dnsdist: Allow accepting DoH queries over HTTP instead of HTTPS #8267
It allows using dnsdist behind a reverse-proxy or any other device offloading TLS.
Should this come with some check(s) that the remote actually offloaded SSL? Or at least support for such thing?
HAProxy supports sending the TLS status within the version 2 header. Apache/nginx can send header(s) that inform about TLS usage. Also, these connections should not be accepted from untrusted IP sources.
I would not require such header nor would I add such restriction.
What I think is more important:
I think we should let the administrator configure the ACL properly, and accept plaintext connections when told to do so.
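The check suggested above (the proxy reports the client's TLS status in a PROXY protocol v2 header, and the plaintext listener only accepts connections from trusted proxies), worked through as an added example. This is illustration code in Python written for this page; it is not part of dnsdist or of this PR, which leaves the decision to the administrator's ACL. The `TRUSTED_PROXIES` network, the endpoint addresses and the sample headers are constructed for the demo; the header layout follows HAProxy's proxy-protocol.txt.

```python
import ipaddress
import struct
from typing import Optional

# PROXY protocol v2 constants, from HAProxy's proxy-protocol.txt
PP2_SIGNATURE = b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a"
PP2_TYPE_SSL = 0x20             # TLV carrying the TLS status of the client connection
PP2_SUBTYPE_SSL_VERSION = 0x21  # sub-TLV with the negotiated TLS version string
PP2_CLIENT_SSL = 0x01           # bit in the client field: the client spoke TLS to the proxy

# Hypothetical ACL (constructed): only the TLS-offloading proxy may reach the plaintext listener
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_pp2(data: bytes) -> dict:
    """Parse a PROXY protocol v2 header for TCP over IPv4/IPv6.

    Returns the original client/server endpoints and whether the proxy reports
    that the client connection was TLS. Raises ValueError on malformed input.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 0x2:
        raise ValueError("not PROXY protocol v2")
    if ver_cmd & 0x0F != 0x1:  # 0x0 is LOCAL (health checks) and carries no client info
        raise ValueError("not a PROXY command")
    body = data[16:16 + length]
    if len(body) != length:
        raise ValueError("truncated header")
    if fam_proto == 0x11:    # TCP over IPv4: 4+4 bytes of addresses, 2+2 bytes of ports
        addr_len, alen = 12, 4
    elif fam_proto == 0x21:  # TCP over IPv6: 16+16 bytes of addresses, 2+2 bytes of ports
        addr_len, alen = 36, 16
    else:
        raise ValueError("unsupported address family or transport")
    if length < addr_len:
        raise ValueError("address block too short")
    src = ipaddress.ip_address(body[0:alen])
    dst = ipaddress.ip_address(body[alen:2 * alen])
    sport, dport = struct.unpack("!HH", body[addr_len - 4:addr_len])
    info = {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "tls": False, "tls_version": None}

    # TLVs follow the address block: 1-byte type, 2-byte big-endian length, value
    pos = addr_len
    while pos + 3 <= len(body):
        tlv_type, tlv_len = body[pos], struct.unpack("!H", body[pos + 1:pos + 3])[0]
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_SSL and len(value) >= 5:
            # Layout: client flags (1 byte), verify result (4 bytes), then sub-TLVs
            info["tls"] = bool(value[0] & PP2_CLIENT_SSL)
            sub = 5
            while sub + 3 <= len(value):
                st, sl = value[sub], struct.unpack("!H", value[sub + 1:sub + 3])[0]
                if st == PP2_SUBTYPE_SSL_VERSION:
                    info["tls_version"] = value[sub + 3:sub + 3 + sl].decode("ascii", "replace")
                sub += 3 + sl
        pos += 3 + tlv_len
    return info


def accept_plaintext_doh(peer: str, data: bytes, trusted=TRUSTED_PROXIES):
    """Gate a connection arriving on the HTTP (no TLS) DoH listener.

    `peer` is the TCP peer, i.e. the proxy itself. The addresses inside the
    PROXY header describe the end client and are whatever the peer chose to
    send, so the ACL is applied to `peer`, never to header fields.
    Returns (accepted, reason).
    """
    if not any(ipaddress.ip_address(peer) in net for net in trusted):
        return False, f"rejected: {peer} is not a trusted proxy"
    try:
        info = parse_pp2(data)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if not info["tls"]:
        return False, f"rejected: proxy reports no TLS for client {info['src']}"
    return True, f"accepted: client {info['src']}:{info['sport']} over {info['tls_version']}"


def build_pp2(src: str, dst: str, sport: int, dport: int,
              tls_version: Optional[str]) -> bytes:
    """Construct a v2 PROXY header (TCP over IPv4) like a TLS-offloading proxy sends.

    Constructed sample data for the demo below (HAProxy emits the SSL TLV when
    the backend server is configured with send-proxy-v2-ssl).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    if tls_version is not None:
        ver = tls_version.encode("ascii")
        sub = struct.pack("!BH", PP2_SUBTYPE_SSL_VERSION, len(ver)) + ver
        ssl = struct.pack("!BI", PP2_CLIENT_SSL, 0) + sub  # client flags, verify=0 (ok)
        body += struct.pack("!BH", PP2_TYPE_SSL, len(ssl)) + ssl
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


if __name__ == "__main__":
    tls_hdr = build_pp2("198.51.100.7", "10.0.0.5", 40000, 443, "TLSv1.3")
    plain_hdr = build_pp2("198.51.100.7", "10.0.0.5", 40001, 80, None)
    for peer, hdr in [("192.0.2.10", tls_hdr), ("192.0.2.10", plain_hdr),
                      ("203.0.113.9", tls_hdr), ("192.0.2.10", b"GET / HTTP/1.1\r\n")]:
        print(peer, accept_plaintext_doh(peer, hdr)[1])
```

The ACL is checked against the TCP peer before the header is even parsed, because anything inside the header is only as trustworthy as the peer that sent it. In dnsdist itself that part is what the reply above describes: restricting the listener to the proxy's addresses with setACL/addACL rather than trusting a header.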
I currently suspect an error in the DoH (HTTPS) configuration.
DNS over HTTPS with haproxy works.
DNS over HTTP (HTTPS with haproxy): the following two lines do not work.
The documentation says "If no certificate (or key) files are specified, listen for incoming DNS over HTTP connections instead."
But how do I define "no certificate"?
However, if I only use addDOHLocal("0.0.0.0:80"),