Add options to set the cipher suite as well as disable session tickets
This commit is contained in:
parent
a4366b0593
commit
1fa3e5d7f3
|
@ -16,73 +16,77 @@ import (
|
|||
)
|
||||
|
||||
type Config struct {
|
||||
LogLevel int `toml:"log_level"`
|
||||
LogFile *string `toml:"log_file"`
|
||||
UseSyslog bool `toml:"use_syslog"`
|
||||
ServerNames []string `toml:"server_names"`
|
||||
ListenAddresses []string `toml:"listen_addresses"`
|
||||
Daemonize bool
|
||||
ForceTCP bool `toml:"force_tcp"`
|
||||
Timeout int `toml:"timeout"`
|
||||
KeepAlive int `toml:"keepalive"`
|
||||
CertRefreshDelay int `toml:"cert_refresh_delay"`
|
||||
CertIgnoreTimestamp bool `toml:"cert_ignore_timestamp"`
|
||||
LBStrategy string `toml:"lb_strategy"`
|
||||
BlockIPv6 bool `toml:"block_ipv6"`
|
||||
Cache bool
|
||||
CacheSize int `toml:"cache_size"`
|
||||
CacheNegTTL uint32 `toml:"cache_neg_ttl"`
|
||||
CacheMinTTL uint32 `toml:"cache_min_ttl"`
|
||||
CacheMaxTTL uint32 `toml:"cache_max_ttl"`
|
||||
QueryLog QueryLogConfig `toml:"query_log"`
|
||||
NxLog NxLogConfig `toml:"nx_log"`
|
||||
BlockName BlockNameConfig `toml:"blacklist"`
|
||||
BlockIP BlockIPConfig `toml:"ip_blacklist"`
|
||||
ForwardFile string `toml:"forwarding_rules"`
|
||||
CloakFile string `toml:"cloaking_rules"`
|
||||
ServersConfig map[string]StaticConfig `toml:"static"`
|
||||
SourcesConfig map[string]SourceConfig `toml:"sources"`
|
||||
SourceRequireDNSSEC bool `toml:"require_dnssec"`
|
||||
SourceRequireNoLog bool `toml:"require_nolog"`
|
||||
SourceRequireNoFilter bool `toml:"require_nofilter"`
|
||||
SourceDNSCrypt bool `toml:"dnscrypt_servers"`
|
||||
SourceDoH bool `toml:"doh_servers"`
|
||||
SourceIPv4 bool `toml:"ipv4_servers"`
|
||||
SourceIPv6 bool `toml:"ipv6_servers"`
|
||||
MaxClients uint32 `toml:"max_clients"`
|
||||
FallbackResolver string `toml:"fallback_resolver"`
|
||||
IgnoreSystemDNS bool `toml:"ignore_system_dns"`
|
||||
AllWeeklyRanges map[string]WeeklyRangesStr `toml:"schedules"`
|
||||
LogMaxSize int `toml:"log_files_max_size"`
|
||||
LogMaxAge int `toml:"log_files_max_age"`
|
||||
LogMaxBackups int `toml:"log_files_max_backups"`
|
||||
LogLevel int `toml:"log_level"`
|
||||
LogFile *string `toml:"log_file"`
|
||||
UseSyslog bool `toml:"use_syslog"`
|
||||
ServerNames []string `toml:"server_names"`
|
||||
ListenAddresses []string `toml:"listen_addresses"`
|
||||
Daemonize bool
|
||||
ForceTCP bool `toml:"force_tcp"`
|
||||
Timeout int `toml:"timeout"`
|
||||
KeepAlive int `toml:"keepalive"`
|
||||
CertRefreshDelay int `toml:"cert_refresh_delay"`
|
||||
CertIgnoreTimestamp bool `toml:"cert_ignore_timestamp"`
|
||||
LBStrategy string `toml:"lb_strategy"`
|
||||
BlockIPv6 bool `toml:"block_ipv6"`
|
||||
Cache bool
|
||||
CacheSize int `toml:"cache_size"`
|
||||
CacheNegTTL uint32 `toml:"cache_neg_ttl"`
|
||||
CacheMinTTL uint32 `toml:"cache_min_ttl"`
|
||||
CacheMaxTTL uint32 `toml:"cache_max_ttl"`
|
||||
QueryLog QueryLogConfig `toml:"query_log"`
|
||||
NxLog NxLogConfig `toml:"nx_log"`
|
||||
BlockName BlockNameConfig `toml:"blacklist"`
|
||||
BlockIP BlockIPConfig `toml:"ip_blacklist"`
|
||||
ForwardFile string `toml:"forwarding_rules"`
|
||||
CloakFile string `toml:"cloaking_rules"`
|
||||
ServersConfig map[string]StaticConfig `toml:"static"`
|
||||
SourcesConfig map[string]SourceConfig `toml:"sources"`
|
||||
SourceRequireDNSSEC bool `toml:"require_dnssec"`
|
||||
SourceRequireNoLog bool `toml:"require_nolog"`
|
||||
SourceRequireNoFilter bool `toml:"require_nofilter"`
|
||||
SourceDNSCrypt bool `toml:"dnscrypt_servers"`
|
||||
SourceDoH bool `toml:"doh_servers"`
|
||||
SourceIPv4 bool `toml:"ipv4_servers"`
|
||||
SourceIPv6 bool `toml:"ipv6_servers"`
|
||||
MaxClients uint32 `toml:"max_clients"`
|
||||
FallbackResolver string `toml:"fallback_resolver"`
|
||||
IgnoreSystemDNS bool `toml:"ignore_system_dns"`
|
||||
AllWeeklyRanges map[string]WeeklyRangesStr `toml:"schedules"`
|
||||
LogMaxSize int `toml:"log_files_max_size"`
|
||||
LogMaxAge int `toml:"log_files_max_age"`
|
||||
LogMaxBackups int `toml:"log_files_max_backups"`
|
||||
TLSDisableSessionTickets bool `toml:"tls_disable_session_tickets"`
|
||||
TLSCipherSuite []uint16 `toml:"tls_cipher_suite"`
|
||||
}
|
||||
|
||||
func newConfig() Config {
|
||||
return Config{
|
||||
LogLevel: int(dlog.LogLevel()),
|
||||
ListenAddresses: []string{"127.0.0.1:53"},
|
||||
Timeout: 2500,
|
||||
KeepAlive: 5,
|
||||
CertRefreshDelay: 240,
|
||||
CertIgnoreTimestamp: false,
|
||||
Cache: true,
|
||||
CacheSize: 256,
|
||||
CacheNegTTL: 60,
|
||||
CacheMinTTL: 60,
|
||||
CacheMaxTTL: 8600,
|
||||
SourceRequireNoLog: true,
|
||||
SourceRequireNoFilter: true,
|
||||
SourceIPv4: true,
|
||||
SourceIPv6: false,
|
||||
SourceDNSCrypt: true,
|
||||
SourceDoH: true,
|
||||
MaxClients: 250,
|
||||
FallbackResolver: DefaultFallbackResolver,
|
||||
IgnoreSystemDNS: false,
|
||||
LogMaxSize: 10,
|
||||
LogMaxAge: 7,
|
||||
LogMaxBackups: 1,
|
||||
LogLevel: int(dlog.LogLevel()),
|
||||
ListenAddresses: []string{"127.0.0.1:53"},
|
||||
Timeout: 2500,
|
||||
KeepAlive: 5,
|
||||
CertRefreshDelay: 240,
|
||||
CertIgnoreTimestamp: false,
|
||||
Cache: true,
|
||||
CacheSize: 256,
|
||||
CacheNegTTL: 60,
|
||||
CacheMinTTL: 60,
|
||||
CacheMaxTTL: 8600,
|
||||
SourceRequireNoLog: true,
|
||||
SourceRequireNoFilter: true,
|
||||
SourceIPv4: true,
|
||||
SourceIPv6: false,
|
||||
SourceDNSCrypt: true,
|
||||
SourceDoH: true,
|
||||
MaxClients: 250,
|
||||
FallbackResolver: DefaultFallbackResolver,
|
||||
IgnoreSystemDNS: false,
|
||||
LogMaxSize: 10,
|
||||
LogMaxAge: 7,
|
||||
LogMaxBackups: 1,
|
||||
TLSDisableSessionTickets: false,
|
||||
TLSCipherSuite: nil,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -203,6 +207,8 @@ func ConfigLoad(proxy *Proxy, svcFlag *string) error {
|
|||
proxy.logMaxSize = config.LogMaxSize
|
||||
proxy.logMaxAge = config.LogMaxAge
|
||||
proxy.logMaxBackups = config.LogMaxBackups
|
||||
proxy.xTransport.tlsDisableSessionTickets = config.TLSDisableSessionTickets
|
||||
proxy.xTransport.tlsCipherSuite = config.TLSCipherSuite
|
||||
proxy.xTransport.fallbackResolver = config.FallbackResolver
|
||||
if len(config.FallbackResolver) > 0 {
|
||||
proxy.xTransport.ignoreSystemDNS = config.IgnoreSystemDNS
|
||||
|
@ -210,6 +216,7 @@ func ConfigLoad(proxy *Proxy, svcFlag *string) error {
|
|||
proxy.xTransport.useIPv4 = config.SourceIPv4
|
||||
proxy.xTransport.useIPv6 = config.SourceIPv6
|
||||
proxy.xTransport.keepAlive = time.Duration(config.KeepAlive) * time.Second
|
||||
proxy.xTransport.rebuildTransport()
|
||||
proxy.timeout = time.Duration(config.Timeout) * time.Millisecond
|
||||
proxy.maxClients = config.MaxClients
|
||||
proxy.mainProto = "udp"
|
||||
|
|
|
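Review bot: `proxy.xTransport.tlsCipherSuite = config.TLSCipherSuite` in ConfigLoad hands the decoded TOML value to the transport without any check, so an empty array (`tls_cipher_suite = []`) or a suite ID that crypto/tls does not implement is accepted silently and only surfaces later as a DoH handshake failure. I would normalise the empty case here, `if len(config.TLSCipherSuite) > 0 { proxy.xTransport.tlsCipherSuite = config.TLSCipherSuite }`, and return an error from ConfigLoad for a list whose IDs the transport cannot use, so a typo in the config is reported at startup rather than as a silent resolver outage. The two new Config fields could also carry a short comment stating what the example file already says, e.g. `// TLS tuning; only affects DoH (HTTPS) upstreams, DNSCrypt is unaffected`. ConfigLoad starts and ends outside these hunks.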
@ -109,6 +109,24 @@ keepalive = 5
|
|||
cert_refresh_delay = 240
|
||||
|
||||
|
||||
## DoH: Disable TLS session tickets
|
||||
## increases privacy but also latency - Bump keepalive up to compensate.
|
||||
|
||||
tls_disable_session_tickets = false
|
||||
|
||||
|
||||
## DoH: Use a specific cipher suite
|
||||
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
||||
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||
|
||||
### On non-Intel systems such as Raspberry Pi and other ARM systems, the following is recommended
|
||||
### Everybody else should not set this parameter, and just use the default suite.
|
||||
|
||||
# tls_cipher_suite = [52392, 49199]
|
||||
|
||||
|
||||
## Fallback resolver
|
||||
## This is a normal, non-encrypted DNS resolver, that will be only used
|
||||
## for one-shot queries when retrieving the initial resolvers list, and
|
||||
|
|
|
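Review bot: The recommended value `# tls_cipher_suite = [52392, 49199]` lists only the ECDHE_RSA suites, so a user who enables it cannot complete a handshake with any DoH server whose certificate is ECDSA, even though the ECDSA variants (52393, 49195) are documented a few lines above. I would suggest `# tls_cipher_suite = [52392, 52393, 49199, 49195]`, ChaCha20 first to keep the ARM intent, so both certificate key types stay reachable. It is also worth saying in the comment that the list must not be empty when set, since an empty list does not mean "use the defaults".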
@ -3,6 +3,7 @@ package main
|
|||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
@ -18,6 +19,7 @@ import (
|
|||
|
||||
"github.com/jedisct1/dlog"
|
||||
"github.com/miekg/dns"
|
||||
"golang.org/x/net/http2"
|
||||
)
|
||||
|
||||
const DefaultFallbackResolver = "9.9.9.9:53"
|
||||
|
@ -28,27 +30,31 @@ type CachedIPs struct {
|
|||
}
|
||||
|
||||
type XTransport struct {
|
||||
transport *http.Transport
|
||||
keepAlive time.Duration
|
||||
timeout time.Duration
|
||||
cachedIPs CachedIPs
|
||||
fallbackResolver string
|
||||
ignoreSystemDNS bool
|
||||
useIPv4 bool
|
||||
useIPv6 bool
|
||||
transport *http.Transport
|
||||
keepAlive time.Duration
|
||||
timeout time.Duration
|
||||
cachedIPs CachedIPs
|
||||
fallbackResolver string
|
||||
ignoreSystemDNS bool
|
||||
useIPv4 bool
|
||||
useIPv6 bool
|
||||
tlsDisableSessionTickets bool
|
||||
tlsCipherSuite []uint16
|
||||
}
|
||||
|
||||
var DefaultKeepAlive = 5 * time.Second
|
||||
|
||||
func NewXTransport(timeout time.Duration, useIPv4 bool, useIPv6 bool) *XTransport {
|
||||
xTransport := XTransport{
|
||||
cachedIPs: CachedIPs{cache: make(map[string]string)},
|
||||
keepAlive: DefaultKeepAlive,
|
||||
timeout: timeout,
|
||||
fallbackResolver: DefaultFallbackResolver,
|
||||
ignoreSystemDNS: false,
|
||||
useIPv4: useIPv4,
|
||||
useIPv6: useIPv6,
|
||||
cachedIPs: CachedIPs{cache: make(map[string]string)},
|
||||
keepAlive: DefaultKeepAlive,
|
||||
timeout: timeout,
|
||||
fallbackResolver: DefaultFallbackResolver,
|
||||
ignoreSystemDNS: false,
|
||||
useIPv4: useIPv4,
|
||||
useIPv6: useIPv6,
|
||||
tlsDisableSessionTickets: false,
|
||||
tlsCipherSuite: nil,
|
||||
}
|
||||
xTransport.rebuildTransport()
|
||||
return &xTransport
|
||||
|
@ -91,6 +97,17 @@ func (xTransport *XTransport) rebuildTransport() {
|
|||
return dialer.DialContext(ctx, network, addrStr)
|
||||
},
|
||||
}
|
||||
if xTransport.tlsDisableSessionTickets || xTransport.tlsCipherSuite != nil {
|
||||
tlsClientConfig := tls.Config{
|
||||
SessionTicketsDisabled: xTransport.tlsDisableSessionTickets,
|
||||
}
|
||||
if xTransport.tlsCipherSuite != nil {
|
||||
tlsClientConfig.PreferServerCipherSuites = false
|
||||
tlsClientConfig.CipherSuites = xTransport.tlsCipherSuite
|
||||
}
|
||||
transport.TLSClientConfig = &tlsClientConfig
|
||||
}
|
||||
http2.ConfigureTransport(transport)
|
||||
xTransport.transport = transport
|
||||
}
|
||||
|
||||
|
|
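Review bot: Both guards `xTransport.tlsCipherSuite != nil` in rebuildTransport treat an empty-but-non-nil list as a configured suite list, which hands crypto/tls an empty `CipherSuites`; as far as I recall crypto/tls only falls back to its defaults for a nil slice, so the client would have nothing to offer and every DoH handshake would fail. `len(xTransport.tlsCipherSuite) > 0` is the safer test in both places. `tlsClientConfig.PreferServerCipherSuites = false` is a server-side setting with no effect on a client config and can be dropped; it is also worth a comment that `CipherSuites` only constrains TLS 1.2 and earlier on Go versions that negotiate TLS 1.3. The two new XTransport fields lack comments; I would add `// DoH TLS tuning: nil/empty tlsCipherSuite means crypto/tls defaults` above them. rebuildTransport starts outside the hunk.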