improving nginx config for doh reverse proxy

bepass-org · Nov 24, 2023 · 8c485a4 · 8c485a4
1 parent cce4092
commit 8c485a4
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 40 deletions.
diff --git a/main.go b/main.go
@@ -71,46 +71,55 @@ func processDNSQuery(query []byte) ([]byte, error) {
 
 	domain := msg.Question[0].Name
 	if ip, ok := findValueByKeyContains(config.Domains, domain); ok {
-		rr, err := dns.NewRR(domain + " A " + ip)
-		if err != nil {
-			return nil, err
+		hdr := dns.RR_Header{
+			Name:   domain,
+			Rrtype: dns.TypeA,
+			Class:  dns.ClassINET,
+			Ttl:    3600, // example TTL
 		}
-		msg.Answer = append(msg.Answer, rr)
-	} else {
-		resp, err := http.Post("https://1.1.1.1/dns-query", "application/dns-message", bytes.NewReader(query))
-		if err != nil {
-			return nil, err
+		rr := &dns.A{
+			Hdr: hdr,
+			A:   net.ParseIP(ip),
+		}
+		if rr.A == nil {
+			return nil, fmt.Errorf("invalid IP address")
 		}
-		defer resp.Body.Close()
+		msg.Answer = append(msg.Answer, rr)
+		msg.SetReply(&msg) // Set appropriate flags and sections
+		return msg.Pack()
+	}
 
-		// Use a fixed-size buffer from the pool for the initial read
-		buffer := BufferPool.Get().([]byte)
-		defer BufferPool.Put(buffer)
+	resp, err := http.Post("https://1.1.1.1/dns-query", "application/dns-message", bytes.NewReader(query))
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
 
-		// Read the initial chunk of the response
-		n, err := resp.Body.Read(buffer)
-		if err != nil && err != io.EOF {
-			return nil, err
-		}
+	// Use a fixed-size buffer from the pool for the initial read
+	buffer := BufferPool.Get().([]byte)
+	defer BufferPool.Put(buffer)
 
-		// If the buffer was large enough to hold the entire response, return it
-		if n < len(buffer) {
-			return buffer[:n], nil
-		}
+	// Read the initial chunk of the response
+	n, err := resp.Body.Read(buffer)
+	if err != nil && err != io.EOF {
+		return nil, err
+	}
 
-		// If the response is larger than our buffer, we need to read the rest
-		// and append to a dynamically-sized buffer
-		var dynamicBuffer bytes.Buffer
-		dynamicBuffer.Write(buffer[:n])
-		_, err = dynamicBuffer.ReadFrom(resp.Body)
-		if err != nil {
-			return nil, err
-		}
+	// If the buffer was large enough to hold the entire response, return it
+	if n < len(buffer) {
+		return buffer[:n], nil
+	}
 
-		return dynamicBuffer.Bytes(), nil
+	// If the response is larger than our buffer, we need to read the rest
+	// and append to a dynamically-sized buffer
+	var dynamicBuffer bytes.Buffer
+	dynamicBuffer.Write(buffer[:n])
+	_, err = dynamicBuffer.ReadFrom(resp.Body)
+	if err != nil {
+		return nil, err
 	}
 
-	return msg.Pack()
+	return dynamicBuffer.Bytes(), nil
 }
 
 // handleDoTConnection handles a single DoT connection.

diff --git a/nginx.conf b/nginx.conf
@@ -1,22 +1,27 @@
+upstream dohloop {
+    zone dohloop 64k;
+    server 127.0.0.1:8080;
+}
+
 server {
     server_name _;
 
-    location / {
+    proxy_cache_methods GET POST;
 
-      proxy_set_header        Host $host;
-      proxy_set_header        X-Real-IP $remote_addr;
-      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header        X-Forwarded-Proto $scheme;
+    location /dns-query {
+        proxy_pass http://dohloop;
+        proxy_http_version 1.0;
+    }
 
-      proxy_pass          http://127.0.0.1:8080;
+    location / {
+      return 404 "404 Not Found\n";
     }
 
-    listen 8443 ssl; # managed by Certbot
+    listen 8443 ssl http2; # managed by Certbot
     ssl_certificate /etc/letsencrypt/live/<YOUR_HOST>/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/<YOUR_HOST>/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
 }
 
 
@@ -34,7 +39,8 @@ server {
       proxy_set_header        X-Real-IP $remote_addr;
       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header        X-Forwarded-Proto $scheme;
-
+      proxy_buffering         off;
+      proxy_request_buffering off;
       proxy_pass          http://$host:80;
     }
 }