xnix:nginx_doh
— | xnix:nginx_doh [2021/12/30 04:47] (当前版本) – Hshh | ||
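--- a/xnix/nginx_doh.txt
+++ b/xnix/nginx_doh.txt
@@ -0,0 +1,105 @@
+====== 使用 Nginx 搭建 DNS over HTTPS (DoH) ======
+==== 参考文档及源代码 ====
+
+- [[https://
+- [[https://
+- [[https://
+- [[https://
+- [[http://
+
+==== 为 Nginx 增加 njs 功能模块 ====
+
+对于 FreeBSD, ports安装时,
+另外 stream 模块都需要加上
+<
+load_module /
+load_module /
+load_module /
+</
+
+对于 Linux, 如果直接安装已编译好的包,
+<
+
+njs 的 [[http://
+==== 配置 Nginx ====
+
+以下是简明配置,
+先从 #2 下载 nginx-dns js 全部代码,
+
+如果上游DNS服务器使用DNS over TLS(DoT),
+
+如果上游DNS服务器是普通形式,
+
+<
+http {
+....省略....
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:
+ssl_session_timeout 1d;
+ssl_dhparam /
+ssl_early_data on;
+upstream dohloop {
+zone dohloop 64k;
+server 127.0.0.1:
+keepalive 10;
+}
+server {
+server_name hshh.org;
+listen 443 ssl http2;
+listen [::
+ssl_certificate /
+ssl_certificate_key /
+ssl_stapling on;
+ssl_stapling_verify on;
+add_header Strict-Transport-Security max-age=31536000;
+location /dns-query {
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_pass http://
+}
+}
+}
+
+stream {
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "
+ssl_prefer_server_ciphers on;
+#
+ssl_session_timeout 1d;
+ssl_dhparam /
+tcp_nodelay on;
+js_import /
+upstream dot {
+zone dot 64k;
+server 8.8.8.8:
+server 8.8.4.4:
+}
+server {
+listen 127.0.0.1:
+js_filter nginx_stream.dns_filter_doh_request;
+proxy_ssl on;
+proxy_pass dot;
+}
+}
+</
+
+==== nginx_stream.js hack ====
+在本次修改前,
+<
+export default { glb_get_response,
+</
+
+==== 测试 ====
+
+=== 使用 curl ===
+<
+curl -v --doh-url https://
+</
+
+=== 使用 doh ===
+参见 https://
+
+==== 更新说明 ====
+* 20211228, 新版的 njs, 需要 js 源代码输出 export, 为此 js_filter 也需要声明命名空间. 另外配置文件中的 js_include 已被废弃,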
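Review bot: The `stream` server that forwards to the `dot` upstream enables TLS with `proxy_ssl on;` but sets no `proxy_ssl_verify on;`, and nginx does not verify upstream certificates by default, so the DoT hop to 8.8.8.8/8.8.4.4 is encrypted but the resolver's identity is never checked and a forged DoT endpoint would be accepted. Because `proxy_pass dot;` names an upstream group rather than a host, the name used for verification and SNI would default to `dot`, so `proxy_ssl_name` and `proxy_ssl_server_name on;` are needed alongside a trusted CA bundle, as below. Separately, `ssl_early_data on;` in the `http` block accepts TLS 1.3 0-RTT requests; nginx's documentation recommends forwarding `$ssl_early_data` (for example `proxy_set_header Early-Data $ssl_early_data;` in `location /dns-query`) so the upstream can distinguish replayable requests. The rendered page truncates several directives (the `ssl_ciphers` values, the commented line in `stream`), so those are not assessed here.
```nginx
# … unchanged: listen / js_filter lines …
proxy_ssl on;
proxy_ssl_verify on;
proxy_ssl_server_name on;
proxy_ssl_name dns.google;                               # name presented on Google Public DNS's DoT certificate
proxy_ssl_trusted_certificate /path/to/ca-bundle.pem;    # placeholder: local CA bundle path
proxy_pass dot;
```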
xnix/nginx_doh.txt · 最后更改: 2021/12/30 04:47 由 Hshh