ipreg/doh101.git
15 months ago  doh.lua: handle HEAD correctly (master)
Tony Finch [Thu, 27 Jun 2019 16:54:25 +0000 (17:54 +0100)]
doh.lua: handle HEAD correctly

Do full GET processing and let NGINX discard the body

22 months ago  README: notes on CORS
Tony Finch [Mon, 5 Nov 2018 14:40:44 +0000 (14:40 +0000)]
README: notes on CORS

22 months ago  doh.pl: print HTTP request as well as response
Tony Finch [Mon, 5 Nov 2018 14:17:55 +0000 (14:17 +0000)]
doh.pl: print HTTP request as well as response

22 months ago  doh: promiscuous cross-origin resource sharing
Tony Finch [Mon, 5 Nov 2018 14:08:41 +0000 (14:08 +0000)]
doh: promiscuous cross-origin resource sharing

23 months ago  README: explain back-end relations better
Tony Finch [Mon, 29 Oct 2018 14:17:55 +0000 (14:17 +0000)]
README: explain back-end relations better

23 months ago  doh101: make Do53 back-end server marginally more configurable
Tony Finch [Mon, 29 Oct 2018 14:07:29 +0000 (14:07 +0000)]
doh101: make Do53 back-end server marginally more configurable

Instead of hard-coding the `$server_addr` nginx variable in the Lua
code, use the custom `$resolver` variable (like we used to) and set
`$resolver` to `$server_addr` in `nginx.conf`, so there is one file
that needs to be edited in a relatively easy way to change the
back-end address.

23 months ago  DoH is now RFC 8484
Tony Finch [Thu, 25 Oct 2018 15:05:41 +0000 (16:05 +0100)]
DoH is now RFC 8484

23 months ago  doh101: fix mode of logrotate config file
Tony Finch [Wed, 10 Oct 2018 15:06:29 +0000 (16:06 +0100)]
doh101: fix mode of logrotate config file

2 years ago  nginx: Mozilla recommends turning session tickets off
Tony Finch [Fri, 7 Sep 2018 11:18:45 +0000 (12:18 +0100)]
nginx: Mozilla recommends turning session tickets off

2 years ago  nginx: enable OCSP stapling
Tony Finch [Fri, 7 Sep 2018 11:09:21 +0000 (12:09 +0100)]
nginx: enable OCSP stapling

Sadly nginx only supports it for https not raw tls streams.

2 years ago  nginx: move common TLS settings to a shared file
Tony Finch [Fri, 7 Sep 2018 11:08:19 +0000 (12:08 +0100)]
nginx: move common TLS settings to a shared file

2 years ago  nginx: log TLS session resumption
Tony Finch [Fri, 7 Sep 2018 10:40:42 +0000 (11:40 +0100)]
nginx: log TLS session resumption

2 years ago  nginx: increase session cache size to 10M to allow for about 40K users
Tony Finch [Fri, 7 Sep 2018 09:40:03 +0000 (10:40 +0100)]
nginx: increase session cache size to 10M to allow for about 40K users

2 years ago  nginx: increase TLS session timeout to 1 day (Mozilla recommendation)
Tony Finch [Fri, 7 Sep 2018 09:37:06 +0000 (10:37 +0100)]
nginx: increase TLS session timeout to 1 day (Mozilla recommendation)

2 years ago  nginx: reduce timeouts for initial DoT connection setup
Tony Finch [Fri, 7 Sep 2018 09:32:51 +0000 (10:32 +0100)]
nginx: reduce timeouts for initial DoT connection setup

2 years ago  nginx: rejig whitespace to be less annoying
Tony Finch [Fri, 7 Sep 2018 09:31:08 +0000 (10:31 +0100)]
nginx: rejig whitespace to be less annoying

2 years ago  dot: optionally wait for idle connection timeout
Tony Finch [Fri, 7 Sep 2018 09:29:38 +0000 (10:29 +0100)]
dot: optionally wait for idle connection timeout

2 years ago  doh101: log client port numbers for NAT traceability
Tony Finch [Wed, 5 Sep 2018 18:05:51 +0000 (19:05 +0100)]
doh101: log client port numbers for NAT traceability

2 years ago  doh101: support current released version of Firefox
Tony Finch [Wed, 5 Sep 2018 14:50:23 +0000 (15:50 +0100)]
doh101: support current released version of Firefox

2 years ago  openresty: remove the place-holder home page
Tony Finch [Wed, 5 Sep 2018 11:22:35 +0000 (12:22 +0100)]
openresty: remove the place-holder home page

2 years ago  doh101: allow the DoH 400 error page to be customized
Tony Finch [Wed, 5 Sep 2018 11:21:56 +0000 (12:21 +0100)]
doh101: allow the DoH 400 error page to be customized

2 years ago  doh101: ensure nginx is enabled and running
Tony Finch [Wed, 5 Sep 2018 10:47:02 +0000 (11:47 +0100)]
doh101: ensure nginx is enabled and running

2 years ago  nginx: adjust TLS cert symlinks to use more conventional names
Tony Finch [Wed, 5 Sep 2018 10:31:10 +0000 (11:31 +0100)]
nginx: adjust TLS cert symlinks to use more conventional names

2 years ago  openresty: adapt the apt setup to work on Ubuntu as well as Debian
Tony Finch [Thu, 23 Aug 2018 18:24:24 +0000 (19:24 +0100)]
openresty: adapt the apt setup to work on Ubuntu as well as Debian

2 years ago  README: correct paths that have changed
Tony Finch [Thu, 23 Aug 2018 18:00:53 +0000 (19:00 +0100)]
README: correct paths that have changed

2 years ago  README: update for split roles
Tony Finch [Thu, 23 Aug 2018 17:58:26 +0000 (18:58 +0100)]
README: update for split roles

2 years ago  dehydrated: avoid racing for DNS updates to propagate
Tony Finch [Thu, 23 Aug 2018 17:55:15 +0000 (18:55 +0100)]
dehydrated: avoid racing for DNS updates to propagate

2 years ago  dehydrated: better task name
Tony Finch [Thu, 23 Aug 2018 17:54:58 +0000 (18:54 +0100)]
dehydrated: better task name

2 years ago  doh101: put Lua code in the site-specific directory
Tony Finch [Thu, 23 Aug 2018 17:37:44 +0000 (18:37 +0100)]
doh101: put Lua code in the site-specific directory

2 years ago  dehydrated: ensure nginx/conf exists for TLS cert symlinks
Tony Finch [Thu, 23 Aug 2018 17:36:37 +0000 (18:36 +0100)]
dehydrated: ensure nginx/conf exists for TLS cert symlinks

2 years ago  dehydrated: avoid trying to restart nginx when it isn't running
Tony Finch [Thu, 23 Aug 2018 17:35:49 +0000 (18:35 +0100)]
dehydrated: avoid trying to restart nginx when it isn't running

This is mainly so that the playbook bootstraps correctly

2 years ago  doh101: logging of stream connections
Tony Finch [Thu, 23 Aug 2018 17:35:00 +0000 (18:35 +0100)]
doh101: logging of stream connections

2 years ago  doh101: auto-rotate nginx logs
Tony Finch [Thu, 23 Aug 2018 16:20:36 +0000 (17:20 +0100)]
doh101: auto-rotate nginx logs

2 years ago  dot.pl: support for sending multiple pipelined queries
Tony Finch [Thu, 23 Aug 2018 16:01:48 +0000 (17:01 +0100)]
dot.pl: support for sending multiple pipelined queries

2 years ago  ansible: move supporting tasks into a separate role
Tony Finch [Thu, 23 Aug 2018 15:50:47 +0000 (16:50 +0100)]
ansible: move supporting tasks into a separate role

This is to reduce the doh101 role closer to something
I can directly use with my production setup.

2 years ago  ansible: split up the playbook to make it easier to pick-and-choose
Tony Finch [Thu, 23 Aug 2018 15:39:03 +0000 (16:39 +0100)]
ansible: split up the playbook to make it easier to pick-and-choose

2 years ago  {doh,dot}.pl: fix -k disabled verification mode
Tony Finch [Thu, 23 Aug 2018 15:35:14 +0000 (16:35 +0100)]
{doh,dot}.pl: fix -k disabled verification mode

2 years ago  nginx: reduce ssl-related repetition
Tony Finch [Wed, 22 Aug 2018 17:46:24 +0000 (18:46 +0100)]
nginx: reduce ssl-related repetition

2 years ago  doh101: customizable error pages for misdirected browsers
Tony Finch [Wed, 22 Aug 2018 17:37:08 +0000 (18:37 +0100)]
doh101: customizable error pages for misdirected browsers

2 years ago  ansible: reload nginx when Lua modules are changed
Tony Finch [Wed, 22 Aug 2018 15:38:47 +0000 (16:38 +0100)]
ansible: reload nginx when Lua modules are changed

2 years ago  doh.lua: append a newline to HTTP error bodies
Tony Finch [Wed, 22 Aug 2018 15:38:08 +0000 (16:38 +0100)]
doh.lua: append a newline to HTTP error bodies

2 years ago  doh.lua: raise "method not allowed" errors the correct way
Tony Finch [Wed, 22 Aug 2018 15:35:31 +0000 (16:35 +0100)]
doh.lua: raise "method not allowed" errors the correct way

2 years ago  nginx: configuration is no longer a template
Tony Finch [Wed, 22 Aug 2018 15:24:51 +0000 (16:24 +0100)]
nginx: configuration is no longer a template

2 years ago  README: update
Tony Finch [Tue, 21 Aug 2018 19:10:00 +0000 (20:10 +0100)]
README: update

2 years ago  dot.pl: dumb DNS-over-TLS test client
Tony Finch [Tue, 21 Aug 2018 19:01:44 +0000 (20:01 +0100)]
dot.pl: dumb DNS-over-TLS test client

2 years ago  ansible: resolver configuration option is now gone
Tony Finch [Tue, 21 Aug 2018 18:58:37 +0000 (19:58 +0100)]
ansible: resolver configuration option is now gone

2 years ago  nginx: revamp configuration
Tony Finch [Tue, 21 Aug 2018 18:52:57 +0000 (19:52 +0100)]
nginx: revamp configuration

Strip extraneous options.

Use modern cipher list recommended by Mozilla.

Add HTTPS strict transport security.

Better dual stack support.

For DNS-over-TLS, use the same backend server address as the
client connected to, so that DNS server views work.

Put the DNS-over-HTTPS endpoint at the root. I'll do the
redirect to documentation in an error message file.

2 years ago  dehydrated: send cronspam to syslog instead of email
Tony Finch [Tue, 21 Aug 2018 18:38:25 +0000 (19:38 +0100)]
dehydrated: send cronspam to syslog instead of email

2 years ago  ansible: install BIND instead of Unbound
Tony Finch [Tue, 21 Aug 2018 18:36:42 +0000 (19:36 +0100)]
ansible: install BIND instead of Unbound

Mainly because BIND listens on all interfaces by default
(so it works better with my view-friendly DoH proxy)
whereas Unbound only listens on localhost. This saves
me from having to configure the DNS server.

2 years ago  doh.lua: revamp for conformance with final draft
Tony Finch [Tue, 21 Aug 2018 18:32:55 +0000 (19:32 +0100)]
doh.lua: revamp for conformance with final draft

DNS responses are scanned for TTLs in order to set the HTTP response
lifetime.

The DNS server address is the same as the HTTP server address -
this is so that doh101 can run on a DNS server that uses views.

The content-type checking and other error checking should
be better now.

2 years ago  doh.pl: nicer packet dumps; force RD=1
Tony Finch [Tue, 21 Aug 2018 18:06:56 +0000 (19:06 +0100)]
doh.pl: nicer packet dumps; force RD=1

2 years ago  doh.pl: log hexdumps of DNS packets
Tony Finch [Tue, 21 Aug 2018 16:51:56 +0000 (17:51 +0100)]
doh.pl: log hexdumps of DNS packets

2 years ago  README: a TODO item
Tony Finch [Sun, 18 Mar 2018 15:24:03 +0000 (15:24 +0000)]
README: a TODO item

2 years ago  dehydrated: do not assume my prototyping TSIG key is available
Tony Finch [Sun, 18 Mar 2018 15:18:17 +0000 (15:18 +0000)]
dehydrated: do not assume my prototyping TSIG key is available

2 years ago  doh: documentation etc
Tony Finch [Sun, 18 Mar 2018 15:17:24 +0000 (15:17 +0000)]
doh: documentation etc

2 years ago  ansible: ignore droppings
Tony Finch [Sun, 18 Mar 2018 14:39:58 +0000 (14:39 +0000)]
ansible: ignore droppings

2 years ago  doh.pl: move to a more convenient place
Tony Finch [Sun, 18 Mar 2018 14:38:51 +0000 (14:38 +0000)]
doh.pl: move to a more convenient place

2 years ago  doh: install unbound so there is a self-contained resolver
Tony Finch [Sun, 18 Mar 2018 14:29:15 +0000 (14:29 +0000)]
doh: install unbound so there is a self-contained resolver

2 years ago  ansible: fix inventory YAML syntax
Tony Finch [Sun, 18 Mar 2018 14:25:09 +0000 (14:25 +0000)]
ansible: fix inventory YAML syntax

2 years ago  ansible: add some top-level files for using the role
Tony Finch [Sun, 18 Mar 2018 14:22:13 +0000 (14:22 +0000)]
ansible: add some top-level files for using the role

2 years ago  doh: use a template variable to set the DNS resolver address
Tony Finch [Sun, 18 Mar 2018 14:19:34 +0000 (14:19 +0000)]
doh: use a template variable to set the DNS resolver address

2 years ago  doh.pl: add a -k (insecure) option
Tony Finch [Sun, 18 Mar 2018 13:48:38 +0000 (13:48 +0000)]
doh.pl: add a -k (insecure) option

2 years ago  openresty: prune inspect.lua
Tony Finch [Sun, 18 Mar 2018 13:42:31 +0000 (13:42 +0000)]
openresty: prune inspect.lua

This was a dodgy copy from https://github.com/kikito/inspect.lua
and it isn't really appropriate to redistribute it in this way.

2 years ago  openresty: install base64url.lua
Tony Finch [Sun, 18 Mar 2018 13:38:42 +0000 (13:38 +0000)]
openresty: install base64url.lua

2 years ago  dehydrated: automatically obtain TLS cert
Tony Finch [Sun, 18 Mar 2018 13:38:06 +0000 (13:38 +0000)]
dehydrated: automatically obtain TLS cert

2 years ago  doh: remove leftovers from earlier experiments
Tony Finch [Sun, 18 Mar 2018 13:37:28 +0000 (13:37 +0000)]
doh: remove leftovers from earlier experiments

2 years ago  dehydrated: use the letsencrypt staging CA by default
Tony Finch [Sun, 18 Mar 2018 13:27:02 +0000 (13:27 +0000)]
dehydrated: use the letsencrypt staging CA by default

2 years ago  doh: rename role to reduce chance of collisions
Tony Finch [Sun, 18 Mar 2018 13:16:18 +0000 (13:16 +0000)]
doh: rename role to reduce chance of collisions

2 years ago  doh: add a blurb
Tony Finch [Sun, 18 Mar 2018 13:11:11 +0000 (13:11 +0000)]
doh: add a blurb

2 years ago  doh: turn on http2
Tony Finch [Sun, 18 Mar 2018 12:06:36 +0000 (12:06 +0000)]
doh: turn on http2

2 years ago  doh: response body fixes
Tony Finch [Sun, 18 Mar 2018 11:47:49 +0000 (11:47 +0000)]
doh: response body fixes

Avoid appending a newline to the DNS response (d'oh!)

Specify the content type in the Lua handler instead of nginx.conf

Include a Content-Length header

2 years ago  doh: the dumbest doh client ever
Tony Finch [Sat, 17 Mar 2018 19:24:39 +0000 (19:24 +0000)]
doh: the dumbest doh client ever

2 years ago  doh: one TCP connection per DNS-over-HTTP request
Tony Finch [Sat, 17 Mar 2018 18:59:03 +0000 (18:59 +0000)]
doh: one TCP connection per DNS-over-HTTP request

2 years ago  doh: DNS-over-TCP length prefix
Tony Finch [Sat, 17 Mar 2018 18:20:09 +0000 (18:20 +0000)]
doh: DNS-over-TCP length prefix

2 years ago  doh: join at a common doh handler
Tony Finch [Sat, 17 Mar 2018 17:57:25 +0000 (17:57 +0000)]
doh: join at a common doh handler

2 years ago  doh: fix decode_base64url
Tony Finch [Sat, 17 Mar 2018 17:52:34 +0000 (17:52 +0000)]
doh: fix decode_base64url

2 years ago  doh: attempt to decode doh GET request
Tony Finch [Sat, 17 Mar 2018 17:29:41 +0000 (17:29 +0000)]
doh: attempt to decode doh GET request

2 years ago  doh: lua ffi wrapper for decode_base64url
Tony Finch [Sat, 17 Mar 2018 17:29:14 +0000 (17:29 +0000)]
doh: lua ffi wrapper for decode_base64url

2 years ago  doh: read POST data
Tony Finch [Sat, 17 Mar 2018 16:20:55 +0000 (16:20 +0000)]
doh: read POST data

2 years ago  doh: starting to get HTTP logic working
Tony Finch [Sat, 17 Mar 2018 16:16:29 +0000 (16:16 +0000)]
doh: starting to get HTTP logic working

2 years ago  doh: inspect nginx lua api
Tony Finch [Sat, 17 Mar 2018 16:16:06 +0000 (16:16 +0000)]
doh: inspect nginx lua api

2 years ago  doh: utility for inspecting lua objects
Tony Finch [Sat, 17 Mar 2018 16:15:33 +0000 (16:15 +0000)]
doh: utility for inspecting lua objects

2 years ago  doh: neater way of invoking lua
Tony Finch [Sat, 17 Mar 2018 14:59:11 +0000 (14:59 +0000)]
doh: neater way of invoking lua

2 years ago  doh: install a lua handler which will do DoH
Tony Finch [Sat, 17 Mar 2018 14:45:46 +0000 (14:45 +0000)]
doh: install a lua handler which will do DoH

2 years ago  doh: reload certificates when they are renewed
Tony Finch [Sat, 17 Mar 2018 14:14:48 +0000 (14:14 +0000)]
doh: reload certificates when they are renewed

2 years ago  doh: prune nginx.conf gubbins
Tony Finch [Sat, 17 Mar 2018 14:12:23 +0000 (14:12 +0000)]
doh: prune nginx.conf gubbins

2 years ago  doh: build packages for getdns
Tony Finch [Sat, 17 Mar 2018 14:04:53 +0000 (14:04 +0000)]
doh: build packages for getdns

2 years ago  doh: configure nginx for DNS over TLS
Tony Finch [Sat, 17 Mar 2018 14:04:30 +0000 (14:04 +0000)]
doh: configure nginx for DNS over TLS

2 years ago  doh: listen on v6 and redirect to https
Tony Finch [Sat, 17 Mar 2018 13:19:07 +0000 (13:19 +0000)]
doh: listen on v6 and redirect to https

2 years ago  doh: nginx ssl config
Tony Finch [Sat, 17 Mar 2018 13:03:16 +0000 (13:03 +0000)]
doh: nginx ssl config

2 years ago  doh: use dehydrated to get a cert
Tony Finch [Sat, 17 Mar 2018 12:48:57 +0000 (12:48 +0000)]
doh: use dehydrated to get a cert

2 years ago  doh: basic openresty installation
Tony Finch [Sat, 17 Mar 2018 11:02:53 +0000 (11:02 +0000)]
doh: basic openresty installation

2 years ago  Start
Tony Finch [Mon, 11 Dec 2017 13:28:44 +0000 (13:28 +0000)]
Start