From 1e7c562bdb5344f4ba3555df845552e723cc2c72 Mon Sep 17 00:00:00 2001
From: minoplhy
Date: Sat, 28 Aug 2021 13:31:03 +0700
Subject: [PATCH] A BIG REVOLUTION
---
 configuration/dns-resolver/kresd-forward.conf | 44 +++++++++++++++++++
 configuration/{ => dns-resolver}/kresd.conf | 18 ++++----
 configuration/reverseproxy/README.md | 5 +++
 configuration/{ => reverseproxy}/haproxy.cfg | 0
 configuration/reverseproxy/nginx/README.md | 9 ++++
 configuration/reverseproxy/nginx/doh | 25 +++++++++++
 configuration/reverseproxy/nginx/dot-stream | 15 +++++++
 7 files changed, 107 insertions(+), 9 deletions(-)
 create mode 100644 configuration/dns-resolver/kresd-forward.conf
 rename configuration/{ => dns-resolver}/kresd.conf (77%)
 create mode 100644 configuration/reverseproxy/README.md
 rename configuration/{ => reverseproxy}/haproxy.cfg (100%)
 create mode 100644 configuration/reverseproxy/nginx/README.md
 create mode 100644 configuration/reverseproxy/nginx/doh
 create mode 100644 configuration/reverseproxy/nginx/dot-stream
diff --git a/configuration/dns-resolver/kresd-forward.conf b/configuration/dns-resolver/kresd-forward.conf
new file mode 100644
index 0000000..313065a
--- /dev/null
+++ b/configuration/dns-resolver/kresd-forward.conf
@@ -0,0 +1,44 @@
+-- SPDX-License-Identifier: CC0-1.0
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
+
+-- visit https://knot-resolver.readthedocs.io/en/stable/config-logging-monitoring.html for more info
+log_level('info')
+-- Network interface configuration
+net.listen('127.0.0.1', 5353, { kind = 'dns' })
+net.listen('::1', 5353, { kind = 'dns', freebind = true })
+net.listen('0.0.0.0', 53, { kind = 'dns' })
+net.listen('::', 53, { kind = 'dns', freebind = true })
+
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+ 'policy'
+}
+
+
+-- policy help : https://knot-resolver.readthedocs.io/en/stable/modules-policy.html
+-- This is Just a Blocklist
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minopallow.txt',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/adguard-exceptions.txt',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minoplhyallowlist.txt',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minopdeny.txt',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minoplhy.txt',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minoplhyneto.txt',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-ultimate.txt',true))
+
+policy.add(policy.all(
+ policy.TLS_FORWARD({
+ -- multiple servers can be specified for a single slice
+ -- the one with lowest round-trip time will be used
+ --
+ -- You can changes this as your choices address below is DOT
+ -- and there's other protocol avvailable on : https://knot-resolver.readthedocs.io/en/stable/config-network-forwarding.html
+ {'9.9.9.9', hostname='dns.quad9.net'},
+ {'2620:fe::fe', hostname='dns.quad9.net'},
+ })
+))
+
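Review bot: `net.listen('0.0.0.0', 53, ...)` and `net.listen('::', 53, ...)` bind the forwarding resolver on every interface with no client restriction, so on a host with a public address this is an open resolver that anyone on the Internet can query; the nginx DoT front-end added in this commit only needs the `127.0.0.1:5353` listener. If the wildcard binds are meant for LAN clients, say so in the "Network interface configuration" comment and restrict clients with the `view` module (add `'view'` to `modules`, list the permitted ranges with `view:addr(...)`, then end with `view:addr('0.0.0.0/0', policy.all(policy.REFUSE))`), otherwise drop the two wildcard listeners. A one-line header comment distinguishing this file from kresd.conf would also help, since the two are nearly identical apart from the `policy.TLS_FORWARD` block: `-- Forwarding variant of kresd.conf: all queries are sent over TLS to the upstreams below instead of being resolved recursively.`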
diff --git a/configuration/kresd.conf b/configuration/dns-resolver/kresd.conf similarity index 77% rename from configuration/kresd.conf rename to configuration/dns-resolver/kresd.conf index 5c8d8cc..b625b81 100644 --- a/configuration/kresd.conf +++ b/configuration/dns-resolver/kresd.conf @@ -10,6 +10,7 @@ net.listen('::1', 5353, { kind = 'dns', freebind = true }) net.listen('0.0.0.0', 53, { kind = 'dns' }) net.listen('::', 53, { kind = 'dns', freebind = true }) + -- Load useful modules modules = { 'hints > iterate', -- Load /etc/hosts and allow custom root hints 
@@ -23,12 +24,11 @@ cache.size = 50 * MB -- policy help : https://knot-resolver.readthedocs.io/en/stable/modules-policy.html -- This is Just a Blocklist -policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minopallow.rpz',true)) -policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/adguard-exceptions.rpz',true)) -policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minoplhy-privatebuild.rpz',true)) -policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minopdeny.rpz',true)) -policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-regional.rpz',true)) -policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/urlhaus-abuse_ch.rpz',true)) -policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-xtreme.rpz',true)) -policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minop-cname-cloaking.rpz',true)) -policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/ad-cname-tracker.rpz',true)) +policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minopallow.txt',true)) +policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/adguard-exceptions.txt',true)) +policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minoplhyallowlist.txt',true)) +policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minopdeny.txt',true)) +policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minoplhy.txt',true)) +policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minoplhyneto.txt',true)) +policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-ultimate.txt',true)) + diff --git a/configuration/reverseproxy/README.md b/configuration/reverseproxy/README.md new file mode 100644 index 0000000..e09c1dd --- /dev/null +++ b/configuration/reverseproxy/README.md 
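Review bot: The seven `policy.rpz` lines replace `.rpz` lists with `.txt` files, but `policy.rpz` parses the file as an RPZ zone regardless of its extension, so if any of the renamed lists is a plain hosts/AdGuard-style file rather than RPZ, kresd will fail to load the rule; I cannot see the list files, so please confirm their format. The ordering matters and deserves a comment, since policy rules are evaluated in insertion order and `policy.PASS` stops further processing: `-- Keep the PASS (allowlist) rules above the REFUSE rules: rules run in insertion order and the first match wins.` The same seven lines are duplicated verbatim in the new kresd-forward.conf; loading them from one shared Lua snippet (plain `dofile` works in a kresd config) would keep the two files from drifting.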
@@ -0,0 +1,5 @@
+# NGINX or Haproxy
+My Personal Recommendation is NGINX over Haproxy
+## Why?
+* NGINX is faster and easier to customize and take care of
+* Haproxy is ok but Performance is main issues of my configuration
\ No newline at end of file
diff --git a/configuration/haproxy.cfg b/configuration/reverseproxy/haproxy.cfg
similarity index 100%
rename from configuration/haproxy.cfg
rename to configuration/reverseproxy/haproxy.cfg
diff --git a/configuration/reverseproxy/nginx/README.md b/configuration/reverseproxy/nginx/README.md
new file mode 100644
index 0000000..0a7e79f
--- /dev/null
+++ b/configuration/reverseproxy/nginx/README.md
@@ -0,0 +1,9 @@
+# doh-stream
+Before copying this to somewhere else like '/etc/nginx/stream/dot-stream'
+
+Please add this line to /etc/nginx/nginx.conf :
+```
+stream {
+ include /etc/nginx/streams/*;
+}
+```
\ No newline at end of file
diff --git a/configuration/reverseproxy/nginx/doh b/configuration/reverseproxy/nginx/doh
new file mode 100644
index 0000000..4d1137e
--- /dev/null
+++ b/configuration/reverseproxy/nginx/doh
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name SERVER_NAME;
+
+ server_tokens off;
+ ssl_protocols TLSv1.3;
+ # HTTP Security Headers
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=63072000";
+ ssl_certificate /go/to/ket/;
+ ssl_certificate_key /go/to/ket/;
+ gzip off;
+ add_header Last-Modified $date_gmt;
+ etag off;
+
+ location /dns-query {
+ proxy_pass http://localhost:8053/dns-query;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+}
\ No newline at end of file
diff --git a/configuration/reverseproxy/nginx/dot-stream b/configuration/reverseproxy/nginx/dot-stream
new file mode 100644
index 0000000..e2726a0
--- /dev/null
+++ b/configuration/reverseproxy/nginx/dot-stream
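Review bot: `ssl_certificate /go/to/ket/;` and `ssl_certificate_key /go/to/ket/;` are placeholders that point at a directory (trailing slash) and "ket" looks like a typo for "key", so nginx will refuse to start until both are replaced; the same placeholder appears in dot-stream, and neither README mentions that these (and `server_name SERVER_NAME;`) must be filled in. `proxy_pass http://localhost:8053/dns-query;` assumes a DoH backend on 8053, but nothing in this commit opens one (both kresd configs declare only `kind = 'dns'` listeners on 53 and 5353), so either add the matching `net.listen` to kresd-forward.conf or state in the README where the 8053 backend comes from. A comment above the location block would make the trust boundary clear: `# TLS terminates here; the hop to the resolver on 8053 is plain HTTP over loopback only.`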
@@ -0,0 +1,15 @@
+ # DNS upstream pool
+upstream dns {
+ zone dns 64k;
+ server 127.0.0.1:5353;
+ }
+
+ # DoT server for decryption
+server {
+ listen 853 ssl;
+ listen [::]:853 ssl;
+ ssl_certificate /go/to/ket/;
+ ssl_certificate_key /go/to/ket/;
+ proxy_pass dns;
+ }
+
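Review bot: The DoT `server { listen 853 ssl; ... }` block sets no `ssl_protocols`, so it inherits nginx's build default, which can include TLS 1.0/1.1, while the sibling doh file pins `ssl_protocols TLSv1.3;`; add `ssl_protocols TLSv1.2 TLSv1.3;` after the two `listen` lines so the DoT endpoint is at least as strict as the DoH one (DoT requires TLS 1.2 or newer). The README added alongside tells the reader to copy this file to `/etc/nginx/stream/dot-stream` but the `include` it proposes is `/etc/nginx/streams/*;`, so one of the two paths needs correcting or the file will never be loaded. The indentation is also inconsistent (the leading space on `# DNS upstream pool` and `# DoT server for decryption`, and the closing `}` lines indented while the opening lines are not); aligning the braces at column 0 would make the two blocks read as siblings.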