit with
 	// a successful exit-code.
 	help bool

internal/cmd/flag.go

@@ -47,47 +47,48 @@ func (i *float32Value) String() (out string) {
 	return strconv.FormatFloat(float64(*i), 'f', 3, 32)
 }
 
-// intSliceValue represent a struct with a slice of integers that can be defined
-// as a flag for [flag.FlagSet].
-type intSliceValue struct {
-	// values is the pointer to a slice of integers to store parsed values.
-	values *[]int
+// uint16SliceValue represent a struct with a slice of uint16 values that can be
+// defined as a flag for [flag.FlagSet].
+type uint16SliceValue struct {
+	// values is the pointer to a slice of uint16 to store parsed values.
+	values *[]uint16
 
 	// isSet is false until the corresponding flag is met for the first time.
 	// When the flag is found, the default value is overwritten with zero value.
 	isSet bool
 }
 
-// newIntSliceValue returns a pointer to intSliceValue with the given value.
-func newIntSliceValue(p *[]int) (out *intSliceValue) {
-	return &intSliceValue{
+// newUInt16SliceValue returns a pointer to uint16SliceValue with the given
+// value.
+func newUInt16SliceValue(p *[]uint16) (out *uint16SliceValue) {
+	return &uint16SliceValue{
 		values: p,
 		isSet:  false,
 	}
 }
 
 // type check
-var _ flag.Value = (*intSliceValue)(nil)
+var _ flag.Value = (*uint16SliceValue)(nil)
 
-// Set implements the [flag.Value] interface for *intSliceValue.
-func (i *intSliceValue) Set(s string) (err error) {
-	v, err := strconv.Atoi(s)
+// Set implements the [flag.Value] interface for *uint16SliceValue.
+func (i *uint16SliceValue) Set(s string) (err error) {
+	v, err := strconv.ParseUint(s, 10, 16)
 	if err != nil {
-		return fmt.Errorf("parsing integer slice arg %q: %w", s, err)
+		return fmt.Errorf("parsing uint16 slice arg %q: %w", s, err)
 	}
 
 	if !i.isSet {
 		i.isSet = true
-		*i.values = []int{}
+		*i.values = []uint16{}
 	}
 
-	*i.values = append(*i.values, v)
+	*i.values = append(*i.values, uint16(v))
 
 	return nil
 }
 
-// String implements the [flag.Value] interface for *intSliceValue.
-func (i *intSliceValue) String() (out string) {
+// String implements the [flag.Value] interface for *uint16SliceValue.
+func (i *uint16SliceValue) String() (out string) {
 	if i == nil || i.values == nil {
 		return ""
 	}
@@ -98,7 +99,7 @@ func (i *intSliceValue) String() (out string) {
 			stringutil.WriteToBuilder(sb, ",")
 		}
 
-		stringutil.WriteToBuilder(sb, strconv.Itoa(v))
+		stringutil.WriteToBuilder(sb, strconv.FormatUint(uint64(v), 10))
 	}
 
 	return sb.String()

internal/cmd/proxy.go

@@ -26,6 +26,11 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
+// defaultHTTPTimeout is the default timeout for HTTP server operations.
+//
+// TODO(a.garipov):  Consider making configurable.
+const defaultHTTPTimeout = 10 * time.Second
+
 // TODO(e.burkov):  Use a separate type for the YAML configuration file.
 
 // createProxyConfig initializes [proxy.Config].  l must not be nil.
@@ -58,6 +63,24 @@ func createProxyConfig(
 		return nil, fmt.Errorf("ratelimit mw: %w", err)
 	}
 
+	httpConf := &proxy.HTTPConfig{
+		ServerHeader:    conf.HTTPSServerName,
+		Routes:          conf.DoHRoutes,
+		ReadTimeout:     defaultHTTPTimeout,
+		WriteTimeout:    defaultHTTPTimeout,
+		HTTP3Enabled:    conf.HTTP3,
+		InsecureEnabled: conf.DoHInsecureEnabled,
+	}
+
+	if uiStr := conf.HTTPSUserinfo; uiStr != "" {
+		user, pass, ok := strings.Cut(uiStr, ":")
+		if ok {
+			httpConf.Userinfo = url.UserPassword(user, pass)
+		} else {
+			httpConf.Userinfo = url.User(user)
+		}
+	}
+
 	proxyConf = &proxy.Config{
 		Logger:                   l.With(slogutil.KeyPrefix, proxy.LogPrefix),
 		CacheEnabled:             conf.Cache,
@@ -68,7 +91,6 @@ func createProxyConfig(
 		CacheOptimisticMaxAge:    time.Duration(conf.OptimisticMaxAge),
 		CacheOptimistic:          conf.CacheOptimistic,
 		RefuseAny:                conf.RefuseAny,
-		HTTP3:                    conf.HTTP3,
 		// TODO(e.burkov):  The following CIDRs are aimed to match any address.
 		// This is not quite proper approach to be used by default so think
 		// about configuring it.
@@ -78,23 +100,14 @@ func createProxyConfig(
 		},
 		EnableEDNSClientSubnet: conf.EnableEDNSSubnet,
 		UDPBufferSize:          conf.UDPBufferSize,
-		HTTPSServerName:        conf.HTTPSServerName,
 		MaxGoroutines:          conf.MaxGoRoutines,
 		UsePrivateRDNS:         conf.UsePrivateRDNS,
 		PrivateSubnets:         netutil.SubnetSetFunc(netutil.IsLocallyServed),
 		RequestHandler:         ratelimitMw.Wrap(preMw.Wrap(proxy.DefaultHandler{})),
 		PendingRequests: &proxy.PendingRequestsConfig{
 			Enabled: conf.PendingRequestsEnabled,
 		},
-	}
-
-	if uiStr := conf.HTTPSUserinfo; uiStr != "" {
-		user, pass, ok := strings.Cut(uiStr, ":")
-		if ok {
-			proxyConf.Userinfo = url.UserPassword(user, pass)
-		} else {
-			proxyConf.Userinfo = url.User(user)
-		}
+		HTTPConfig: httpConf,
 	}
 
 	conf.initBogusNXDomain(ctx, l, proxyConf)
@@ -391,60 +404,58 @@ func (conf *configuration) initListenAddrs(config *proxy.Config) (err error) {
 	if len(conf.ListenPorts) == 0 {
 		// If ListenPorts has not been parsed through config file nor command
 		// line we set it to 53.
-		conf.ListenPorts = []int{53}
+		conf.ListenPorts = []uint16{53}
 	}
 
 	for _, port := range conf.ListenPorts {
 		for _, ip := range addrs {
-			addrPort := netip.AddrPortFrom(ip, uint16(port))
+			addrPort := netip.AddrPortFrom(ip, port)
 
 			config.UDPListenAddr = append(config.UDPListenAddr, net.UDPAddrFromAddrPort(addrPort))
 			config.TCPListenAddr = append(config.TCPListenAddr, net.TCPAddrFromAddrPort(addrPort))
 		}
 	}
 
-	initTLSListenAddrs(config, conf, addrs)
-	initDNSCryptListenAddrs(config, conf, addrs)
+	if config.TLSConfig != nil {
+		initTLSListenAddrs(config, conf, addrs)
+	}
+
+	if config.DNSCryptResolverCert != nil && config.DNSCryptProviderName != "" {
+		initDNSCryptListenAddrs(config, conf, addrs)
+	}
 
 	return nil
 }
 
-// initTLSListenAddrs sets up proxy configuration TLS listen addresses.
+// initTLSListenAddrs sets up proxy configuration TLS listen addresses.  conf,
+// proxyConf must not be nil.  If conf.HTTPSListenPorts is not empty,
+// proxyConf.HTTPConfig must not be nil.
 func initTLSListenAddrs(proxyConf *proxy.Config, conf *configuration, addrs []netip.Addr) {
-	if proxyConf.TLSConfig == nil {
-		return
-	}
-
+	httpConfig := proxyConf.HTTPConfig
 	for _, ip := range addrs {
 		for _, port := range conf.TLSListenPorts {
-			a := net.TCPAddrFromAddrPort(netip.AddrPortFrom(ip, uint16(port)))
+			a := net.TCPAddrFromAddrPort(netip.AddrPortFrom(ip, port))
 			proxyConf.TLSListenAddr = append(proxyConf.TLSListenAddr, a)
 		}
 
 		for _, port := range conf.HTTPSListenPorts {
-			a := net.TCPAddrFromAddrPort(netip.AddrPortFrom(ip, uint16(port)))
-			proxyConf.HTTPSListenAddr = append(proxyConf.HTTPSListenAddr, a)
+			a := netip.AddrPortFrom(ip, port)
+			httpConfig.ListenAddresses = append(httpConfig.ListenAddresses, a)
 		}
 
 		for _, port := range conf.QUICListenPorts {
-			a := net.UDPAddrFromAddrPort(netip.AddrPortFrom(ip, uint16(port)))
+			a := net.UDPAddrFromAddrPort(netip.AddrPortFrom(ip, port))
 			proxyConf.QUICListenAddr = append(proxyConf.QUICListenAddr, a)
 		}
 	}
 }
 
 // initDNSCryptListenAddrs sets up proxy configuration DNSCrypt listen
-// addresses.
+// addresses.  proxyConf and conf must not be nil.
 func initDNSCryptListenAddrs(proxyConf *proxy.Config, conf *configuration, addrs []netip.Addr) {
-	if proxyConf.DNSCryptResolverCert == nil || proxyConf.DNSCryptProviderName == "" {
-		return
-	}
-
 	for _, port := range conf.DNSCryptListenPorts {
-		p := uint16(port)
-
 		for _, ip := range addrs {
-			addrPort := netip.AddrPortFrom(ip, p)
+			addrPort := netip.AddrPortFrom(ip, port)
 
 			tcp := net.TCPAddrFromAddrPort(addrPort)
 			proxyConf.DNSCryptTCPListenAddr = append(proxyConf.DNSCryptTCPListenAddr, tcp)