daxi20/AdGuardHome
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

home: refactor override

Browse Source
This commit is contained in:
Ainar Garipov
2022-10-14 20:14:07 +03:00
parent a736f67205
commit 5ae826d8a9
4 changed files with 47 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
internal/dnsforward/config.go
View File

@@ -12,7 +12,6 @@ import (
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
"github.com/AdguardTeam/AdGuardHome/internal/filtering"
"github.com/AdguardTeam/dnsproxy/proxy"
"github.com/AdguardTeam/dnsproxy/upstream"
@@ -166,10 +165,9 @@ type TLSConfig struct {
// DNS names from certificate (SAN) or CN value from Subject
dnsNames []string
// OverrideTLSCiphers holds the cipher names. If the slice is empty
// default set of ciphers are used for https listener, else this is
// considered.
OverrideTLSCiphers []string `yaml:"override_tls_ciphers" json:"-"`
// OverrideTLSCiphers, when set, contains the names of the cipher suites to
// use. If the slice is empty, the default safe suites are used.
OverrideTLSCiphers []string `yaml:"override_tls_ciphers,omitempty" json:"-"`
}
// DNSCryptConfig is the DNSCrypt server configuration struct.
@@ -198,7 +196,9 @@ type ServerConfig struct {
UpstreamTimeout time.Duration
TLSv12Roots *x509.CertPool // list of root CAs for TLSv1.2
TLSCiphers []uint16 // list of TLS ciphers to use
// TLSCiphers are the IDs of TLS cipher suites to use.
TLSCiphers []uint16
// Called when the configuration is changed by HTTP request
ConfigModified func()
@@ -353,17 +353,13 @@ func UpstreamHTTPVersions(http3 bool) (v []upstream.HTTPVersion) {
// prepareUpstreamSettings - prepares upstream DNS server settings
func (s *Server) prepareUpstreamSettings() error {
// We're setting a customized set of RootCAs
// The reason is that Go default mechanism of loading TLS roots
// does not always work properly on some routers so we're
// loading roots manually and pass it here.
// See "util.LoadSystemRootCAs"
// We're setting a customized set of RootCAs. The reason is that Go default
// mechanism of loading TLS roots does not always work properly on some
// routers so we're loading roots manually and pass it here.
//
// See [aghtls.SystemRootCAs].
upstream.RootCAs = s.conf.TLSv12Roots
// See util.InitTLSCiphers -- removed unsafe ciphers
if len(s.conf.TLSCiphers) > 0 {
upstream.CipherSuites = s.conf.TLSCiphers
}
upstream.CipherSuites = s.conf.TLSCiphers
// Load upstreams either from the file, or from the settings
var upstreams []string
@@ -499,7 +495,7 @@ func (s *Server) prepareTLS(proxyConfig *proxy.Config) error {
proxyConfig.TLSConfig = &tls.Config{
GetCertificate: s.onGetCertificate,
CipherSuites: aghtls.SaferCipherSuites(),
CipherSuites: s.conf.TLSCiphers,
MinVersion: tls.VersionTLS12,
}