no way to compare when less than two revisions

差别

这里会显示出您选择的修订版和当前版本之间的差别。

@@ 行 1: / 行 1: @@
+====== 使用 Nginx 搭建 DNS over HTTPS (DoH) ======
+==== 参考文档及源代码 ====
+  - [[https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/|Using NGINX as a DoT or DoH Gateway]]
+  - [[https://github.com/TuxInvader/nginx-dns|NGINX DNS (DNS/DoT/DoH), nginx_stream.js源代码]]
+  - [[https://www.nginx.com/blog/introduction-nginscript|Introduction to the NGINX JavaScript Module]]
+  - [[https://nginx.org/en/docs/njs/|njs scripting language]]
+  - [[http://hg.nginx.org/njs|njs source repository]]
+==== 为 Nginx 增加 njs 功能模块 ====
+对于 FreeBSD, ports安装时, 选上 NJS 模块即可, 如果选了 DSO, 则配置文件需要加载 njs 的 stream 模块.
+另外 stream 模块都需要加上
+<code>
+load_module /usr/local/libexec/nginx/ndk_http_module.so;
+load_module /usr/local/libexec/nginx/ngx_stream_js_module.so;
+load_module /usr/local/libexec/nginx/ngx_stream_module.so;
+</code>
+对于 Linux, 如果直接安装已编译好的包, 可参考上面文档 #4. 如果是手动编译, 则需要下载源代码并且编译nginx时添加参数. 例如
+<code>--add-module=/path/njs-src/nginx</code>
+njs 的 [[http://hg.nginx.org/njs|最新源代码]]
+==== 配置 Nginx ====
+以下是简明配置, 详细的参考上面的文档 #1 和 #2
+先从 #2 下载 nginx-dns js 全部代码, 本地目录 /path/nginx_dns
+如果上游DNS服务器使用DNS over TLS(DoT),一般是853端口, 则 stream 配置需要启用 proxy_ssl
+如果上游DNS服务器是普通形式, 一般是53端口, 则 stream 配置**不**需要启用 proxy_ssl
+<code>
+http {
+	....省略....
+	ssl_protocols			TLSv1.2 TLSv1.3;
+	ssl_ciphers			"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+	ssl_prefer_server_ciphers	on;
+	ssl_session_cache		shared:SSL:50m;
+	ssl_session_timeout		1d;
+	ssl_dhparam			/path/dh4096.pem;
+	ssl_early_data			on;
+	upstream dohloop {
+		zone		dohloop 64k;
+		server		127.0.0.1:8053;
+		keepalive	10;
+	}
+	server {
+		server_name		hshh.org;
+		listen			443 ssl http2;
+		listen			[::]:443 ssl http2;
+		ssl_certificate		/path/fullchain.pem;
+		ssl_certificate_key	/path/privkey.pem;
+		ssl_stapling		on;
+		ssl_stapling_verify	on;
+		add_header		Strict-Transport-Security max-age=31536000;
+		location /dns-query {
+			proxy_http_version	1.1;
+			proxy_set_header	Connection "";
+			proxy_pass		http://dohloop;
+		}
+	}
+}
+stream {
+	ssl_protocols			TLSv1.2 TLSv1.3;
+	ssl_ciphers			"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+	ssl_prefer_server_ciphers	on;
+	#ssl_session_cache		shared:SSL:50m;
+	ssl_session_timeout		1d;
+	ssl_dhparam			/path/dh4096.pem;
+	tcp_nodelay			on;
+	js_import			/path/nginx_dns/nginx_stream.js;
+	upstream dot {
+		zone	dot 64k;
+		server	8.8.8.8:853;
+		server	8.8.4.4:853;
+	}
+	server {
+		listen		127.0.0.1:8053;
+		js_filter	nginx_stream.dns_filter_doh_request;
+		proxy_ssl	on; # 如果上面upstream dot内的DNS服务器不是DoT, 即是普通53端口, 则注释本行
+		proxy_pass	dot;
+	}
+}
+</code>
+==== nginx_stream.js hack ====
+在本次修改前, nginx_stream.js 还未适配最新的 njs, 需要手动添加以下至文件末尾
+<code>
+export default { glb_get_response, glb_process_request, glb_get_edns_subnet, dns_filter_doh_request, dns_preread_doh_request, dns_preread_dns_request, dns_get_qname, dns_get_response };
+</code>
+==== 测试 ====
+=== 使用 curl ===
+<code>
+curl -v --doh-url https://dnsserver/dns-query http://example.com
+</code>
+=== 使用 doh ===
+参见 https://github.com/curl/doh
+==== 更新说明 ====
+  * 20211228, 新版的 njs, 需要 js 源代码输出 export, 为此 js_filter 也需要声明命名空间. 另外配置文件中的 js_include 已被废弃, 取而代之为 js_import. nginx_stream.js 也可能需要手动修改适配.