ConfigFile change to allowlist and blocklist (#1375)

* ConfigFile change to allowlist and blocklist

* revised names and warnings

* consistent file naming in kebab case, and generic use of blocklist and allowlist in comments for clarity

* update ci files

Co-authored-by: Ian Bashford <ianbashford@gmail.com>
Ian Bashford 2020-06-26 22:18:30 +01:00 committed by GitHub
parent 19c0c3f7db
commit b089d49d25
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 104 additions and 56 deletions


@ -1,5 +1,5 @@
##################
# Test blacklist #
# Test blocklist #
##################
ad.*


@ -20,7 +20,7 @@ section() {
true
}
rm -f blocked.log ip-blocked.log query.log nx.log whitelisted.log
rm -f blocked-names.log blocked-ips.log query.log nx.log allowed-names.log
t || (
cd ../dnscrypt-proxy
@ -94,14 +94,14 @@ kill $(cat /tmp/dnscrypt-proxy.pidfile)
sleep 5
section
t || grep -Fq 'telemetry.example' blocked.log || fail
t || grep -Fq 'telemetry.*' blocked.log || fail
t || grep -Fq 'tracker.xdebian.org' blocked.log || fail
t || grep -Fq 'tracker.*' blocked.log || fail
t || grep -Fq 'telemetry.example' blocked-names.log || fail
t || grep -Fq 'telemetry.*' blocked-names.log || fail
t || grep -Fq 'tracker.xdebian.org' blocked-names.log || fail
t || grep -Fq 'tracker.*' blocked-names.log || fail
section
t || grep -Fq 'dns.google' ip-blocked.log || fail
t || grep -Fq '8.8.8.8' ip-blocked.log || fail
t || grep -Fq 'dns.google' blocked-ips.log || fail
t || grep -Fq '8.8.8.8' blocked-ips.log || fail
section
t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail
@ -127,8 +127,8 @@ t || grep -Eq 'tracker.xdebian.org.*REJECT' query.log || fail
t || grep -Eq 'tracker.debian.org.*PASS' query.log || fail
section
t || grep -Fq 'tracker.debian.org' whitelisted.log || fail
t || grep -Fq '*.tracker.debian' whitelisted.log || fail
t || grep -Fq 'tracker.debian.org' allowed-names.log || fail
t || grep -Fq '*.tracker.debian' allowed-names.log || fail
if [ -s error.log ]; then
cat *.log


@ -23,17 +23,17 @@ file = 'query.log'
[nx_log]
file = 'nx.log'
[blacklist]
blacklist_file = 'blacklist.txt'
log_file = 'blocked.log'
[blocked_names]
blocked_names_file = 'blocked-names.txt'
log_file = 'blocked-names.log'
[ip_blacklist]
blacklist_file = 'ip-blacklist.txt'
log_file = 'ip-blocked.log'
[blocked_ips]
blocked_ips_file = 'blocked-ips.txt'
log_file = 'blocked-ips.log'
[whitelist]
whitelist_file = 'whitelist.txt'
log_file = 'whitelisted.log'
[allowed_names]
allowed_names_file = 'allowed-names.txt'
log_file = 'allowed-names.log'
[schedules]


@ -61,9 +61,12 @@ type Config struct {
CloakTTL uint32 `toml:"cloak_ttl"`
QueryLog QueryLogConfig `toml:"query_log"`
NxLog NxLogConfig `toml:"nx_log"`
BlockName BlockNameConfig `toml:"blacklist"`
WhitelistName WhitelistNameConfig `toml:"whitelist"`
BlockIP BlockIPConfig `toml:"ip_blacklist"`
BlockName BlockNameConfig `toml:"blocked_names"`
BlockNameLegacy BlockNameConfigLegacy `toml:"blacklist"`
WhitelistNameLegacy WhitelistNameConfigLegacy `toml:"whitelist"`
AllowedName AllowedNameConfig `toml:"allowed_names"`
BlockIP BlockIPConfig `toml:"blocked_ips"`
BlockIPLegacy BlockIPConfigLegacy `toml:"ip_blacklist"`
ForwardFile string `toml:"forwarding_rules"`
CloakFile string `toml:"cloaking_rules"`
StaticsConfig map[string]StaticConfig `toml:"static"`
@ -174,18 +177,36 @@ type NxLogConfig struct {
}
type BlockNameConfig struct {
File string `toml:"blocked_names_file"`
LogFile string `toml:"log_file"`
Format string `toml:"log_format"`
}
type BlockNameConfigLegacy struct {
File string `toml:"blacklist_file"`
LogFile string `toml:"log_file"`
Format string `toml:"log_format"`
}
type WhitelistNameConfig struct {
type WhitelistNameConfigLegacy struct {
File string `toml:"whitelist_file"`
LogFile string `toml:"log_file"`
Format string `toml:"log_format"`
}
type AllowedNameConfig struct {
File string `toml:"allowed_names_file"`
LogFile string `toml:"log_file"`
Format string `toml:"log_format"`
}
type BlockIPConfig struct {
File string `toml:"blocked_ips_file"`
LogFile string `toml:"log_file"`
Format string `toml:"log_format"`
}
type BlockIPConfigLegacy struct {
File string `toml:"blacklist_file"`
LogFile string `toml:"log_file"`
Format string `toml:"log_format"`
@ -457,6 +478,15 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
proxy.nxLogFile = config.NxLog.File
proxy.nxLogFormat = config.NxLog.Format
if len(config.BlockName.File) > 0 && len(config.BlockNameLegacy.File) > 0 {
dlog.Fatal("Don't specify both [blocked_names] and [blacklist] sections - Update your config file.")
}
if len(config.BlockNameLegacy.File) > 0 {
dlog.Notice("Use of [blacklist] is deprecated - Update your config file.")
config.BlockName.File = config.BlockNameLegacy.File
config.BlockName.Format = config.BlockNameLegacy.Format
config.BlockName.LogFile = config.BlockNameLegacy.LogFile
}
if len(config.BlockName.Format) == 0 {
config.BlockName.Format = "tsv"
} else {
@ -469,18 +499,36 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
proxy.blockNameFormat = config.BlockName.Format
proxy.blockNameLogFile = config.BlockName.LogFile
if len(config.WhitelistName.Format) == 0 {
config.WhitelistName.Format = "tsv"
if len(config.AllowedName.File) > 0 && len(config.WhitelistNameLegacy.File) > 0 {
dlog.Fatal("Don't specify both [whitelist] and [allowed_names] sections - Update your config file.")
}
if len(config.WhitelistNameLegacy.File) > 0 {
dlog.Notice("Use of [whitelist] is deprecated - Update your config file.")
config.AllowedName.File = config.WhitelistNameLegacy.File
config.AllowedName.Format = config.WhitelistNameLegacy.Format
config.AllowedName.LogFile = config.WhitelistNameLegacy.LogFile
}
if len(config.AllowedName.Format) == 0 {
config.AllowedName.Format = "tsv"
} else {
config.WhitelistName.Format = strings.ToLower(config.WhitelistName.Format)
config.AllowedName.Format = strings.ToLower(config.AllowedName.Format)
}
if config.WhitelistName.Format != "tsv" && config.WhitelistName.Format != "ltsv" {
return errors.New("Unsupported whitelist log format")
if config.AllowedName.Format != "tsv" && config.AllowedName.Format != "ltsv" {
return errors.New("Unsupported allowed_names log format")
}
proxy.whitelistNameFile = config.WhitelistName.File
proxy.whitelistNameFormat = config.WhitelistName.Format
proxy.whitelistNameLogFile = config.WhitelistName.LogFile
proxy.whitelistNameFile = config.AllowedName.File
proxy.whitelistNameFormat = config.AllowedName.Format
proxy.whitelistNameLogFile = config.AllowedName.LogFile
if len(config.BlockIP.File) > 0 && len(config.BlockIPLegacy.File) > 0 {
dlog.Fatal("Don't specify both [blocked_ips] and [ip_blacklist] sections - Update your config file.")
}
if len(config.BlockIPLegacy.File) > 0 {
dlog.Notice("Use of [ip_blacklist] is deprecated - Update your config file.")
config.BlockIP.File = config.BlockIPLegacy.File
config.BlockIP.Format = config.BlockIPLegacy.Format
config.BlockIP.LogFile = config.BlockIPLegacy.LogFile
}
if len(config.BlockIP.Format) == 0 {
config.BlockIP.Format = "tsv"
} else {
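Review bot: The three new conflict guards (the `dlog.Fatal` calls for `[blocked_names]`/`[blacklist]`, `[whitelist]`/`[allowed_names]` and `[blocked_ips]`/`[ip_blacklist]`) terminate the process from inside ConfigLoad, whereas the surrounding code reports a bad configuration by returning an error, as the neighbouring `return errors.New("Unsupported allowed_names log format")` does; returning the error instead, e.g. `return errors.New("Don't specify both [blocked_names] and [blacklist] sections - Update your config file.")`, keeps the function's contract and lets callers and tests observe the failure. The legacy-merge blocks also copy `Format` and `LogFile` unconditionally, so a `log_file` set under the new section is silently replaced by the legacy section's (possibly empty) value whenever the legacy `*_file` key is present, because the guard only compares the two file paths; copying each field only when the new section's value is empty, or rejecting a legacy section that sets anything while the new section is non-empty, would avoid quietly dropping the blocked/allowed query log. ConfigLoad begins and ends outside this hunk.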


@ -75,7 +75,7 @@ require_dnssec = false
# Server must not log user queries (declarative)
require_nolog = true
# Server must not enforce its own blacklist (for parental control, ads blocking...)
# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true
# Server names to avoid even if they match all criteria
@ -275,7 +275,7 @@ log_files_max_backups = 1
## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
## configure dnscrypt-proxy to do any kind of filtering (including the filters
## below and blacklists).
## below and blocklists).
## You can still choose resolvers that do DNSSEC validation.
@ -298,7 +298,7 @@ block_undelegated = true
## TTL for synthetic responses sent when a request has been blocked (due to
## IPv6 or blacklists).
## IPv6 or blocklists).
reject_ttl = 600
@ -444,10 +444,10 @@ cache_neg_max_ttl = 600
######################################################
# Pattern-based blocking (blacklists) #
# Pattern-based blocking (blocklists) #
######################################################
## Blacklists are made of one pattern per line. Example of valid patterns:
## Blocklists are made of one pattern per line. Example of valid patterns:
##
## example.com
## =example.com
@ -456,20 +456,20 @@ cache_neg_max_ttl = 600
## ads*.example.*
## ads*.example[0-9]*.com
##
## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
## A script to build blacklists from public feeds can be found in the
## Example blocklist files can be found at https://download.dnscrypt.info/blacklists/
## A script to build blocklists from public feeds can be found in the
## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
[blacklist]
[blocked_names]
## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
# blacklist_file = 'blacklist.txt'
# blocked_names_file = 'blocked-names.txt'
## Optional path to a file logging blocked queries
# log_file = 'blocked.log'
# log_file = 'blocked-names.log'
## Optional log format: tsv or ltsv (default: tsv)
@ -479,25 +479,25 @@ cache_neg_max_ttl = 600
###########################################################
# Pattern-based IP blocking (IP blacklists) #
# Pattern-based IP blocking (IP blocklists) #
###########################################################
## IP blacklists are made of one pattern per line. Example of valid patterns:
## IP blocklists are made of one pattern per line. Example of valid patterns:
##
## 127.*
## fe80:abcd:*
## 192.168.1.4
[ip_blacklist]
[blocked_ips]
## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
# blacklist_file = 'ip-blacklist.txt'
# blocked_ips_file = 'blocked-ips.txt'
## Optional path to a file logging blocked queries
# log_file = 'ip-blocked.log'
# log_file = 'blocked-ips.log'
## Optional log format: tsv or ltsv (default: tsv)
@ -507,25 +507,25 @@ cache_neg_max_ttl = 600
######################################################
# Pattern-based whitelisting (blacklists bypass) #
# Pattern-based allowlisting (blocklists bypass) #
######################################################
## Whitelists support the same patterns as blacklists
## If a name matches a whitelist entry, the corresponding session
## Allowlists support the same patterns as blocklists
## If a name matches a allowlist entry, the corresponding session
## will bypass names and IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.
[whitelist]
[allowed_names]
## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file)
## Path to the file of allowlisting rules (absolute, or relative to the same directory as the config file)
# whitelist_file = 'whitelist.txt'
# allowed_names_file = 'allowed-names.txt'
## Optional path to a file logging whitelisted queries
## Optional path to a file logging allowlisted queries
# log_file = 'whitelisted.log'
# log_file = 'allowed-names.log'
## Optional log format: tsv or ltsv (default: tsv)
@ -539,10 +539,10 @@ cache_neg_max_ttl = 600
##########################################
## One or more weekly schedules can be defined here.
## Patterns in the name-based blocklist can optionally be followed with @schedule_name
## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
##
## For example, the following rule in a blacklist file:
## For example, the following rule in a blocklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
##