diff --git a/Dockerfile b/Dockerfile
index 5ceb490..b3f91e1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,38 +33,34 @@ RUN echo "I'm building for $TARGETPLATFORM"
 # Update Base
 RUN apk update && apk upgrade
+# Create Users
+RUN addgroup snidust && adduser -D -H -G snidust snidust
+
 # Install needed packages and clean up
-RUN apk add --no-cache tini dnsdist curl bash gnupg procps ca-certificates openssl dog lua5.4-filesystem ipcalc libcap && rm -rf /var/cache/apk/*
+RUN apk add --no-cache tini dnsdist curl bash gnupg procps ca-certificates openssl dog lua5.4-filesystem ipcalc libcap nginx nginx-mod-stream && rm -rf /var/cache/apk/*
 # Setup Folder(s)
 RUN mkdir -p /etc/dnsdist/conf.d && \
     mkdir -p /etc/snidust/ && \
     mkdir -p /etc/sniproxy/
-# Download and install sniproxy
-RUN ARCH=$(case ${TARGETPLATFORM:-linux/amd64} in \
-    "linux/amd64") echo "amd64" ;; \
-    "linux/arm/v7") echo "arm" ;; \
-    "linux/arm64") echo "arm64" ;; \
-    *) echo "" ;; esac) \
-    && echo "ARCH=$ARCH" \
-    && curl -sSL https://github.com/mosajjal/sniproxy/releases/download/v2.0.4/sniproxy-v2.0.4-linux-${ARCH}.tar.gz | tar xvz \
-    && chmod +x sniproxy && install sniproxy /usr/local/bin && setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/sniproxy && rm sniproxy
-
 # Copy Files
 COPY configs/dnsdist/dnsdist.conf.template /etc/dnsdist/dnsdist.conf.template
 COPY configs/dnsdist/conf.d/00-SniDust.conf /etc/dnsdist/conf.d/00-SniDust.conf
+COPY configs/nginx/nginx.conf /etc/nginx/nginx.conf
 COPY domains.d /etc/snidust/domains.d
-COPY configs/sniproxy/config.yaml /etc/sniproxy/config.yaml
 COPY entrypoint.sh /entrypoint.sh
 COPY generateACL.sh /generateACL.sh
 COPY dynDNSCron.sh /dynDNSCron.sh
-RUN addgroup snidust && adduser -D -H -G snidust snidust
+
 RUN chown -R snidust:snidust /etc/dnsdist/ && \
-    chown -R snidust:snidust /etc/sniproxy/ && \
+    chown -R snidust:snidust /etc/nginx/ && \
+    chown -R snidust:snidust /var/log/nginx/ && \
+    chown -R snidust:snidust /var/lib/nginx/ && \
+    chown -R snidust:snidust /run/nginx/ && \
     chmod +x /entrypoint.sh && \
     chmod +x /generateACL.sh && \
     chmod +x dynDNSCron.sh
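Review bot: The `chown -R snidust:snidust /etc/nginx/` in the final RUN hands the whole nginx configuration, including the `load_module` path in nginx.conf, to the unprivileged user that dnsdist and the cron job run as, while only the generated `/etc/nginx/allowedClients.conf` actually needs to be writable by snidust. If the nginx master is started as root (entrypoint.sh invokes plain `nginx` and no USER instruction is visible in this diff), a compromise of snidust — for instance through the Lua `os.execute` hook — becomes root at the next reload by rewriting nginx.conf. I would keep `/etc/nginx` root-owned and pre-create just the ACL file: `RUN touch /etc/nginx/allowedClients.conf && chown snidust:snidust /etc/nginx/allowedClients.conf`; the chowns of `/var/lib/nginx`, `/var/log/nginx` and `/run/nginx` are likewise only needed if nginx itself is meant to run as snidust, which should be decided explicitly. The now-unused `mkdir -p /etc/sniproxy/` a few lines above is left behind.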
diff --git a/configs/dnsdist/conf.d/00-SniDust.conf b/configs/dnsdist/conf.d/00-SniDust.conf
index a566ddc..8157c08 100644
--- a/configs/dnsdist/conf.d/00-SniDust.conf
+++ b/configs/dnsdist/conf.d/00-SniDust.conf
@@ -57,7 +57,7 @@ function ReloadACL(dq)
     dq.dh:setQR(true)
     infolog("[INFO] [SniDust] *** Reloading ACL... ***")
-    os.execute("/generateACL.sh && touch /tmp/reload_sni_proxy && PID_SNIPROXY=$(pidof sniproxy) && kill -HUP $PID_SNIPROXY")
+    os.execute("/generateACL.sh && /usr/sbin/nginx reload")
     setACLFromFile("/etc/dnsdist/allowedClients.acl")
     infolog("[INFO] [SniDust] *** ACL reload complete! ***")
diff --git a/configs/nginx/nginx.conf b/configs/nginx/nginx.conf
new file mode 100644
index 0000000..c6439ce
--- /dev/null
+++ b/configs/nginx/nginx.conf
@@ -0,0 +1,42 @@
+load_module '/usr/lib/nginx/modules/ngx_stream_module.so';
+worker_processes auto;
+worker_rlimit_nofile 35000;
+events {
+    worker_connections 15000;
+    multi_accept off;
+}
+
+http {
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+    server {
+        listen 8080 default_server;
+        listen [::]:8080 default_server;
+        resolver 8.8.8.8 ipv6=off;
+        include /etc/nginx/allowedClients.conf;
+        location / {
+            proxy_pass http://$host$request_uri;
+        }
+    }
+
+}
+
+
+stream {
+    log_format basic '$remote_addr [$time_local] '
+                     '$protocol $status $bytes_sent $bytes_received '
+                     '$session_time';
+
+    access_log /var/log/nginx/access.log basic;
+    error_log /var/log/nginx/error.log error;
+
+    server {
+        resolver 1.1.1.1 ipv6=off;
+        listen 8443;
+        include /etc/nginx/allowedClients.conf;
+        ssl_preread on;
+        proxy_connect_timeout 5s;
+        proxy_pass $ssl_preread_server_name:443;
+    }
+}
\ No newline at end of file
diff --git a/configs/sniproxy/config.yaml b/configs/sniproxy/config.yaml
deleted file mode 100644
index 279669d..0000000
--- a/configs/sniproxy/config.yaml
+++ /dev/null
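Review bot: `/usr/sbin/nginx reload` in the new os.execute line is not a valid nginx invocation — the reload signal is sent with `-s reload`, and a bare positional argument makes nginx print "invalid option" and exit non-zero — so the ACL file is regenerated but the running nginx keeps the previous allow-list until the container is restarted. The line should read `os.execute("/generateACL.sh && /usr/sbin/nginx -s reload")`. Note also that dnsdist runs as snidust (`--uid snidust` in entrypoint.sh) and the old sniproxy received its HUP from that same user; if the nginx master is started as root, `-s reload` from this hook will fail with EPERM when it signals the master, so the reload path needs either an unprivileged nginx or a different trigger — worth verifying in a running container. The ReloadACL function starts before this hunk.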
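Review bot: Both servers forward to whatever destination the client names — `proxy_pass http://$host$request_uri` on 8080 and `proxy_pass $ssl_preread_server_name:443` on 8443 — so any allowed client can use the container to reach loopback, RFC1918 or cloud-metadata addresses by choosing the Host header or SNI, independent of what dnsdist hands out. The removed sniproxy config had `domain: enabled: false` as well, so this is not a regression, but nginx can enforce the same list dnsdist serves from domains.d: a `map $ssl_preread_server_name $sni_upstream { hostnames; default ""; include /etc/nginx/allowedDomains.map; }` mapping each permitted name to `name:443`, with `proxy_pass $sni_upstream;` so unknown names get an empty upstream and are dropped (and a `map $host` counterpart for the http block). Separately, the listeners moved from 80/443 (the old `bind_http`/`bind_https`) to 8080/8443; unless the container's port mapping, which is not visible here, translates them, clients sent here by dnsdist will connect to 443 and find nothing. Finally, an empty `allowedClients.conf` include imposes no restriction at all, so the generator must always end the file with `deny all;`.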
@@ -1,67 +0,0 @@ -general: - # Upsteam DNS URI. examples: Upstream DNS URI. examples: udp://1.1.1.1:53, tcp://1.1.1.1:53, tcp-tls://1.1.1.1:853, https://dns.google/dns-query - upstream_dns: udp://8.8.8.8:53 - # enable send DNS through socks5 - upstream_dns_over_socks5: false - # Use a SOCKS proxy for upstream HTTP/HTTPS traffic. Example: socks5://admin: - upstream_socks5: - # DNS Port to listen on. Should remain 53 in most cases. MUST NOT be empty. Bind to dummy Port cause we use dnsdist - bind_dns_over_udp: "127.0.0.1:1234" - # enable DNS over TCP. empty disables it. example: "127.0.0.1:53" - bind_dns_over_tcp: - # enable DNS over TLS. empty disables it. example: "127.0.0.1:853" - bind_dns_over_tls: - # enable DNS over QUIC. empty disables it. example: "127.0.0.1:8853" - bind_dns_over_quic: - # Path to the certificate for DoH, DoT and DoQ. eg: /tmp/mycert.pem - tls_cert: - # Path to the certificate key for DoH, DoT and DoQ. eg: /tmp/mycert.key - tls_key: - # HTTP Port to listen on. Should remain 80 in most cases - bind_http: "0.0.0.0:80" - # HTTPS Port to listen on. Should remain 443 in most cases - bind_https: "0.0.0.0:443" - # Enable prometheus endpoint on IP:PORT. example: 127.0.0.1:8080. Always exposes /metrics and only supports HTTP - bind_prometheus: - # Interface used for outbound TLS connections. uses OS prefered one if empty - interface: - # Public IPv4 of the server, reply address of DNS A queries - public_ipv4: 127.0.0.1 # Dummy IP to supress "error" message - # Public IPv6 of the server, reply address of DNS AAAA queries - public_ipv6: ::1 # Dummy IP to supress "error" message - # log level for the application. choices: debug, info, warn, error - # by default, the logs are colored so they are not suited for logging to a file. - # in order to disable colors, set NO_COLOR=true in the environment variables - log_level: error - -acl: - # geoip filtering - # - # the logic is as follows: - # 1. 
if mmdb is not loaded or not available, it's fail-open (allow by default) - # 2. if the IP can't be resolved to a country, it's rejected - # 3. if the country is in the blocked list, it's rejected - # 4. if the country is in the allowed list, it's allowed - # note that the reject list is checked first and takes priority over the allow list - # if the IP's country doesn't match any of the above, it's allowed if the blocked list is not empty - # for example, if the blockedlist is [US] and the allowedlist is empty, a connection from - # CA will be allowed. but if blockedlist is empty and allowedlist is [US], a connection from - # CA will be rejected. - geoip: - enabled: false - # domain filtering - domain: - enabled: false # false means ALL domains will be allowed to go through the proxy - # IP/CIDR filtering - cidr: - enabled: true - # priority of the cidr filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order - priority: 10 - # Path to the CIDR list. eg: /tmp/cidr.csv. Look at the example file for the format. - path: /etc/sniproxy/allowedClients.acl - # Interval to re-fetch the cidr list - refresh_interval: 1h0m0s - # FQDN override. This ACL is used to override the destination IP to not be the one resolved by the upstream DNS or the proxy itself, rather a custom IP and port - # if the destination is HTTP, it uses tls_cert and tls_key certificate to terminate the original connection. - override: - enabled: false diff --git a/dynDNSCron.sh b/dynDNSCron.sh index 74fe0de..2187965 100644 --- a/dynDNSCron.sh +++ b/dynDNSCron.sh 
@@ -11,8 +11,7 @@ else
 echo "[ERROR] [DnyDNSCron] Failed to reload DnsDist ACL config!"
 fi
-touch /tmp/reload_sni_proxy
-echo "[INFO] [DnyDNSCron] Reloading/Restarting Sniproxy..."
-PID_SNIPROXY=$(pidof sniproxy)
-kill -HUP $PID_SNIPROXY
-echo "[INFO] [DnyDNSCron] Sniproxy successfully reloaded/restarted"
\ No newline at end of file
+
+echo "[INFO] [DnyDNSCron] reloading nginx..."
+/usr/sbin/nginx reload
+echo "[INFO] [DnyDNSCron] ngix successfully reloaded"
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
index 1a400dc..00f1b1a 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -28,7 +28,7 @@ source generateACL.sh
 set -e
-echo "[INFO] Generating DNSDist Configs..."
+echo "[INFO] Generating DNSDist Config..."
 /bin/bash /etc/dnsdist/dnsdist.conf.template > /etc/dnsdist/dnsdist.conf
 if [ "$DYNDNS_CRON_ENABLED" = true ];
@@ -41,16 +41,9 @@ fi
 echo "[INFO] Starting DNSDist..."
 /usr/bin/dnsdist -C /etc/dnsdist/dnsdist.conf --supervised --disable-syslog --uid snidust --gid snidust &
-echo "[INFO] Starting sniproxy"
-(until /usr/local/bin/sniproxy --config "/etc/sniproxy/config.yaml"; do
-    if [ -f "/tmp/reload_sni_proxy" ];
-    then
-        # ignore => restarted by cron
-        rm -f /tmp/reload_sni_proxy
-    else
-        echo "[WARN] sniproxy crashed with exit code $?. Restarting..." >&2
-    fi
-    sleep 1
-done) &
+
+echo "[INFO] Starting nginx.."
+nginx
+
 echo "[INFO] Using $EXTERNAL_IP - Point your DNS settings to this address"
 wait -n
diff --git a/generateACL.sh b/generateACL.sh
index da6c36c..bd48a4f 100644
--- a/generateACL.sh
+++ b/generateACL.sh
@@ -39,6 +39,9 @@ if [ -f "/etc/dnsdist/allowedClients.acl" ]; then
 while read -r line
 do
-    echo "$line,allow" >> /etc/sniproxy/allowedClients.acl
+    echo "allow $line;" >> /etc/nginx/allowedClients.conf
+    echo "deny all;" >> /etc/nginx/allowedClients.conf
 done < "/etc/dnsdist/allowedClients.acl"
+else
+    touch /etc/nginx/allowedClients.conf
 fi
\ No newline at end of file
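Review bot: `/usr/sbin/nginx reload` is not how nginx is reloaded (it needs `-s reload`; a bare argument is rejected as an invalid option), and the success message on the following line is printed regardless of the exit status, so this cron job will log "successfully reloaded" on every run while the allow-list nginx enforces never changes. The lines just above already use an if/else with an `[ERROR]` branch for the dnsdist reload; the nginx step should follow the same pattern, and the message misspells nginx as `ngix`. As with the dnsdist Lua hook, this only works if the user the cron job runs as is allowed to signal the nginx master — verify that in a running container.
```shell
echo "[INFO] [DnyDNSCron] reloading nginx..."
if /usr/sbin/nginx -s reload; then
  echo "[INFO] [DnyDNSCron] nginx successfully reloaded"
else
  echo "[ERROR] [DnyDNSCron] Failed to reload nginx!"
fi
```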
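Review bot: The bare `nginx` added in the second hunk starts nginx with its default `daemon on`, so the call returns once the master has forked into the background and nginx is not a child the trailing `wait -n` can observe: if the nginx master later dies, the container keeps running with dnsdist still steering clients to a proxy that is gone, whereas the removed sniproxy loop restarted it. Start it as a supervised background job instead, `nginx -g 'daemon off;' &`, so that `wait -n` returns (and tini ends the container) when either daemon exits; `set -e` from the first hunk still aborts start-up if the config fails to load. Note also that dnsdist is dropped to snidust with `--uid`/`--gid` while nginx keeps whatever identity the entrypoint has; if that is root, nginx is the only root process left and binding 8080/8443 does not require it, so the choice deserves an explicit comment or an unprivileged launch.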
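Review bot: The loop writes `deny all;` after every `allow` line, so the generated include reads `allow A; deny all; allow B; deny all; …`; nginx's access rules are evaluated in order and stop at the first match, which means only the first entry of the ACL is ever allowed and every other listed client is denied on both 8080 and 8443. In the `else` branch the file is merely touched, and an empty include imposes no restriction, so a missing `/etc/dnsdist/allowedClients.acl` turns the container into an open proxy. Emit `deny all;` exactly once, after the loop and regardless of whether the source list exists (this assumes the include file is truncated earlier in the script, as the `>>` appends on both the old and the new side require — not visible here). The enclosing `if` opens on the line just before this hunk.
```shell
  while read -r line
  do
    echo "allow $line;" >> /etc/nginx/allowedClients.conf
  done < "/etc/dnsdist/allowedClients.acl"
fi
# Always terminate the list: an empty include would let any client through
echo "deny all;" >> /etc/nginx/allowedClients.conf
```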