Merge branch 'master' into 4926-scroll

Updates #4926

Squashed commit of the following:

commit 23a352d214
Merge: 44c64893 8e89cc12
Author: Ildar Kamalov <ik@adguard.com>
Date:   Mon Sep 19 19:35:48 2022 +0300

    Merge branch 'master' into 4926-scroll

commit 44c64893bb
Author: Ildar Kamalov <ik@adguard.com>
Date:   Mon Sep 19 19:34:54 2022 +0300

    fix

commit 3f8f8c7253
Author: Ildar Kamalov <ik@adguard.com>
Date:   Mon Sep 19 19:30:59 2022 +0300

    client: fix tabs scroll on mobile

.github/stale.yml

@@ -4,17 +4,15 @@
 'daysUntilClose': 15
 # Issues with these labels will never be considered stale.
 'exemptLabels':
-  - 'bug'
-  - 'documentation'
-  - 'enhancement'
-  - 'feature request'
-  - 'help wanted'
-  - 'localization'
-  - 'needs investigation'
-  - 'recurrent'
-  - 'research'
-# Set to true to ignore issues in a milestone.
-'exemptMilestones': true
+- 'bug'
+- 'documentation'
+- 'enhancement'
+- 'feature request'
+- 'help wanted'
+- 'localization'
+- 'needs investigation'
+- 'recurrent'
+- 'research'
 # Label to use when marking an issue as stale.
 'staleLabel': 'wontfix'
 # Comment to post when marking an issue as stale. Set to `false` to disable.
@@ -24,5 +22,3 @@
   for your contributions.
 # Comment to post when closing a stale issue. Set to `false` to disable.
 'closeComment': false
-# Limit the number of actions per hour.
-'limitPerRun': 1

CHANGELOG.md

@@ -12,62 +12,11 @@ and this project adheres to
 ## [Unreleased]
 
 <!--
-## [v0.108.0] - TBA (APPROX.)
+## [v0.108.0] - 2022-12-01 (APPROX.)
 -->
 
-
-
-<!--
-## [v0.107.15] - 2022-10-26 (APPROX.)
-
-See also the [v0.107.15 GitHub milestone][ms-v0.107.15].
-
-[ms-v0.107.15]:   https://github.com/AdguardTeam/AdGuardHome/milestone/51?closed=1
--->
-
-
-
-## [v0.107.14] - 2022-09-29
-
-See also the [v0.107.14 GitHub milestone][ms-v0.107.14].
-
 ### Security
 
-A Cross-Site Request Forgery (CSRF) vulnerability has been discovered.  The CVE
-number is to be assigned.  We thank Daniel Elkabes from Mend.io for reporting
-this vulnerability to us.
-
-#### `SameSite` Policy
-
-The `SameSite` policy on the AdGuard Home session cookies is now set to `Lax`.
-Which means that the only cross-site HTTP request for which the browser is
-allowed to send the session cookie is navigating to the AdGuard Home domain.
-
-**Users are strongly advised to log out, clear browser cache, and log in again
-after updating.**
-
-#### Removal Of Plain-Text APIs (BREAKING API CHANGE)
-
-We have implemented several measures to prevent such vulnerabilities in the
-future, but some of these measures break backwards compatibility for the sake of
-better protection.
-
-The following APIs, which previously accepted or returned `text/plain` data,
-now accept or return data as JSON.  All new formats for the request and response
-bodies are documented in `openapi/openapi.yaml` and `openapi/CHANGELOG.md`.
-
-- `GET  /control/i18n/current_language`;
-- `POST /control/dhcp/find_active_dhcp`;
-- `POST /control/filtering/set_rules`;
-- `POST /control/i18n/change_language`.
-
-#### Stricter Content-Type Checks (BREAKING API CHANGE)
-
-All JSON APIs now check if the request actually has the `application/json`
-content-type.
-
-#### Other Security Changes
-
 - Weaker cipher suites that use the CBC (cipher block chaining) mode of
   operation have been disabled ([#2993]).
 
@@ -76,15 +25,19 @@ content-type.
 - Support for plain (unencrypted) HTTP/2 ([#4930]).  This is useful for AdGuard
   Home installations behind a reverse proxy.
 
-### Fixed
-
-- Incorrect path template in DDR responses ([#4927]).
-
 [#2993]: https://github.com/AdguardTeam/AdGuardHome/issues/2993
-[#4927]: https://github.com/AdguardTeam/AdGuardHome/issues/4927
 [#4930]: https://github.com/AdguardTeam/AdGuardHome/issues/4930
 
+
+
+
+<!--
+## [v0.107.14] - 2022-10-05 (APPROX.)
+
+See also the [v0.107.14 GitHub milestone][ms-v0.107.14].
+
 [ms-v0.107.14]:   https://github.com/AdguardTeam/AdGuardHome/milestone/50?closed=1
+-->
 
 
 
@@ -1283,12 +1236,11 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
 
 
 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.15...HEAD
-[v0.107.15]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.14...v0.107.15
--->
-
 [Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.14...HEAD
 [v0.107.14]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.13...v0.107.14
+-->
+
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.13...HEAD
 [v0.107.13]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.12...v0.107.13
 [v0.107.12]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.11...v0.107.12
 [v0.107.11]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.10...v0.107.11

Makefile

@@ -34,6 +34,8 @@ YARN_INSTALL_FLAGS = $(YARN_FLAGS) --network-timeout 120000 --silent\
 	--ignore-engines --ignore-optional --ignore-platform\
 	--ignore-scripts
 
+V1API = 0
+
 # Macros for the build-release target.  If FRONTEND_PREBUILT is 0, the
 # default, the macro $(BUILD_RELEASE_DEPS_$(FRONTEND_PREBUILT)) expands
 # into BUILD_RELEASE_DEPS_0, and so both frontend and backend
@@ -61,6 +63,7 @@ ENV = env\
 	PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\
 	RACE='$(RACE)'\
 	SIGN='$(SIGN)'\
+	V1API='$(V1API)'\
 	VERBOSE='$(VERBOSE)'\
 	VERSION='$(VERSION)'\
 

SECURITY.md

@@ -1,18 +0,0 @@
- #  Security Policy
-
-## Reporting a Vulnerability
-
-Please send your vulnerability reports to <security@adguard.com>.  To make sure
-that your report reaches us, please:
-
-1.  Include the words “AdGuard Home” and “vulnerability” to the subject line as
-    well as a short description of the vulnerability.  For example:
-
-     >  AdGuard Home API vulnerability: possible XSS attack
-
-2.  Make sure that the message body contains a clear description of the
-    vulnerability.
-
-If you have not received a reply to your email within 7 days, please make sure
-to follow up with us again at <security@adguard.com>.  Once again, make sure
-that the word “vulnerability” is in the subject line.

client/src/__locales/be.json

@@ -635,6 +635,5 @@
     "parental_control": "Бацькоўскі кантроль",
     "safe_browsing": "Бяспечны інтэрнэт",
     "served_from_cache": "{{value}} <i>(атрымана з кэша)</i>",
-    "form_error_password_length": "Пароль павінен быць не менш за {{value}} сімвалаў",
-    "anonymizer_notification": "<0>Заўвага:</0> Ананімізацыя IP уключана. Вы можаце адключыць яго ў <1>Агульных наладах</1> ."
+    "form_error_password_length": "Пароль павінен быць не менш за {{value}} сімвалаў"
 }

client/src/__locales/cs.json

@@ -635,6 +635,5 @@
     "parental_control": "Rodičovská ochrana",
     "safe_browsing": "Bezpečné prohlížení",
     "served_from_cache": "{{value}} <i>(převzato z mezipaměti)</i>",
-    "form_error_password_length": "Heslo musí být alespoň {{value}} znaků dlouhé",
-    "anonymizer_notification": "<0>Poznámka:</0> Anonymizace IP je zapnuta. Můžete ji vypnout v <1>Obecných nastaveních</1>."
+    "form_error_password_length": "Heslo musí být alespoň {{value}} znaků dlouhé"
 }

client/src/__locales/da.json

@@ -635,6 +635,5 @@
     "parental_control": "Forældrekontrol",
     "safe_browsing": "Sikker Browsing",
     "served_from_cache": "{{value}} <i>(leveret fra cache)</i>",
-    "form_error_password_length": "Adgangskoden skal udgøre mindst {{value}} tegn.",
-    "anonymizer_notification": "<0>Bemærk:</0> IP-anonymisering er aktiveret. Det kan deaktiveres via <1>Generelle indstillinger</1>."
+    "form_error_password_length": "Adgangskoden skal udgøre mindst {{value}} tegn."
 }

client/src/__locales/de.json

@@ -635,6 +635,5 @@
     "parental_control": "Kindersicherung",
     "safe_browsing": "Internetsicherheit",
     "served_from_cache": "{{value}} <i>(aus dem Cache abgerufen)</i>",
-    "form_error_password_length": "Das Passwort muss mindestens {{value}} Zeichen enthalten",
-    "anonymizer_notification": "<0>Hinweis:</0> Die IP-Anonymisierung ist aktiviert. Sie können sie in den <1>Allgemeinen Einstellungen</1> deaktivieren."
+    "form_error_password_length": "Das Passwort muss mindestens {{value}} Zeichen enthalten"
 }

client/src/__locales/es.json

@@ -635,6 +635,5 @@
     "parental_control": "Control parental",
     "safe_browsing": "Navegación segura",
     "served_from_cache": "{{value}} <i>(servido desde la caché)</i>",
-    "form_error_password_length": "La contraseña debe tener al menos {{value}} caracteres",
-    "anonymizer_notification": "<0>Nota:</0> La anonimización de IP está habilitada. Puedes deshabilitarla en <1>Configuración general</1>."
+    "form_error_password_length": "La contraseña debe tener al menos {{value}} caracteres"
 }

client/src/__locales/fi.json

@@ -635,6 +635,5 @@
     "parental_control": "Lapsilukko",
     "safe_browsing": "Turvallinen selaus",
     "served_from_cache": "{{value}} <i>(jaettu välimuistista)</i>",
-    "form_error_password_length": "Salasanan on oltava ainakin {{value}} merkkiä",
-    "anonymizer_notification": "<0>Huomioi:</0> IP-osoitteen anonymisointi on käytössä. Voit poistaa sen käytöstä <1>Yleisistä asetuksista</1>."
+    "form_error_password_length": "Salasanan on oltava ainakin {{value}} merkkiä"
 }

client/src/__locales/fr.json

@@ -635,6 +635,5 @@
     "parental_control": "Contrôle parental",
     "safe_browsing": "Navigation sécurisée",
     "served_from_cache": "{{value}} <i>(depuis le cache)</i>",
-    "form_error_password_length": "Le mot de passe doit comporter au moins {{value}} caractères",
-    "anonymizer_notification": "<0>Note :</0> L'anonymisation IP est activée. Vous pouvez la désactiver dans les <1>paramètres généraux</1>."
+    "form_error_password_length": "Le mot de passe doit comporter au moins {{value}} caractères"
 }

client/src/__locales/hr.json

@@ -635,6 +635,5 @@
     "parental_control": "Roditeljska zaštita",
     "safe_browsing": "Sigurno surfanje",
     "served_from_cache": "{{value}} <i>(dohvaćeno iz predmemorije)</i>",
-    "form_error_password_length": "Lozinka mora imati najmanje {{value}} znakova",
-    "anonymizer_notification": "<0>Napomena:</0>IP anonimizacija je omogućena. Možete ju onemogućiti u <1>općim postavkama</1>."
+    "form_error_password_length": "Lozinka mora imati najmanje {{value}} znakova"
 }

client/src/__locales/hu.json

@@ -635,6 +635,5 @@
     "parental_control": "Szülői felügyelet",
     "safe_browsing": "Biztonságos böngészés",
     "served_from_cache": "{{value}} <i>(gyorsítótárból kiszolgálva)</i>",
-    "form_error_password_length": "A jelszó legalább {{value}} karakter hosszú kell, hogy legyen",
-    "anonymizer_notification": "<0>Megjegyzés:</0> Az IP anonimizálás engedélyezve van. Az <1>Általános beállításoknál letilthatja</1> ."
+    "form_error_password_length": "A jelszó legalább {{value}} karakter hosszú kell, hogy legyen"
 }

client/src/__locales/id.json

@@ -635,6 +635,5 @@
     "parental_control": "Kontrol Orang Tua",
     "safe_browsing": "Penjelajahan Aman",
     "served_from_cache": "{{value}} <i>(disajikan dari cache)</i>",
-    "form_error_password_length": "Kata sandi harus minimal {{value}} karakter",
-    "anonymizer_notification": "<0>Catatan:</0> Anonimisasi IP diaktifkan. Anda dapat menonaktifkannya di <1>Pengaturan umum</1> ."
+    "form_error_password_length": "Kata sandi harus minimal {{value}} karakter"
 }

client/src/__locales/it.json

@@ -635,6 +635,5 @@
     "parental_control": "Controllo Parentale",
     "safe_browsing": "Navigazione Sicura",
     "served_from_cache": "{{value}} <i>(fornito dalla cache)</i>",
-    "form_error_password_length": "La password deve contenere almeno {{value}} caratteri",
-    "anonymizer_notification": "<0>Attenzione:</0> L'anonimizzazione dell'IP è abilitata. Puoi disabilitarla in <1>Impostazioni generali</1>."
+    "form_error_password_length": "La password deve contenere almeno {{value}} caratteri"
 }

client/src/__locales/ja.json

@@ -635,6 +635,5 @@
     "parental_control": "ペアレンタルコントロール",
     "safe_browsing": "セーフブラウジング",
     "served_from_cache": "{{value}} <i>(キャッシュから応答)</i>",
-    "form_error_password_length": "パスワードは{{value}}文字以上にしてください",
-    "anonymizer_notification": "【<0>注意</0>】IPの匿名化が有効になっています。 <1>一般設定</1>で無効にできます。"
+    "form_error_password_length": "パスワードは{{value}}文字以上にしてください"
 }

client/src/__locales/ko.json

@@ -635,6 +635,5 @@
     "parental_control": "자녀 보호",
     "safe_browsing": "세이프 브라우징",
     "served_from_cache": "{{value}} <i>(캐시에서 제공)</i>",
-    "form_error_password_length": "비밀번호는 {{value}}자 이상이어야 합니다",
-    "anonymizer_notification": "<0>참고:</0> IP 익명화가 활성화되었습니다. <1>일반 설정</1>에서 비활성화할 수 있습니다."
+    "form_error_password_length": "비밀번호는 {{value}}자 이상이어야 합니다"
 }

client/src/__locales/nl.json

@@ -557,7 +557,7 @@
     "fastest_addr_desc": "Alle DNS-servers bevragen en het snelste IP adres terugkoppelen. Dit zal de DNS verzoeken vertragen omdat AdGuard Home moet wachten op de antwoorden van alles DNS-servers, maar verbetert wel de connectiviteit.",
     "autofix_warning_text": "Als je op \"Repareren\" klikt, configureert AdGuard Home jouw systeem om de AdGuard Home DNS-server te gebruiken.",
     "autofix_warning_list": "De volgende taken worden uitgevoerd: <0> Deactiveren van Systeem DNSStubListener</0> <0> DNS-serveradres instellen op 127.0.0.1 </0> <0> Symbolisch koppelingsdoel van /etc/resolv.conf vervangen door /run/systemd/resolve/resolv.conf </0> <0> Stop DNSStubListener (herlaad systemd-resolved service) </0>",
-    "autofix_warning_result": "Als gevolg hiervan worden alle DNS-aanvragen van je systeem standaard door AdGuard Home verwerkt.",
+    "autofix_warning_result": "Als gevolg hiervan worden alle DNS-verzoeken van je systeem standaard door AdGuard Home verwerkt.",
     "tags_title": "Labels",
     "tags_desc": "Je kunt labels selecteren die overeenkomen met de client. Labels kunnen worden opgenomen in de filterregels om ze \n nauwkeuriger toe te passen. <0>Meer informatie</0>.",
     "form_select_tags": "Client tags selecteren",
@@ -628,13 +628,12 @@
     "original_response": "Oorspronkelijke reactie",
     "click_to_view_queries": "Klik om queries te bekijken",
     "port_53_faq_link": "Poort 53 wordt vaak gebruikt door services als DNSStubListener- of de systeem DNS-resolver. Lees a.u.b. <0>deze instructie</0> hoe dit is op te lossen.",
-    "adg_will_drop_dns_queries": "AdGuard Home zal alle DNS-aanvragen van deze cliënt laten vervallen.",
+    "adg_will_drop_dns_queries": "AdGuard Home zal alle DNS-verzoeken van deze cliënt laten vervallen.",
     "filter_allowlist": "WAARSCHUWING: Deze actie zal ook de regel \"{{disallowed_rule}}\" uitsluiten van de lijst met toegestane clients.",
     "last_rule_in_allowlist": "Kan deze client niet weigeren omdat het uitsluiten van de regel \"{{disallowed_rule}}\" de lijst \"Toegestane clients\" zal UITSCHAKELEN.",
     "use_saved_key": "De eerder opgeslagen sleutel gebruiken",
     "parental_control": "Ouderlijk toezicht",
     "safe_browsing": "Veilig browsen",
     "served_from_cache": "{{value}} <i>(geleverd vanuit cache)</i>",
-    "form_error_password_length": "Wachtwoord moet minimaal {{value}} tekens lang zijn",
-    "anonymizer_notification": "<0>Opmerking:</0> IP-anonimisering is ingeschakeld. Je kunt het uitschakelen in <1>Algemene instellingen</1>."
+    "form_error_password_length": "Wachtwoord moet minimaal {{value}} tekens lang zijn"
 }

client/src/__locales/pl.json

@@ -635,6 +635,5 @@
     "parental_control": "Kontrola rodzicielska",
     "safe_browsing": "Bezpieczne przeglądanie",
     "served_from_cache": "{{value}} <i>(podawane z pamięci podręcznej)</i>",
-    "form_error_password_length": "Hasło musi mieć co najmniej {{value}} znaków",
-    "anonymizer_notification": "<0>Uwaga:</0> Anonimizacja IP jest włączona. Możesz ją wyłączyć w <1>Ustawieniach ogólnych</1>."
+    "form_error_password_length": "Hasło musi mieć co najmniej {{value}} znaków"
 }

client/src/__locales/pt-br.json

@@ -635,6 +635,5 @@
     "parental_control": "Controle parental",
     "safe_browsing": "Navegação segura",
     "served_from_cache": "{{value}} <i>(servido do cache)</i>",
-    "form_error_password_length": "A senha deve ter pelo menos {{value}} caracteres",
-    "anonymizer_notification": "<0>Observação:</0> A anonimização de IP está ativada. Você pode desativá-lo em <1>Configurações gerais</1>."
+    "form_error_password_length": "A senha deve ter pelo menos {{value}} caracteres"
 }

client/src/__locales/pt-pt.json

@@ -635,6 +635,5 @@
     "parental_control": "Controlo parental",
     "safe_browsing": "Navegação segura",
     "served_from_cache": "{{value}} <i>(servido do cache)</i>",
-    "form_error_password_length": "A palavra-passe deve ter pelo menos {{value}} caracteres",
-    "anonymizer_notification": "<0>Observação:</0> A anonimização de IP está ativada. Você pode desativá-la em <1>Definições gerais</1>."
+    "form_error_password_length": "A palavra-passe deve ter pelo menos {{value}} caracteres"
 }

client/src/__locales/ro.json

@@ -635,6 +635,5 @@
     "parental_control": "Control Parental",
     "safe_browsing": "Navigare în siguranță",
     "served_from_cache": "{{value}} <i>(furnizat din cache)</i>",
-    "form_error_password_length": "Parola trebuie să aibă cel puțin {{value}} caractere",
-    "anonymizer_notification": "<0>Nota:</0> Anonimizarea IP este activată. Puteți să o dezactivați în <1>Setări generale</1>."
+    "form_error_password_length": "Parola trebuie să aibă cel puțin {{value}} caractere"
 }

client/src/__locales/ru.json

@@ -635,6 +635,5 @@
     "parental_control": "Родительский контроль",
     "safe_browsing": "Безопасный интернет",
     "served_from_cache": "{{value}} <i>(получено из кеша)</i>",
-    "form_error_password_length": "Пароль должен быть длиной не меньше {{value}} символов",
-    "anonymizer_notification": "<0>Внимание:</0> включена анонимизация IP-адресов. Вы можете отключить её в разделе <1>Основные настройки</1>."
+    "form_error_password_length": "Пароль должен быть длиной не меньше {{value}} символов"
 }

client/src/__locales/sk.json

@@ -635,6 +635,5 @@
     "parental_control": "Rodičovská kontrola",
     "safe_browsing": "Bezpečné prehliadanie",
     "served_from_cache": "{{value}} <i>(prevzatá z cache pamäte)</i>",
-    "form_error_password_length": "Heslo musí mať dĺžku aspoň {{value}} znakov",
-    "anonymizer_notification": "<0>Poznámka:</0> Anonymizácia IP je zapnutá. Môžete ju vypnúť vo <1>Všeobecných nastaveniach</1>."
+    "form_error_password_length": "Heslo musí mať dĺžku aspoň {{value}} znakov"
 }

client/src/__locales/sl.json

@@ -635,6 +635,5 @@
     "parental_control": "Starševski nadzor",
     "safe_browsing": "Varno brskanje",
     "served_from_cache": "{{value}} <i>(postreženo iz predpomnilnika)</i>",
-    "form_error_password_length": "Geslo mora vsebovati najmanj {{value}} znakov",
-    "anonymizer_notification": "<0>Opomba:</0> Anonimizacija IP je omogočena. Onemogočite ga lahko v <1>Splošnih nastavitvah</1>."
+    "form_error_password_length": "Geslo mora vsebovati najmanj {{value}} znakov"
 }

client/src/__locales/sr-cs.json

@@ -635,6 +635,5 @@
     "parental_control": "Roditeljska kontrola",
     "safe_browsing": "Sigurno pregledanje",
     "served_from_cache": "{{value}} <i>(posluženo iz predmemorije)</i>",
-    "form_error_password_length": "Lozinka mora imati najmanje {{value}} znakova",
-    "anonymizer_notification": "<0>Nota:</0> IP prepoznavanje je omogućeno. Možete ga onemogućiti u opštim <1>postavkama</1>."
+    "form_error_password_length": "Lozinka mora imati najmanje {{value}} znakova"
 }

client/src/__locales/sv.json

@@ -635,6 +635,5 @@
     "parental_control": "Föräldrakontroll",
     "safe_browsing": "Säker surfning",
     "served_from_cache": "{{value}} <i>(levereras från cache)</i>",
-    "form_error_password_length": "Lösenordet måste vara minst {{value}} tecken långt",
-    "anonymizer_notification": "<0>Observera:</0> IP-anonymisering är aktiverad. Du kan inaktivera den i <1>Allmänna inställningar</1>."
+    "form_error_password_length": "Lösenordet måste vara minst {{value}} tecken långt"
 }

client/src/__locales/tr.json

@@ -368,7 +368,7 @@
     "encryption_server_enter": "Alan adınızı girin",
     "encryption_server_desc": "Ayarlanırsa, AdGuard Home ClientID'leri algılar, DDR sorgularına yanıt verir ve ek bağlantı doğrulamaları gerçekleştirir. Ayarlanmazsa, bu özellikler devre dışı bırakılır. Sertifikadaki DNS Adlarından biriyle eşleşmelidir.",
     "encryption_redirect": "Otomatik olarak HTTPS'e yönlendir",
-    "encryption_redirect_desc": "İşaretlenirse, AdGuard Home sizi otomatik olarak HTTP adresinden HTTPS adreslerine yönlendirecektir.",
+    "encryption_redirect_desc": "Etkinleştirirseniz, AdGuard Home sizi HTTP adresi yerine HTTPS adresine yönlendirir.",
     "encryption_https": "HTTPS bağlantı noktası",
     "encryption_https_desc": "HTTPS bağlantı noktası yapılandırılırsa, AdGuard Home yönetici arayüzüne HTTPS aracılığıyla erişilebilir olacak ve ayrıca '/dns-query' üzerinden DNS-over-HTTPS bağlantısı sağlayacaktır.",
     "encryption_dot": "DNS-over-TLS bağlantı noktası",
@@ -408,7 +408,7 @@
     "fix": "Düzelt",
     "dns_providers": "Aralarından seçim yapabileceğiniz, bilinen <0>DNS sağlayıcıların listesi</0>.",
     "update_now": "Şimdi güncelle",
-    "update_failed": "Otomatik güncelleme başarısız oldu. Elle güncellemek için lütfen <a>bu adımları izleyin</a>.",
+    "update_failed": "Otomatik güncelleme başarısız oldu. Elle güncellemek için lütfen <a>bu adımları uygulayın</a>.",
     "manual_update": "Elle güncellemek için lütfen <a>bu adımları uygulayın</a>.",
     "processing_update": "Lütfen bekleyin, AdGuard Home güncelleniyor",
     "clients_title": "Kalıcı istemciler",
@@ -635,6 +635,5 @@
     "parental_control": "Ebeveyn Denetimi",
     "safe_browsing": "Güvenli Gezinti",
     "served_from_cache": "{{value}} <i>(önbellekten kullanıldı)</i>",
-    "form_error_password_length": "Parola en az {{value}} karakter uzunluğunda olmalıdır",
-    "anonymizer_notification": "<0>Not:</0> IP anonimleştirme etkinleştirildi. Bunu <1>Genel ayarlardan</1> devre dışı bırakabilirsiniz."
+    "form_error_password_length": "Parola en az {{value}} karakter uzunluğunda olmalıdır"
 }

client/src/__locales/uk.json

@@ -635,6 +635,5 @@
     "parental_control": "Батьківський контроль",
     "safe_browsing": "Безпечний перегляд",
     "served_from_cache": "{{value}} <i>(отримано з кешу)</i>",
-    "form_error_password_length": "Пароль мусить мати принаймні {{value}} символів",
-    "anonymizer_notification": "<0>Примітка:</0> IP-анонімізацію ввімкнено. Ви можете вимкнути його в <1>Загальні налаштування</1> ."
+    "form_error_password_length": "Пароль мусить мати принаймні {{value}} символів"
 }

client/src/__locales/vi.json

@@ -635,6 +635,5 @@
     "parental_control": "Quản lý của phụ huynh",
     "safe_browsing": "Duyệt web an toàn",
     "served_from_cache": "{{value}} <i>(được phục vụ từ bộ nhớ cache)</i>",
-    "form_error_password_length": "Mật khẩu phải có ít nhất {{value}} ký tự",
-    "anonymizer_notification": "<0> Lưu ý:</0> Tính năng ẩn danh IP được bật. Bạn có thể tắt nó trong <1> Cài đặt chung</1>."
+    "form_error_password_length": "Mật khẩu phải có ít nhất {{value}} ký tự"
 }

client/src/__locales/zh-cn.json

@@ -635,6 +635,5 @@
     "parental_control": "家长控制",
     "safe_browsing": "安全浏览",
     "served_from_cache": "{{value}}<i>(由缓存提供)</i>",
-    "form_error_password_length": "密码必须至少有 {{value}} 个字符",
-    "anonymizer_notification": "<0>注意：</0> IP 匿名化已启用。您可以在<1>常规设置</1>中禁用它。"
+    "form_error_password_length": "密码必须至少有 {{value}} 个字符"
 }

client/src/__locales/zh-tw.json

@@ -635,6 +635,5 @@
     "parental_control": "家長控制",
     "safe_browsing": "安全瀏覽",
     "served_from_cache": "{{value}} <i>(由快取提供)</i>",
-    "form_error_password_length": "密碼必須為至少長 {{value}} 個字元",
-    "anonymizer_notification": "<0>注意：</0>IP 匿名化被啟用。您可在<1>一般設定</1>中禁用它。"
+    "form_error_password_length": "密碼必須為至少長 {{value}} 個字元"
 }

client/src/actions/filtering.js

@@ -31,9 +31,7 @@ export const setRulesSuccess = createAction('SET_RULES_SUCCESS');
 export const setRules = (rules) => async (dispatch) => {
     dispatch(setRulesRequest());
     try {
-        const normalizedRules = {
-            rules: normalizeRulesTextarea(rules)?.split('\n'),
-        };
+        const normalizedRules = normalizeRulesTextarea(rules);
         await apiClient.setRules(normalizedRules);
         dispatch(addSuccessToast('updated_custom_filtering_toast'));
         dispatch(setRulesSuccess());

client/src/actions/index.js

@@ -355,7 +355,7 @@ export const changeLanguageSuccess = createAction('CHANGE_LANGUAGE_SUCCESS');
 export const changeLanguage = (lang) => async (dispatch) => {
     dispatch(changeLanguageRequest());
     try {
-        await apiClient.changeLanguage({ language: lang });
+        await apiClient.changeLanguage(lang);
         dispatch(changeLanguageSuccess());
     } catch (error) {
         dispatch(addErrorToast({ error }));
@@ -370,8 +370,8 @@ export const getLanguageSuccess = createAction('GET_LANGUAGE_SUCCESS');
 export const getLanguage = () => async (dispatch) => {
     dispatch(getLanguageRequest());
     try {
-        const langSettings = await apiClient.getCurrentLanguage();
-        dispatch(getLanguageSuccess(langSettings.language));
+        const language = await apiClient.getCurrentLanguage();
+        dispatch(getLanguageSuccess(language));
     } catch (error) {
         dispatch(addErrorToast({ error }));
         dispatch(getLanguageFailure());
@@ -421,10 +421,7 @@ export const findActiveDhcpFailure = createAction('FIND_ACTIVE_DHCP_FAILURE');
 export const findActiveDhcp = (name) => async (dispatch, getState) => {
     dispatch(findActiveDhcpRequest());
     try {
-        const req = {
-            interface: name,
-        };
-        const activeDhcp = await apiClient.findActiveDhcp(req);
+        const activeDhcp = await apiClient.findActiveDhcp(name);
         dispatch(findActiveDhcpSuccess(activeDhcp));
         const { check, interface_name, interfaces } = getState().dhcp;
         const selectedInterface = getState().form[FORM_NAME.DHCP_INTERFACES].values.interface_name;

client/src/api/Api.js

@@ -130,7 +130,7 @@ class Api {
         const { path, method } = this.FILTERING_SET_RULES;
         const parameters = {
             data: rules,
-            headers: { 'Content-Type': 'application/json' },
+            headers: { 'Content-Type': 'text/plain' },
         };
         return this.makeRequest(path, method, parameters);
     }
@@ -173,7 +173,12 @@ class Api {
 
     enableParentalControl() {
         const { path, method } = this.PARENTAL_ENABLE;
-        return this.makeRequest(path, method);
+        const parameter = 'sensitivity=TEEN'; // this parameter TEEN is hardcoded
+        const config = {
+            data: parameter,
+            headers: { 'Content-Type': 'text/plain' },
+        };
+        return this.makeRequest(path, method, config);
     }
 
     disableParentalControl() {
@@ -235,11 +240,11 @@ class Api {
         return this.makeRequest(path, method);
     }
 
-    changeLanguage(config) {
+    changeLanguage(lang) {
         const { path, method } = this.CHANGE_LANGUAGE;
         const parameters = {
-            data: config,
-            headers: { 'Content-Type': 'application/json' },
+            data: lang,
+            headers: { 'Content-Type': 'text/plain' },
         };
         return this.makeRequest(path, method, parameters);
     }
@@ -280,11 +285,11 @@ class Api {
         return this.makeRequest(path, method, parameters);
     }
 
-    findActiveDhcp(req) {
+    findActiveDhcp(name) {
         const { path, method } = this.DHCP_FIND_ACTIVE;
         const parameters = {
-            data: req,
-            headers: { 'Content-Type': 'application/json' },
+            data: name,
+            headers: { 'Content-Type': 'text/plain' },
         };
         return this.makeRequest(path, method, parameters);
     }

client/src/components/Logs/Cells/ClientCell.js

@@ -62,7 +62,7 @@ const ClientCell = ({
         'white-space--nowrap': isDetailed,
     });
 
-    const hintClass = classNames('icons mr-4 icon--24 logs__question icon--lightgray', {
+    const hintClass = classNames('icons mr-4 icon--24 icon--lightgray', {
         'my-3': isDetailed,
     });
 

client/src/components/Logs/Cells/DomainCell.js

@@ -34,7 +34,7 @@ const DomainCell = ({
         'my-3': isDetailed,
     });
 
-    const privacyIconClass = classNames('icons mx-2 icon--24 d-none d-sm-block logs__question', {
+    const privacyIconClass = classNames('icons mx-2 icon--24 d-none d-sm-block', {
         'icon--green': hasTracker,
         'icon--disabled': !hasTracker,
         'my-3': isDetailed,

client/src/components/Logs/Cells/IconTooltip.css

@@ -49,12 +49,6 @@
     padding-top: 1rem;
 }
 
-@media (max-width: 1024px) {
-    .grid .key-colon, .grid .title--border {
-        font-weight: 600;
-    }
-}
-
 @media (max-width: 767.98px) {
     .grid {
         grid-template-columns: 35% 55%;
@@ -76,6 +70,10 @@
         grid-column: 2 / span 1;
         margin: 0 !important;
     }
+
+    .grid .key-colon, .grid .title--border {
+        font-weight: 600;
+    }
 }
 
 .grid .key-colon:nth-child(odd)::after {

client/src/components/Logs/Cells/ResponseCell.js

@@ -97,7 +97,7 @@ const ResponseCell = ({
     return (
         <div className="logs__cell logs__cell--response" role="gridcell">
             <IconTooltip
-                className={classNames('icons mr-4 icon--24 icon--lightgray logs__question', { 'my-3': isDetailed })}
+                className={classNames('icons mr-4 icon--24 icon--lightgray', { 'my-3': isDetailed })}
                 columnClass='grid grid--limited'
                 tooltipClass='px-5 pb-5 pt-4 mw-75 custom-tooltip__response-details'
                 contentItemClass='text-truncate key-colon o-hidden'

client/src/components/Logs/Logs.css

@@ -485,13 +485,3 @@
 .bg--green {
     color: var(--green79);
 }
-
-@media (max-width: 1024px) {
-    .logs__question {
-        display: none;
-    }
-}
-
-.logs__modal {
-    max-width: 720px;
-}

client/src/components/Logs/index.js

@@ -184,34 +184,27 @@ const Logs = () => {
                 setButtonType={setButtonType}
                 setModalOpened={setModalOpened}
         />
-        <Modal
-            portalClassName='grid'
-            isOpen={isSmallScreen && isModalOpened}
-            onRequestClose={closeModal}
-            style={{
-                content: {
-                    width: '100%',
-                    height: 'fit-content',
-                    left: '50%',
-                    top: 47,
-                    padding: '1rem 1.5rem 1rem',
-                    maxWidth: '720px',
-                    transform: 'translateX(-50%)',
-                },
-                overlay: {
-                    backgroundColor: 'rgba(0,0,0,0.5)',
-                },
-            }}
+        <Modal portalClassName='grid' isOpen={isSmallScreen && isModalOpened}
+               onRequestClose={closeModal}
+               style={{
+                   content: {
+                       width: '100%',
+                       height: 'fit-content',
+                       left: 0,
+                       top: 47,
+                       padding: '1rem 1.5rem 1rem',
+                   },
+                   overlay: {
+                       backgroundColor: 'rgba(0,0,0,0.5)',
+                   },
+               }}
         >
-            <div className="logs__modal-wrap">
-                <svg
-                    className="icon icon--24 icon-cross d-block cursor--pointer"
-                    onClick={closeModal}
-                >
-                    <use xlinkHref="#cross" />
-                </svg>
-                {processContent(detailedDataCurrent, buttonType)}
-            </div>
+            <svg
+                    className="icon icon--24 icon-cross d-block d-md-none cursor--pointer"
+                    onClick={closeModal}>
+                <use xlinkHref="#cross" />
+            </svg>
+            {processContent(detailedDataCurrent, buttonType)}
         </Modal>
     </>;
 

internal/aghhttp/aghhttp.go

@@ -2,21 +2,13 @@
 package aghhttp
 
 import (
-	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 
-	"github.com/AdguardTeam/AdGuardHome/internal/version"
 	"github.com/AdguardTeam/golibs/log"
 )
 
-// HTTP scheme constants.
-const (
-	SchemeHTTP  = "http"
-	SchemeHTTPS = "https"
-)
-
 // RegisterFunc is the function that sets the handler to handle the URL for the
 // method.
 //
@@ -36,40 +28,3 @@ func Error(r *http.Request, w http.ResponseWriter, code int, format string, args
 	log.Error("%s %s: %s", r.Method, r.URL, text)
 	http.Error(w, text, code)
 }
-
-// UserAgent returns the ID of the service as a User-Agent string.  It can also
-// be used as the value of the Server HTTP header.
-func UserAgent() (ua string) {
-	return fmt.Sprintf("AdGuardHome/%s", version.Version())
-}
-
-// textPlainDeprMsg is the message returned to API users when they try to use
-// an API that used to accept "text/plain" but doesn't anymore.
-const textPlainDeprMsg = `using this api with the text/plain content-type is deprecated; ` +
-	`use application/json`
-
-// WriteTextPlainDeprecated responds to the request with a message about
-// deprecation and removal of a plain-text API if the request is made with the
-// "text/plain" content-type.
-func WriteTextPlainDeprecated(w http.ResponseWriter, r *http.Request) (isPlainText bool) {
-	if r.Header.Get(HdrNameContentType) != HdrValTextPlain {
-		return false
-	}
-
-	Error(r, w, http.StatusUnsupportedMediaType, textPlainDeprMsg)
-
-	return true
-}
-
-// WriteJSONResponse sets the content-type header in w.Header() to
-// "application/json", encodes resp to w, calls Error on any returned error, and
-// returns it as well.
-func WriteJSONResponse(w http.ResponseWriter, r *http.Request, resp any) (err error) {
-	w.Header().Set(HdrNameContentType, HdrValApplicationJSON)
-	err = json.NewEncoder(w).Encode(resp)
-	if err != nil {
-		Error(r, w, http.StatusInternalServerError, "encoding resp: %s", err)
-	}
-
-	return err
-}

internal/aghhttp/header.go

@@ -1,22 +0,0 @@
-package aghhttp
-
-// HTTP Headers
-
-// HTTP header name constants.
-//
-// TODO(a.garipov): Remove unused.
-const (
-	HdrNameAcceptEncoding           = "Accept-Encoding"
-	HdrNameAccessControlAllowOrigin = "Access-Control-Allow-Origin"
-	HdrNameContentType              = "Content-Type"
-	HdrNameContentEncoding          = "Content-Encoding"
-	HdrNameServer                   = "Server"
-	HdrNameTrailer                  = "Trailer"
-	HdrNameUserAgent                = "User-Agent"
-)
-
-// HTTP header value constants.
-const (
-	HdrValApplicationJSON = "application/json"
-	HdrValTextPlain       = "text/plain"
-)

internal/aghnet/ipset_linux.go

@@ -18,18 +18,27 @@ import (
 
 // How to test on a real Linux machine:
 //
-//  1. Run "sudo ipset create example_set hash:ip family ipv4".
+// 1.  Run:
 //
-//  2. Run "sudo ipset list example_set".  The Members field should be empty.
+//   sudo ipset create example_set hash:ip family ipv4
 //
-//  3. Add the line "example.com/example_set" to your AdGuardHome.yaml.
+// 2.  Run:
 //
-//  4. Start AdGuardHome.
+//   sudo ipset list example_set
 //
-//  5. Make requests to example.com and its subdomains.
+// The Members field should be empty.
 //
-//  6. Run "sudo ipset list example_set".  The Members field should contain the
-//     resolved IP addresses.
+// 3.  Add the line "example.com/example_set" to your AdGuardHome.yaml.
+//
+// 4.  Start AdGuardHome.
+//
+// 5.  Make requests to example.com and its subdomains.
+//
+// 6.  Run:
+//
+//   sudo ipset list example_set
+//
+// The Members field should contain the resolved IP addresses.
 
 // newIpsetMgr returns a new Linux ipset manager.
 func newIpsetMgr(ipsetConf []string) (set IpsetManager, err error) {

internal/dhcpd/http_unix.go

@@ -5,9 +5,11 @@ package dhcpd
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
 	"os"
+	"strings"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
@@ -408,37 +410,31 @@ type dhcpSearchResult struct {
 	V6 dhcpSearchV6Result `json:"v6"`
 }
 
-// findActiveServerReq is the JSON structure for the request to find active DHCP
-// servers.
-type findActiveServerReq struct {
-	Interface string `json:"interface"`
-}
-
-// handleDHCPFindActiveServer performs the following tasks:
-//  1. searches for another DHCP server in the network;
-//  2. check if a static IP is configured for the network interface;
-//  3. responds with the results.
+// Perform the following tasks:
+// . Search for another DHCP server running
+// . Check if a static IP is configured for the network interface
+// Respond with results
 func (s *server) handleDHCPFindActiveServer(w http.ResponseWriter, r *http.Request) {
-	if aghhttp.WriteTextPlainDeprecated(w, r) {
-		return
-	}
-
-	req := &findActiveServerReq{}
-	err := json.NewDecoder(r.Body).Decode(req)
+	// This use of ReadAll is safe, because request's body is now limited.
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "reading req: %s", err)
+		msg := fmt.Sprintf("failed to read request body: %s", err)
+		log.Error(msg)
+		http.Error(w, msg, http.StatusBadRequest)
 
 		return
 	}
 
-	ifaceName := req.Interface
+	ifaceName := strings.TrimSpace(string(body))
 	if ifaceName == "" {
-		aghhttp.Error(r, w, http.StatusBadRequest, "empty interface name")
+		msg := "empty interface name specified"
+		log.Error(msg)
+		http.Error(w, msg, http.StatusBadRequest)
 
 		return
 	}
 
-	result := &dhcpSearchResult{
+	result := dhcpSearchResult{
 		V4: dhcpSearchV4Result{
 			OtherServer: dhcpSearchOtherResult{
 				Found: "no",
@@ -463,14 +459,6 @@ func (s *server) handleDHCPFindActiveServer(w http.ResponseWriter, r *http.Reque
 		result.V4.StaticIP.IP = aghnet.GetSubnet(ifaceName).String()
 	}
 
-	setOtherDHCPResult(ifaceName, result)
-
-	_ = aghhttp.WriteJSONResponse(w, r, result)
-}
-
-// setOtherDHCPResult sets the results of the check for another DHCP server in
-// result.
-func setOtherDHCPResult(ifaceName string, result *dhcpSearchResult) {
 	found4, found6, err4, err6 := aghnet.CheckOtherDHCP(ifaceName)
 	if err4 != nil {
 		result.V4.OtherServer.Found = "error"
@@ -478,13 +466,24 @@ func setOtherDHCPResult(ifaceName string, result *dhcpSearchResult) {
 	} else if found4 {
 		result.V4.OtherServer.Found = "yes"
 	}
-
 	if err6 != nil {
 		result.V6.OtherServer.Found = "error"
 		result.V6.OtherServer.Error = err6.Error()
 	} else if found6 {
 		result.V6.OtherServer.Found = "yes"
 	}
+
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(result)
+	if err != nil {
+		aghhttp.Error(
+			r,
+			w,
+			http.StatusInternalServerError,
+			"Failed to marshal DHCP found json: %s",
+			err,
+		)
+	}
 }
 
 func (s *server) handleDHCPAddStaticLease(w http.ResponseWriter, r *http.Request) {

internal/dnsforward/dns.go

@@ -296,7 +296,7 @@ func (s *Server) makeDDRResponse(req *dns.Msg) (resp *dns.Msg) {
 		values := []dns.SVCBKeyValue{
 			&dns.SVCBAlpn{Alpn: []string{"h2"}},
 			&dns.SVCBPort{Port: uint16(addr.Port)},
-			&dns.SVCBDoHPath{Template: "/dns-query{?dns}"},
+			&dns.SVCBDoHPath{Template: "/dns-query?dns"},
 		}
 
 		ans := &dns.SVCB{

internal/dnsforward/dns_test.go

@@ -26,7 +26,7 @@ func TestServer_ProcessDDRQuery(t *testing.T) {
 		Value: []dns.SVCBKeyValue{
 			&dns.SVCBAlpn{Alpn: []string{"h2"}},
 			&dns.SVCBPort{Port: 8044},
-			&dns.SVCBDoHPath{Template: "/dns-query{?dns}"},
+			&dns.SVCBDoHPath{Template: "/dns-query?dns"},
 		},
 	}
 

internal/dnsforward/dnsforward_test.go

@@ -67,11 +67,10 @@ func createTestServer(
 		ID: 0, Data: []byte(rules),
 	}}
 
-	f, err := filtering.New(filterConf, filters)
-	require.NoError(t, err)
-
+	f := filtering.New(filterConf, filters)
 	f.SetEnabled(true)
 
+	var err error
 	s, err = NewServer(DNSCreateParams{
 		DHCPServer:  testDHCP,
 		DNSFilter:   f,
@@ -775,9 +774,7 @@ func TestBlockedCustomIP(t *testing.T) {
 		Data: []byte(rules),
 	}}
 
-	f, err := filtering.New(&filtering.Config{}, filters)
-	require.NoError(t, err)
-
+	f := filtering.New(&filtering.Config{}, filters)
 	s, err := NewServer(DNSCreateParams{
 		DHCPServer:  testDHCP,
 		DNSFilter:   f,
@@ -909,9 +906,7 @@ func TestRewrite(t *testing.T) {
 			Type:   dns.TypeCNAME,
 		}},
 	}
-	f, err := filtering.New(c, nil)
-	require.NoError(t, err)
-
+	f := filtering.New(c, nil)
 	f.SetEnabled(true)
 
 	s, err := NewServer(DNSCreateParams{
@@ -1026,14 +1021,19 @@ var testDHCP = &dhcpd.MockInterface{
 	OnWriteDiskConfig:   func(c *dhcpd.ServerConfig) { panic("not implemented") },
 }
 
+// func (*testDHCP) Leases(flags dhcpd.GetLeasesFlags) (leases []*dhcpd.Lease) {
+// 	return []*dhcpd.Lease{{
+// 		IP:       net.IP{192, 168, 12, 34},
+// 		HWAddr:   net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
+// 		Hostname: "myhost",
+// 	}}
+// }
+
 func TestPTRResponseFromDHCPLeases(t *testing.T) {
 	const localDomain = "lan"
 
-	flt, err := filtering.New(&filtering.Config{}, nil)
-	require.NoError(t, err)
-
 	s, err := NewServer(DNSCreateParams{
-		DNSFilter:   flt,
+		DNSFilter:   filtering.New(&filtering.Config{}, nil),
 		DHCPServer:  testDHCP,
 		PrivateNets: netutil.SubnetSetFunc(netutil.IsLocallyServed),
 		LocalDomain: localDomain,
@@ -1100,11 +1100,9 @@ func TestPTRResponseFromHosts(t *testing.T) {
 		assert.Equal(t, uint32(1), atomic.LoadUint32(&eventsCalledCounter))
 	})
 
-	flt, err := filtering.New(&filtering.Config{
+	flt := filtering.New(&filtering.Config{
 		EtcHosts: hc,
 	}, nil)
-	require.NoError(t, err)
-
 	flt.SetEnabled(true)
 
 	var s *Server

internal/dnsforward/filter_test.go

@@ -35,8 +35,7 @@ func TestHandleDNSRequest_filterDNSResponse(t *testing.T) {
 		ID: 0, Data: []byte(rules),
 	}}
 
-	f, err := filtering.New(&filtering.Config{}, filters)
-	require.NoError(t, err)
+	f := filtering.New(&filtering.Config{}, filters)
 	f.SetEnabled(true)
 
 	s, err := NewServer(DNSCreateParams{

internal/filtering/blocked.go

@@ -421,34 +421,31 @@ func initBlockedServices() {
 }
 
 // BlockedSvcKnown - return TRUE if a blocked service name is known
-func BlockedSvcKnown(s string) (ok bool) {
-	_, ok = serviceRules[s]
-
+func BlockedSvcKnown(s string) bool {
+	_, ok := serviceRules[s]
 	return ok
 }
 
 // ApplyBlockedServices - set blocked services settings for this DNS request
-func (d *DNSFilter) ApplyBlockedServices(setts *Settings, list []string) {
+func (d *DNSFilter) ApplyBlockedServices(setts *Settings, list []string, global bool) {
 	setts.ServicesRules = []ServiceEntry{}
-	if list == nil {
+	if global {
 		d.confLock.RLock()
 		defer d.confLock.RUnlock()
-
 		list = d.Config.BlockedServices
 	}
-
 	for _, name := range list {
 		rules, ok := serviceRules[name]
+
 		if !ok {
 			log.Error("unknown service name: %s", name)
-
 			continue
 		}
 
-		setts.ServicesRules = append(setts.ServicesRules, ServiceEntry{
-			Name:  name,
-			Rules: rules,
-		})
+		s := ServiceEntry{}
+		s.Name = name
+		s.Rules = rules
+		setts.ServicesRules = append(setts.ServicesRules, s)
 	}
 }
 
@@ -493,3 +490,10 @@ func (d *DNSFilter) handleBlockedServicesSet(w http.ResponseWriter, r *http.Requ
 
 	d.ConfigModified()
 }
+
+// registerBlockedServicesHandlers - register HTTP handlers
+func (d *DNSFilter) registerBlockedServicesHandlers() {
+	d.Config.HTTPRegister(http.MethodGet, "/control/blocked_services/services", d.handleBlockedServicesAvailableServices)
+	d.Config.HTTPRegister(http.MethodGet, "/control/blocked_services/list", d.handleBlockedServicesList)
+	d.Config.HTTPRegister(http.MethodPost, "/control/blocked_services/set", d.handleBlockedServicesSet)
+}

internal/filtering/dnsrewrite_test.go

@@ -49,7 +49,7 @@ func TestDNSFilter_CheckHostRules_dnsrewrite(t *testing.T) {
 |1.2.3.5.in-addr.arpa^$dnsrewrite=NOERROR;PTR;new-ptr-with-dot.
 `
 
-	f, _ := newForTest(t, nil, []Filter{{ID: 0, Data: []byte(text)}})
+	f := newForTest(t, nil, []Filter{{ID: 0, Data: []byte(text)}})
 	setts := &Settings{
 		FilteringEnabled: true,
 	}

internal/filtering/filtering.go

@@ -6,10 +6,7 @@ import (
 	"fmt"
 	"io/fs"
 	"net"
-	"net/http"
 	"os"
-	"path/filepath"
-	"regexp"
 	"runtime"
 	"runtime/debug"
 	"strings"
@@ -27,7 +24,6 @@ import (
 	"github.com/AdguardTeam/urlfilter/filterlist"
 	"github.com/AdguardTeam/urlfilter/rules"
 	"github.com/miekg/dns"
-	"golang.org/x/exp/slices"
 )
 
 // The IDs of built-in filter lists.
@@ -73,13 +69,8 @@ type Config struct {
 	// enabled is used to be returned within Settings.
 	//
 	// It is of type uint32 to be accessed by atomic.
-	//
-	// TODO(e.burkov):  Use atomic.Bool in Go 1.19.
 	enabled uint32
 
-	FilteringEnabled           bool   `yaml:"filtering_enabled"`       // whether or not use filter lists
-	FiltersUpdateIntervalHours uint32 `yaml:"filters_update_interval"` // time period to update filters (in hours)
-
 	ParentalEnabled     bool `yaml:"parental_enabled"`
 	SafeSearchEnabled   bool `yaml:"safesearch_enabled"`
 	SafeBrowsingEnabled bool `yaml:"safebrowsing_enabled"`
@@ -107,24 +98,6 @@ type Config struct {
 
 	// CustomResolver is the resolver used by DNSFilter.
 	CustomResolver Resolver `yaml:"-"`
-
-	// HTTPClient is the client to use for updating the remote filters.
-	HTTPClient *http.Client `yaml:"-"`
-
-	// DataDir is used to store filters' contents.
-	DataDir string `yaml:"-"`
-
-	// filtersMu protects filter lists.
-	filtersMu *sync.RWMutex
-
-	// Filters are the blocking filter lists.
-	Filters []FilterYAML `yaml:"-"`
-
-	// WhitelistFilters are the allowing filter lists.
-	WhitelistFilters []FilterYAML `yaml:"-"`
-
-	// UserRules is the global list of custom rules.
-	UserRules []string `yaml:"-"`
 }
 
 // LookupStats store stats collected during safebrowsing or parental checks
@@ -155,13 +128,11 @@ type hostChecker struct {
 
 // DNSFilter matches hostnames and DNS requests against filtering rules.
 type DNSFilter struct {
-	rulesStorage    *filterlist.RuleStorage
-	filteringEngine *urlfilter.DNSEngine
-
+	rulesStorage         *filterlist.RuleStorage
+	filteringEngine      *urlfilter.DNSEngine
 	rulesStorageAllow    *filterlist.RuleStorage
 	filteringEngineAllow *urlfilter.DNSEngine
-
-	engineLock sync.RWMutex
+	engineLock           sync.RWMutex
 
 	parentalServer       string // access via methods
 	safeBrowsingServer   string // access via methods
@@ -185,12 +156,6 @@ type DNSFilter struct {
 	// TODO(e.burkov): Use upstream that configured in dnsforward instead.
 	resolver Resolver
 
-	refreshLock *sync.Mutex
-
-	// filterTitleRegexp is the regular expression to retrieve a name of a
-	// filter list.
-	filterTitleRegexp *regexp.Regexp
-
 	hostCheckers []hostChecker
 }
 
@@ -203,7 +168,7 @@ type Filter struct {
 	Data []byte `yaml:"-"`
 
 	// ID is automatically assigned when filter is added using nextFilterID.
-	ID int64 `yaml:"id"`
+	ID int64
 }
 
 // Reason holds an enum detailing why it was filtered or not filtered
@@ -280,7 +245,15 @@ func (r Reason) String() string {
 }
 
 // In returns true if reasons include r.
-func (r Reason) In(reasons ...Reason) (ok bool) { return slices.Contains(reasons, r) }
+func (r Reason) In(reasons ...Reason) (ok bool) {
+	for _, reason := range reasons {
+		if r == reason {
+			return true
+		}
+	}
+
+	return false
+}
 
 // SetEnabled sets the status of the *DNSFilter.
 func (d *DNSFilter) SetEnabled(enabled bool) {
@@ -288,7 +261,6 @@ func (d *DNSFilter) SetEnabled(enabled bool) {
 	if enabled {
 		i = 1
 	}
-
 	atomic.StoreUint32(&d.enabled, uint32(i))
 }
 
@@ -307,20 +279,11 @@ func (d *DNSFilter) GetConfig() (s Settings) {
 
 // WriteDiskConfig - write configuration
 func (d *DNSFilter) WriteDiskConfig(c *Config) {
-	func() {
-		d.confLock.Lock()
-		defer d.confLock.Unlock()
+	d.confLock.Lock()
+	defer d.confLock.Unlock()
 
-		*c = d.Config
-		c.Rewrites = cloneRewrites(c.Rewrites)
-	}()
-
-	d.filtersMu.RLock()
-	defer d.filtersMu.RUnlock()
-
-	c.Filters = slices.Clone(d.Filters)
-	c.WhitelistFilters = slices.Clone(d.WhitelistFilters)
-	c.UserRules = slices.Clone(d.UserRules)
+	*c = d.Config
+	c.Rewrites = cloneRewrites(c.Rewrites)
 }
 
 // cloneRewrites returns a deep copy of entries.
@@ -346,8 +309,6 @@ func (d *DNSFilter) SetFilters(blockFilters, allowFilters []Filter, async bool)
 		}
 
 		d.filtersInitializerLock.Lock() // prevent multiple writers from adding more than 1 task
-		defer d.filtersInitializerLock.Unlock()
-
 		// remove all pending tasks
 		stop := false
 		for !stop {
@@ -360,6 +321,7 @@ func (d *DNSFilter) SetFilters(blockFilters, allowFilters []Filter, async bool)
 		}
 
 		d.filtersInitializerChan <- params
+		d.filtersInitializerLock.Unlock()
 		return nil
 	}
 
@@ -388,19 +350,22 @@ func (d *DNSFilter) filtersInitializer() {
 func (d *DNSFilter) Close() {
 	d.engineLock.Lock()
 	defer d.engineLock.Unlock()
-
 	d.reset()
 }
 
 func (d *DNSFilter) reset() {
+	var err error
+
 	if d.rulesStorage != nil {
-		if err := d.rulesStorage.Close(); err != nil {
+		err = d.rulesStorage.Close()
+		if err != nil {
 			log.Error("filtering: rulesStorage.Close: %s", err)
 		}
 	}
 
 	if d.rulesStorageAllow != nil {
-		if err := d.rulesStorageAllow.Close(); err != nil {
+		err = d.rulesStorageAllow.Close()
+		if err != nil {
 			log.Error("filtering: rulesStorageAllow.Close: %s", err)
 		}
 	}
@@ -920,30 +885,29 @@ func InitModule() {
 	initBlockedServices()
 }
 
-// New creates properly initialized DNS Filter that is ready to be used.  c must
-// be non-nil.
-func New(c *Config, blockFilters []Filter) (d *DNSFilter, err error) {
+// New creates properly initialized DNS Filter that is ready to be used.
+func New(c *Config, blockFilters []Filter) (d *DNSFilter) {
 	d = &DNSFilter{
-		resolver:          net.DefaultResolver,
-		refreshLock:       &sync.Mutex{},
-		filterTitleRegexp: regexp.MustCompile(`^! Title: +(.*)$`),
+		resolver: net.DefaultResolver,
 	}
+	if c != nil {
 
-	d.safebrowsingCache = cache.New(cache.Config{
-		EnableLRU: true,
-		MaxSize:   c.SafeBrowsingCacheSize,
-	})
-	d.safeSearchCache = cache.New(cache.Config{
-		EnableLRU: true,
-		MaxSize:   c.SafeSearchCacheSize,
-	})
-	d.parentalCache = cache.New(cache.Config{
-		EnableLRU: true,
-		MaxSize:   c.ParentalCacheSize,
-	})
+		d.safebrowsingCache = cache.New(cache.Config{
+			EnableLRU: true,
+			MaxSize:   c.SafeBrowsingCacheSize,
+		})
+		d.safeSearchCache = cache.New(cache.Config{
+			EnableLRU: true,
+			MaxSize:   c.SafeSearchCacheSize,
+		})
+		d.parentalCache = cache.New(cache.Config{
+			EnableLRU: true,
+			MaxSize:   c.ParentalCacheSize,
+		})
 
-	if r := c.CustomResolver; r != nil {
-		d.resolver = r
+		if c.CustomResolver != nil {
+			d.resolver = c.CustomResolver
+		}
 	}
 
 	d.hostCheckers = []hostChecker{{
@@ -966,26 +930,27 @@ func New(c *Config, blockFilters []Filter) (d *DNSFilter, err error) {
 		name:  "safe search",
 	}}
 
-	defer func() { err = errors.Annotate(err, "filtering: %w") }()
-
-	err = d.initSecurityServices()
+	err := d.initSecurityServices()
 	if err != nil {
-		return nil, fmt.Errorf("initializing services: %s", err)
+		log.Error("filtering: initialize services: %s", err)
+
+		return nil
 	}
 
-	d.Config = *c
-	d.filtersMu = &sync.RWMutex{}
+	if c != nil {
+		d.Config = *c
+		err = d.prepareRewrites()
+		if err != nil {
+			log.Error("rewrites: preparing: %s", err)
 
-	err = d.prepareRewrites()
-	if err != nil {
-		return nil, fmt.Errorf("rewrites: preparing: %s", err)
+			return nil
+		}
 	}
 
 	bsvcs := []string{}
 	for _, s := range d.BlockedServices {
 		if !BlockedSvcKnown(s) {
 			log.Debug("skipping unknown blocked-service %q", s)
-
 			continue
 		}
 		bsvcs = append(bsvcs, s)
@@ -995,24 +960,13 @@ func New(c *Config, blockFilters []Filter) (d *DNSFilter, err error) {
 	if blockFilters != nil {
 		err = d.initFiltering(nil, blockFilters)
 		if err != nil {
+			log.Error("Can't initialize filtering subsystem: %s", err)
 			d.Close()
-
-			return nil, fmt.Errorf("initializing filtering subsystem: %s", err)
+			return nil
 		}
 	}
 
-	_ = os.MkdirAll(filepath.Join(d.DataDir, filterDir), 0o755)
-
-	d.loadFilters(d.Filters)
-	d.loadFilters(d.WhitelistFilters)
-
-	d.Filters = deduplicateFilters(d.Filters)
-	d.WhitelistFilters = deduplicateFilters(d.WhitelistFilters)
-
-	updateUniqueFilterID(d.Filters)
-	updateUniqueFilterID(d.WhitelistFilters)
-
-	return d, nil
+	return d
 }
 
 // Start - start the module:
@@ -1022,10 +976,9 @@ func (d *DNSFilter) Start() {
 	d.filtersInitializerChan = make(chan filtersInitializerParams, 1)
 	go d.filtersInitializer()
 
-	d.RegisterFilteringHandlers()
-
-	// Here we should start updating filters,
-	//  but currently we can't wake up the periodic task to do so.
-	// So for now we just start this periodic task from here.
-	go d.periodicallyRefreshFilters()
+	if d.Config.HTTPRegister != nil { // for tests
+		d.registerSecurityHandlers()
+		d.registerRewritesHandlers()
+		d.registerBlockedServicesHandlers()
+	}
 }

internal/filtering/filtering_test.go

@@ -26,6 +26,10 @@ const (
 	pcBlocked = "pornhub.com"
 )
 
+var setts = Settings{
+	ProtectionEnabled: true,
+}
+
 // Helpers.
 
 func purgeCaches(d *DNSFilter) {
@@ -40,8 +44,8 @@ func purgeCaches(d *DNSFilter) {
 	}
 }
 
-func newForTest(t testing.TB, c *Config, filters []Filter) (f *DNSFilter, setts *Settings) {
-	setts = &Settings{
+func newForTest(t testing.TB, c *Config, filters []Filter) *DNSFilter {
+	setts = Settings{
 		ProtectionEnabled: true,
 		FilteringEnabled:  true,
 	}
@@ -53,31 +57,26 @@ func newForTest(t testing.TB, c *Config, filters []Filter) (f *DNSFilter, setts
 		setts.SafeSearchEnabled = c.SafeSearchEnabled
 		setts.SafeBrowsingEnabled = c.SafeBrowsingEnabled
 		setts.ParentalEnabled = c.ParentalEnabled
-	} else {
-		// It must not be nil.
-		c = &Config{}
 	}
-	f, err := New(c, filters)
-	require.NoError(t, err)
+	d := New(c, filters)
+	purgeCaches(d)
 
-	purgeCaches(f)
-
-	return f, setts
+	return d
 }
 
-func (d *DNSFilter) checkMatch(t *testing.T, hostname string, setts *Settings) {
+func (d *DNSFilter) checkMatch(t *testing.T, hostname string) {
 	t.Helper()
 
-	res, err := d.CheckHost(hostname, dns.TypeA, setts)
+	res, err := d.CheckHost(hostname, dns.TypeA, &setts)
 	require.NoErrorf(t, err, "host %q", hostname)
 
 	assert.Truef(t, res.IsFiltered, "host %q", hostname)
 }
 
-func (d *DNSFilter) checkMatchIP(t *testing.T, hostname, ip string, qtype uint16, setts *Settings) {
+func (d *DNSFilter) checkMatchIP(t *testing.T, hostname, ip string, qtype uint16) {
 	t.Helper()
 
-	res, err := d.CheckHost(hostname, qtype, setts)
+	res, err := d.CheckHost(hostname, qtype, &setts)
 	require.NoErrorf(t, err, "host %q", hostname, err)
 	require.NotEmpty(t, res.Rules, "host %q", hostname)
 
@@ -89,10 +88,10 @@ func (d *DNSFilter) checkMatchIP(t *testing.T, hostname, ip string, qtype uint16
 	assert.Equalf(t, ip, r.IP.String(), "host %q", hostname)
 }
 
-func (d *DNSFilter) checkMatchEmpty(t *testing.T, hostname string, setts *Settings) {
+func (d *DNSFilter) checkMatchEmpty(t *testing.T, hostname string) {
 	t.Helper()
 
-	res, err := d.CheckHost(hostname, dns.TypeA, setts)
+	res, err := d.CheckHost(hostname, dns.TypeA, &setts)
 	require.NoErrorf(t, err, "host %q", hostname)
 
 	assert.Falsef(t, res.IsFiltered, "host %q", hostname)
@@ -112,19 +111,19 @@ func TestEtcHostsMatching(t *testing.T) {
 	filters := []Filter{{
 		ID: 0, Data: []byte(text),
 	}}
-	d, setts := newForTest(t, nil, filters)
+	d := newForTest(t, nil, filters)
 	t.Cleanup(d.Close)
 
-	d.checkMatchIP(t, "google.com", addr, dns.TypeA, setts)
-	d.checkMatchIP(t, "www.google.com", addr, dns.TypeA, setts)
-	d.checkMatchEmpty(t, "subdomain.google.com", setts)
-	d.checkMatchEmpty(t, "example.org", setts)
+	d.checkMatchIP(t, "google.com", addr, dns.TypeA)
+	d.checkMatchIP(t, "www.google.com", addr, dns.TypeA)
+	d.checkMatchEmpty(t, "subdomain.google.com")
+	d.checkMatchEmpty(t, "example.org")
 
 	// IPv4 match.
-	d.checkMatchIP(t, "block.com", "0.0.0.0", dns.TypeA, setts)
+	d.checkMatchIP(t, "block.com", "0.0.0.0", dns.TypeA)
 
 	// Empty IPv6.
-	res, err := d.CheckHost("block.com", dns.TypeAAAA, setts)
+	res, err := d.CheckHost("block.com", dns.TypeAAAA, &setts)
 	require.NoError(t, err)
 
 	assert.True(t, res.IsFiltered)
@@ -135,10 +134,10 @@ func TestEtcHostsMatching(t *testing.T) {
 	assert.Empty(t, res.Rules[0].IP)
 
 	// IPv6 match.
-	d.checkMatchIP(t, "ipv6.com", addr6, dns.TypeAAAA, setts)
+	d.checkMatchIP(t, "ipv6.com", addr6, dns.TypeAAAA)
 
 	// Empty IPv4.
-	res, err = d.CheckHost("ipv6.com", dns.TypeA, setts)
+	res, err = d.CheckHost("ipv6.com", dns.TypeA, &setts)
 	require.NoError(t, err)
 
 	assert.True(t, res.IsFiltered)
@@ -149,7 +148,7 @@ func TestEtcHostsMatching(t *testing.T) {
 	assert.Empty(t, res.Rules[0].IP)
 
 	// Two IPv4, both must be returned.
-	res, err = d.CheckHost("host2", dns.TypeA, setts)
+	res, err = d.CheckHost("host2", dns.TypeA, &setts)
 	require.NoError(t, err)
 
 	assert.True(t, res.IsFiltered)
@@ -160,7 +159,7 @@ func TestEtcHostsMatching(t *testing.T) {
 	assert.Equal(t, res.Rules[1].IP, net.IP{0, 0, 0, 2})
 
 	// One IPv6 address.
-	res, err = d.CheckHost("host2", dns.TypeAAAA, setts)
+	res, err = d.CheckHost("host2", dns.TypeAAAA, &setts)
 	require.NoError(t, err)
 
 	assert.True(t, res.IsFiltered)
@@ -177,27 +176,27 @@ func TestSafeBrowsing(t *testing.T) {
 	aghtest.ReplaceLogWriter(t, logOutput)
 	aghtest.ReplaceLogLevel(t, log.DEBUG)
 
-	d, setts := newForTest(t, &Config{SafeBrowsingEnabled: true}, nil)
+	d := newForTest(t, &Config{SafeBrowsingEnabled: true}, nil)
 	t.Cleanup(d.Close)
 
 	d.SetSafeBrowsingUpstream(aghtest.NewBlockUpstream(sbBlocked, true))
-	d.checkMatch(t, sbBlocked, setts)
+	d.checkMatch(t, sbBlocked)
 
 	require.Contains(t, logOutput.String(), fmt.Sprintf("safebrowsing lookup for %q", sbBlocked))
 
-	d.checkMatch(t, "test."+sbBlocked, setts)
-	d.checkMatchEmpty(t, "yandex.ru", setts)
-	d.checkMatchEmpty(t, pcBlocked, setts)
+	d.checkMatch(t, "test."+sbBlocked)
+	d.checkMatchEmpty(t, "yandex.ru")
+	d.checkMatchEmpty(t, pcBlocked)
 
 	// Cached result.
 	d.safeBrowsingServer = "127.0.0.1"
-	d.checkMatch(t, sbBlocked, setts)
-	d.checkMatchEmpty(t, pcBlocked, setts)
+	d.checkMatch(t, sbBlocked)
+	d.checkMatchEmpty(t, pcBlocked)
 	d.safeBrowsingServer = defaultSafebrowsingServer
 }
 
 func TestParallelSB(t *testing.T) {
-	d, setts := newForTest(t, &Config{SafeBrowsingEnabled: true}, nil)
+	d := newForTest(t, &Config{SafeBrowsingEnabled: true}, nil)
 	t.Cleanup(d.Close)
 
 	d.SetSafeBrowsingUpstream(aghtest.NewBlockUpstream(sbBlocked, true))
@@ -206,10 +205,10 @@ func TestParallelSB(t *testing.T) {
 		for i := 0; i < 100; i++ {
 			t.Run(fmt.Sprintf("aaa%d", i), func(t *testing.T) {
 				t.Parallel()
-				d.checkMatch(t, sbBlocked, setts)
-				d.checkMatch(t, "test."+sbBlocked, setts)
-				d.checkMatchEmpty(t, "yandex.ru", setts)
-				d.checkMatchEmpty(t, pcBlocked, setts)
+				d.checkMatch(t, sbBlocked)
+				d.checkMatch(t, "test."+sbBlocked)
+				d.checkMatchEmpty(t, "yandex.ru")
+				d.checkMatchEmpty(t, pcBlocked)
 			})
 		}
 	})
@@ -218,7 +217,7 @@ func TestParallelSB(t *testing.T) {
 // Safe Search.
 
 func TestSafeSearch(t *testing.T) {
-	d, _ := newForTest(t, &Config{SafeSearchEnabled: true}, nil)
+	d := newForTest(t, &Config{SafeSearchEnabled: true}, nil)
 	t.Cleanup(d.Close)
 	val, ok := d.SafeSearchDomain("www.google.com")
 	require.True(t, ok)
@@ -227,7 +226,7 @@ func TestSafeSearch(t *testing.T) {
 }
 
 func TestCheckHostSafeSearchYandex(t *testing.T) {
-	d, setts := newForTest(t, &Config{
+	d := newForTest(t, &Config{
 		SafeSearchEnabled: true,
 	}, nil)
 	t.Cleanup(d.Close)
@@ -244,7 +243,7 @@ func TestCheckHostSafeSearchYandex(t *testing.T) {
 		"www.yandex.com",
 	} {
 		t.Run(strings.ToLower(host), func(t *testing.T) {
-			res, err := d.CheckHost(host, dns.TypeA, setts)
+			res, err := d.CheckHost(host, dns.TypeA, &setts)
 			require.NoError(t, err)
 
 			assert.True(t, res.IsFiltered)
@@ -259,7 +258,7 @@ func TestCheckHostSafeSearchYandex(t *testing.T) {
 
 func TestCheckHostSafeSearchGoogle(t *testing.T) {
 	resolver := &aghtest.TestResolver{}
-	d, setts := newForTest(t, &Config{
+	d := newForTest(t, &Config{
 		SafeSearchEnabled: true,
 		CustomResolver:    resolver,
 	}, nil)
@@ -278,7 +277,7 @@ func TestCheckHostSafeSearchGoogle(t *testing.T) {
 		"www.google.je",
 	} {
 		t.Run(host, func(t *testing.T) {
-			res, err := d.CheckHost(host, dns.TypeA, setts)
+			res, err := d.CheckHost(host, dns.TypeA, &setts)
 			require.NoError(t, err)
 
 			assert.True(t, res.IsFiltered)
@@ -292,12 +291,12 @@ func TestCheckHostSafeSearchGoogle(t *testing.T) {
 }
 
 func TestSafeSearchCacheYandex(t *testing.T) {
-	d, setts := newForTest(t, nil, nil)
+	d := newForTest(t, nil, nil)
 	t.Cleanup(d.Close)
 	const domain = "yandex.ru"
 
 	// Check host with disabled safesearch.
-	res, err := d.CheckHost(domain, dns.TypeA, setts)
+	res, err := d.CheckHost(domain, dns.TypeA, &setts)
 	require.NoError(t, err)
 
 	assert.False(t, res.IsFiltered)
@@ -306,10 +305,10 @@ func TestSafeSearchCacheYandex(t *testing.T) {
 
 	yandexIP := net.IPv4(213, 180, 193, 56)
 
-	d, setts = newForTest(t, &Config{SafeSearchEnabled: true}, nil)
+	d = newForTest(t, &Config{SafeSearchEnabled: true}, nil)
 	t.Cleanup(d.Close)
 
-	res, err = d.CheckHost(domain, dns.TypeA, setts)
+	res, err = d.CheckHost(domain, dns.TypeA, &setts)
 	require.NoError(t, err)
 
 	// For yandex we already know valid IP.
@@ -326,20 +325,20 @@ func TestSafeSearchCacheYandex(t *testing.T) {
 
 func TestSafeSearchCacheGoogle(t *testing.T) {
 	resolver := &aghtest.TestResolver{}
-	d, setts := newForTest(t, &Config{
+	d := newForTest(t, &Config{
 		CustomResolver: resolver,
 	}, nil)
 	t.Cleanup(d.Close)
 
 	const domain = "www.google.ru"
-	res, err := d.CheckHost(domain, dns.TypeA, setts)
+	res, err := d.CheckHost(domain, dns.TypeA, &setts)
 	require.NoError(t, err)
 
 	assert.False(t, res.IsFiltered)
 
 	require.Empty(t, res.Rules)
 
-	d, setts = newForTest(t, &Config{SafeSearchEnabled: true}, nil)
+	d = newForTest(t, &Config{SafeSearchEnabled: true}, nil)
 	t.Cleanup(d.Close)
 	d.resolver = resolver
 
@@ -359,7 +358,7 @@ func TestSafeSearchCacheGoogle(t *testing.T) {
 		}
 	}
 
-	res, err = d.CheckHost(domain, dns.TypeA, setts)
+	res, err = d.CheckHost(domain, dns.TypeA, &setts)
 	require.NoError(t, err)
 	require.Len(t, res.Rules, 1)
 
@@ -380,22 +379,22 @@ func TestParentalControl(t *testing.T) {
 	aghtest.ReplaceLogWriter(t, logOutput)
 	aghtest.ReplaceLogLevel(t, log.DEBUG)
 
-	d, setts := newForTest(t, &Config{ParentalEnabled: true}, nil)
+	d := newForTest(t, &Config{ParentalEnabled: true}, nil)
 	t.Cleanup(d.Close)
 
 	d.SetParentalUpstream(aghtest.NewBlockUpstream(pcBlocked, true))
-	d.checkMatch(t, pcBlocked, setts)
+	d.checkMatch(t, pcBlocked)
 	require.Contains(t, logOutput.String(), fmt.Sprintf("parental lookup for %q", pcBlocked))
 
-	d.checkMatch(t, "www."+pcBlocked, setts)
-	d.checkMatchEmpty(t, "www.yandex.ru", setts)
-	d.checkMatchEmpty(t, "yandex.ru", setts)
-	d.checkMatchEmpty(t, "api.jquery.com", setts)
+	d.checkMatch(t, "www."+pcBlocked)
+	d.checkMatchEmpty(t, "www.yandex.ru")
+	d.checkMatchEmpty(t, "yandex.ru")
+	d.checkMatchEmpty(t, "api.jquery.com")
 
 	// Test cached result.
 	d.parentalServer = "127.0.0.1"
-	d.checkMatch(t, pcBlocked, setts)
-	d.checkMatchEmpty(t, "yandex.ru", setts)
+	d.checkMatch(t, pcBlocked)
+	d.checkMatchEmpty(t, "yandex.ru")
 }
 
 // Filtering.
@@ -680,10 +679,10 @@ func TestMatching(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(fmt.Sprintf("%s-%s", tc.name, tc.host), func(t *testing.T) {
 			filters := []Filter{{ID: 0, Data: []byte(tc.rules)}}
-			d, setts := newForTest(t, nil, filters)
+			d := newForTest(t, nil, filters)
 			t.Cleanup(d.Close)
 
-			res, err := d.CheckHost(tc.host, tc.wantDNSType, setts)
+			res, err := d.CheckHost(tc.host, tc.wantDNSType, &setts)
 			require.NoError(t, err)
 
 			assert.Equalf(t, tc.wantIsFiltered, res.IsFiltered, "Hostname %s has wrong result (%v must be %v)", tc.host, res.IsFiltered, tc.wantIsFiltered)
@@ -706,7 +705,7 @@ func TestWhitelist(t *testing.T) {
 	whiteFilters := []Filter{{
 		ID: 0, Data: []byte(whiteRules),
 	}}
-	d, setts := newForTest(t, nil, filters)
+	d := newForTest(t, nil, filters)
 
 	err := d.SetFilters(filters, whiteFilters, false)
 	require.NoError(t, err)
@@ -714,7 +713,7 @@ func TestWhitelist(t *testing.T) {
 	t.Cleanup(d.Close)
 
 	// Matched by white filter.
-	res, err := d.CheckHost("host1", dns.TypeA, setts)
+	res, err := d.CheckHost("host1", dns.TypeA, &setts)
 	require.NoError(t, err)
 
 	assert.False(t, res.IsFiltered)
@@ -725,7 +724,7 @@ func TestWhitelist(t *testing.T) {
 	assert.Equal(t, "||host1^", res.Rules[0].Text)
 
 	// Not matched by white filter, but matched by block filter.
-	res, err = d.CheckHost("host2", dns.TypeA, setts)
+	res, err = d.CheckHost("host2", dns.TypeA, &setts)
 	require.NoError(t, err)
 
 	assert.True(t, res.IsFiltered)
@@ -751,7 +750,7 @@ func applyClientSettings(setts *Settings) {
 }
 
 func TestClientSettings(t *testing.T) {
-	d, setts := newForTest(t,
+	d := newForTest(t,
 		&Config{
 			ParentalEnabled:     true,
 			SafeBrowsingEnabled: false,
@@ -797,7 +796,7 @@ func TestClientSettings(t *testing.T) {
 		return func(t *testing.T) {
 			t.Helper()
 
-			r, err := d.CheckHost(tc.host, dns.TypeA, setts)
+			r, err := d.CheckHost(tc.host, dns.TypeA, &setts)
 			require.NoError(t, err)
 
 			if before {
@@ -815,7 +814,7 @@ func TestClientSettings(t *testing.T) {
 		t.Run(tc.name, makeTester(tc, tc.before))
 	}
 
-	applyClientSettings(setts)
+	applyClientSettings(&setts)
 
 	for _, tc := range testCases {
 		t.Run(tc.name, makeTester(tc, !tc.before))
@@ -825,13 +824,13 @@ func TestClientSettings(t *testing.T) {
 // Benchmarks.
 
 func BenchmarkSafeBrowsing(b *testing.B) {
-	d, setts := newForTest(b, &Config{SafeBrowsingEnabled: true}, nil)
+	d := newForTest(b, &Config{SafeBrowsingEnabled: true}, nil)
 	b.Cleanup(d.Close)
 
 	d.SetSafeBrowsingUpstream(aghtest.NewBlockUpstream(sbBlocked, true))
 
 	for n := 0; n < b.N; n++ {
-		res, err := d.CheckHost(sbBlocked, dns.TypeA, setts)
+		res, err := d.CheckHost(sbBlocked, dns.TypeA, &setts)
 		require.NoError(b, err)
 
 		assert.Truef(b, res.IsFiltered, "expected hostname %q to match", sbBlocked)
@@ -839,14 +838,14 @@ func BenchmarkSafeBrowsing(b *testing.B) {
 }
 
 func BenchmarkSafeBrowsingParallel(b *testing.B) {
-	d, setts := newForTest(b, &Config{SafeBrowsingEnabled: true}, nil)
+	d := newForTest(b, &Config{SafeBrowsingEnabled: true}, nil)
 	b.Cleanup(d.Close)
 
 	d.SetSafeBrowsingUpstream(aghtest.NewBlockUpstream(sbBlocked, true))
 
 	b.RunParallel(func(pb *testing.PB) {
 		for pb.Next() {
-			res, err := d.CheckHost(sbBlocked, dns.TypeA, setts)
+			res, err := d.CheckHost(sbBlocked, dns.TypeA, &setts)
 			require.NoError(b, err)
 
 			assert.Truef(b, res.IsFiltered, "expected hostname %q to match", sbBlocked)
@@ -855,7 +854,7 @@ func BenchmarkSafeBrowsingParallel(b *testing.B) {
 }
 
 func BenchmarkSafeSearch(b *testing.B) {
-	d, _ := newForTest(b, &Config{SafeSearchEnabled: true}, nil)
+	d := newForTest(b, &Config{SafeSearchEnabled: true}, nil)
 	b.Cleanup(d.Close)
 	for n := 0; n < b.N; n++ {
 		val, ok := d.SafeSearchDomain("www.google.com")
@@ -866,7 +865,7 @@ func BenchmarkSafeSearch(b *testing.B) {
 }
 
 func BenchmarkSafeSearchParallel(b *testing.B) {
-	d, _ := newForTest(b, &Config{SafeSearchEnabled: true}, nil)
+	d := newForTest(b, &Config{SafeSearchEnabled: true}, nil)
 	b.Cleanup(d.Close)
 	b.RunParallel(func(pb *testing.PB) {
 		for pb.Next() {

internal/filtering/rewrites.go

@@ -133,31 +133,34 @@ func matchDomainWildcard(host, wildcard string) (ok bool) {
 //  1. A and AAAA > CNAME
 //  2. wildcard > exact
 //  3. lower level wildcard > higher level wildcard
-//
-// TODO(a.garipov):  Replace with slices.Sort.
 type rewritesSorted []*LegacyRewrite
 
-// Len implements the sort.Interface interface for rewritesSorted.
+// Len implements the sort.Interface interface for legacyRewritesSorted.
 func (a rewritesSorted) Len() (l int) { return len(a) }
 
-// Swap implements the sort.Interface interface for rewritesSorted.
+// Swap implements the sort.Interface interface for legacyRewritesSorted.
 func (a rewritesSorted) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
 
-// Less implements the sort.Interface interface for rewritesSorted.
+// Less implements the sort.Interface interface for legacyRewritesSorted.
 func (a rewritesSorted) Less(i, j int) (less bool) {
-	ith, jth := a[i], a[j]
-	if ith.Type == dns.TypeCNAME && jth.Type != dns.TypeCNAME {
+	if a[i].Type == dns.TypeCNAME && a[j].Type != dns.TypeCNAME {
 		return true
-	} else if ith.Type != dns.TypeCNAME && jth.Type == dns.TypeCNAME {
+	} else if a[i].Type != dns.TypeCNAME && a[j].Type == dns.TypeCNAME {
 		return false
 	}
 
-	if iw, jw := isWildcard(ith.Domain), isWildcard(jth.Domain); iw != jw {
-		return jw
+	if isWildcard(a[i].Domain) {
+		if !isWildcard(a[j].Domain) {
+			return false
+		}
+	} else {
+		if isWildcard(a[j].Domain) {
+			return true
+		}
 	}
 
-	// Both are either wildcards or not.
-	return len(ith.Domain) > len(jth.Domain)
+	// Both are wildcards.
+	return len(a[i].Domain) > len(a[j].Domain)
 }
 
 // prepareRewrites normalizes and validates all legacy DNS rewrites.
@@ -310,3 +313,9 @@ func (d *DNSFilter) handleRewriteDelete(w http.ResponseWriter, r *http.Request)
 
 	d.Config.ConfigModified()
 }
+
+func (d *DNSFilter) registerRewritesHandlers() {
+	d.Config.HTTPRegister(http.MethodGet, "/control/rewrite/list", d.handleRewriteList)
+	d.Config.HTTPRegister(http.MethodPost, "/control/rewrite/add", d.handleRewriteAdd)
+	d.Config.HTTPRegister(http.MethodPost, "/control/rewrite/delete", d.handleRewriteDelete)
+}

internal/filtering/rewrites_test.go

@@ -12,7 +12,7 @@ import (
 // TODO(e.burkov): All the tests in this file may and should me merged together.
 
 func TestRewrites(t *testing.T) {
-	d, _ := newForTest(t, nil, nil)
+	d := newForTest(t, nil, nil)
 	t.Cleanup(d.Close)
 
 	d.Rewrites = []*LegacyRewrite{{
@@ -188,7 +188,7 @@ func TestRewrites(t *testing.T) {
 }
 
 func TestRewritesLevels(t *testing.T) {
-	d, _ := newForTest(t, nil, nil)
+	d := newForTest(t, nil, nil)
 	t.Cleanup(d.Close)
 	// Exact host, wildcard L2, wildcard L3.
 	d.Rewrites = []*LegacyRewrite{{
@@ -235,7 +235,7 @@ func TestRewritesLevels(t *testing.T) {
 }
 
 func TestRewritesExceptionCNAME(t *testing.T) {
-	d, _ := newForTest(t, nil, nil)
+	d := newForTest(t, nil, nil)
 	t.Cleanup(d.Close)
 	// Wildcard and exception for a sub-domain.
 	d.Rewrites = []*LegacyRewrite{{
@@ -286,7 +286,7 @@ func TestRewritesExceptionCNAME(t *testing.T) {
 }
 
 func TestRewritesExceptionIP(t *testing.T) {
-	d, _ := newForTest(t, nil, nil)
+	d := newForTest(t, nil, nil)
 	t.Cleanup(d.Close)
 	// Exception for AAAA record.
 	d.Rewrites = []*LegacyRewrite{{

internal/filtering/safebrowsing.go

@@ -415,3 +415,17 @@ func (d *DNSFilter) handleParentalStatus(w http.ResponseWriter, r *http.Request)
 		aghhttp.Error(r, w, http.StatusInternalServerError, "Unable to write response json: %s", err)
 	}
 }
+
+func (d *DNSFilter) registerSecurityHandlers() {
+	d.Config.HTTPRegister(http.MethodPost, "/control/safebrowsing/enable", d.handleSafeBrowsingEnable)
+	d.Config.HTTPRegister(http.MethodPost, "/control/safebrowsing/disable", d.handleSafeBrowsingDisable)
+	d.Config.HTTPRegister(http.MethodGet, "/control/safebrowsing/status", d.handleSafeBrowsingStatus)
+
+	d.Config.HTTPRegister(http.MethodPost, "/control/parental/enable", d.handleParentalEnable)
+	d.Config.HTTPRegister(http.MethodPost, "/control/parental/disable", d.handleParentalDisable)
+	d.Config.HTTPRegister(http.MethodGet, "/control/parental/status", d.handleParentalStatus)
+
+	d.Config.HTTPRegister(http.MethodPost, "/control/safesearch/enable", d.handleSafeSearchEnable)
+	d.Config.HTTPRegister(http.MethodPost, "/control/safesearch/disable", d.handleSafeSearchDisable)
+	d.Config.HTTPRegister(http.MethodGet, "/control/safesearch/status", d.handleSafeSearchStatus)
+}

internal/filtering/safebrowsing_test.go

@@ -107,7 +107,7 @@ func TestSafeBrowsingCache(t *testing.T) {
 }
 
 func TestSBPC_checkErrorUpstream(t *testing.T) {
-	d, _ := newForTest(t, &Config{SafeBrowsingEnabled: true}, nil)
+	d := newForTest(t, &Config{SafeBrowsingEnabled: true}, nil)
 	t.Cleanup(d.Close)
 
 	ups := aghtest.NewErrorUpstream()
@@ -128,7 +128,7 @@ func TestSBPC_checkErrorUpstream(t *testing.T) {
 }
 
 func TestSBPC(t *testing.T) {
-	d, _ := newForTest(t, &Config{SafeBrowsingEnabled: true}, nil)
+	d := newForTest(t, &Config{SafeBrowsingEnabled: true}, nil)
 	t.Cleanup(d.Close)
 
 	const hostname = "example.org"

internal/home/auth.go

@@ -8,14 +8,12 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"path"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
-	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/timeutil"
@@ -34,8 +32,7 @@ const sessionTokenSize = 16
 
 type session struct {
 	userName string
-	// expire is the expiration time, in seconds.
-	expire uint32
+	expire   uint32 // expiration time (in seconds)
 }
 
 func (s *session) serialize() []byte {
@@ -67,29 +64,29 @@ func (s *session) deserialize(data []byte) bool {
 
 // Auth - global object
 type Auth struct {
-	db          *bbolt.DB
-	raleLimiter *authRateLimiter
-	sessions    map[string]*session
-	users       []webUser
-	lock        sync.Mutex
-	sessionTTL  uint32
+	db         *bbolt.DB
+	blocker    *authRateLimiter
+	sessions   map[string]*session
+	users      []User
+	lock       sync.Mutex
+	sessionTTL uint32
 }
 
-// webUser represents a user of the Web UI.
-type webUser struct {
+// User object
+type User struct {
 	Name         string `yaml:"name"`
-	PasswordHash string `yaml:"password"`
+	PasswordHash string `yaml:"password"` // bcrypt hash
 }
 
 // InitAuth - create a global object
-func InitAuth(dbFilename string, users []webUser, sessionTTL uint32, rateLimiter *authRateLimiter) *Auth {
+func InitAuth(dbFilename string, users []User, sessionTTL uint32, blocker *authRateLimiter) *Auth {
 	log.Info("Initializing auth module: %s", dbFilename)
 
 	a := &Auth{
-		sessionTTL:  sessionTTL,
-		raleLimiter: rateLimiter,
-		sessions:    make(map[string]*session),
-		users:       users,
+		sessionTTL: sessionTTL,
+		blocker:    blocker,
+		sessions:   make(map[string]*session),
+		users:      users,
 	}
 	var err error
 	a.db, err = bbolt.Open(dbFilename, 0o644, nil)
@@ -329,25 +326,35 @@ func newSessionToken() (data []byte, err error) {
 	return randData, nil
 }
 
-// newCookie creates a new authentication cookie.
-func (a *Auth) newCookie(req loginJSON, addr string) (c *http.Cookie, err error) {
-	rateLimiter := a.raleLimiter
-	u, ok := a.findUser(req.Name, req.Password)
-	if !ok {
-		if rateLimiter != nil {
-			rateLimiter.inc(addr)
+// cookieTimeFormat is the format to be used in (time.Time).Format for cookie's
+// expiry field.
+const cookieTimeFormat = "Mon, 02 Jan 2006 15:04:05 GMT"
+
+// cookieExpiryFormat returns the formatted exp to be used in cookie string.
+// It's quite simple for now, but probably will be expanded in the future.
+func cookieExpiryFormat(exp time.Time) (formatted string) {
+	return exp.Format(cookieTimeFormat)
+}
+
+func (a *Auth) httpCookie(req loginJSON, addr string) (cookie string, err error) {
+	blocker := a.blocker
+	u := a.UserFind(req.Name, req.Password)
+	if len(u.Name) == 0 {
+		if blocker != nil {
+			blocker.inc(addr)
 		}
 
-		return nil, errors.Error("invalid username or password")
+		return "", err
 	}
 
-	if rateLimiter != nil {
-		rateLimiter.remove(addr)
+	if blocker != nil {
+		blocker.remove(addr)
 	}
 
-	sess, err := newSessionToken()
+	var sess []byte
+	sess, err = newSessionToken()
 	if err != nil {
-		return nil, fmt.Errorf("generating token: %w", err)
+		return "", err
 	}
 
 	now := time.Now().UTC()
@@ -357,15 +364,11 @@ func (a *Auth) newCookie(req loginJSON, addr string) (c *http.Cookie, err error)
 		expire:   uint32(now.Unix()) + a.sessionTTL,
 	})
 
-	return &http.Cookie{
-		Name:    sessionCookieName,
-		Value:   hex.EncodeToString(sess),
-		Path:    "/",
-		Expires: now.Add(cookieTTL),
-
-		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-	}, nil
+	return fmt.Sprintf(
+		"%s=%s; Path=/; HttpOnly; Expires=%s",
+		sessionCookieName, hex.EncodeToString(sess),
+		cookieExpiryFormat(now.Add(cookieTTL)),
+	), nil
 }
 
 // realIP extracts the real IP address of the client from an HTTP request using
@@ -433,8 +436,8 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if rateLimiter := Context.auth.raleLimiter; rateLimiter != nil {
-		if left := rateLimiter.check(remoteAddr); left > 0 {
+	if blocker := Context.auth.blocker; blocker != nil {
+		if left := blocker.check(remoteAddr); left > 0 {
 			w.Header().Set("Retry-After", strconv.Itoa(int(left.Seconds())))
 			aghhttp.Error(r, w, http.StatusTooManyRequests, "auth: blocked for %s", left)
 
@@ -442,9 +445,10 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	cookie, err := Context.auth.newCookie(req, remoteAddr)
+	var cookie string
+	cookie, err = Context.auth.httpCookie(req, remoteAddr)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusForbidden, "%s", err)
+		aghhttp.Error(r, w, http.StatusBadRequest, "crypto rand reader: %s", err)
 
 		return
 	}
@@ -458,11 +462,20 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		log.Error("auth: unknown ip")
 	}
 
+	if len(cookie) == 0 {
+		log.Info("auth: failed to login user %q from ip %v", req.Name, ip)
+
+		time.Sleep(1 * time.Second)
+
+		http.Error(w, "invalid username or password", http.StatusBadRequest)
+
+		return
+	}
+
 	log.Info("auth: user %q successfully logged in from ip %v", req.Name, ip)
 
-	http.SetCookie(w, cookie)
-
 	h := w.Header()
+	h.Set("Set-Cookie", cookie)
 	h.Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
 	h.Set("Pragma", "no-cache")
 	h.Set("Expires", "0")
@@ -471,31 +484,17 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 }
 
 func handleLogout(w http.ResponseWriter, r *http.Request) {
-	respHdr := w.Header()
-	c, err := r.Cookie(sessionCookieName)
-	if err != nil {
-		// The only error that is returned from r.Cookie is [http.ErrNoCookie].
-		// The user is already logged out.
-		respHdr.Set("Location", "/login.html")
-		w.WriteHeader(http.StatusFound)
+	cookie := r.Header.Get("Cookie")
+	sess := parseCookie(cookie)
 
-		return
-	}
+	Context.auth.RemoveSession(sess)
 
-	Context.auth.RemoveSession(c.Value)
+	w.Header().Set("Location", "/login.html")
 
-	c = &http.Cookie{
-		Name:    sessionCookieName,
-		Value:   "",
-		Path:    "/",
-		Expires: time.Unix(0, 0),
+	s := fmt.Sprintf("%s=; Path=/; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
+		sessionCookieName)
+	w.Header().Set("Set-Cookie", s)
 
-		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-	}
-
-	respHdr.Set("Location", "/login.html")
-	respHdr.Set("Set-Cookie", c.String())
 	w.WriteHeader(http.StatusFound)
 }
 
@@ -505,108 +504,101 @@ func RegisterAuthHandlers() {
 	httpRegister(http.MethodGet, "/control/logout", handleLogout)
 }
 
-// optionalAuthThird return true if user should authenticate first.
-func optionalAuthThird(w http.ResponseWriter, r *http.Request) (mustAuth bool) {
-	if glProcessCookie(r) {
-		log.Debug("auth: authentication is handled by GL-Inet submodule")
-
-		return false
+func parseCookie(cookie string) string {
+	pairs := strings.Split(cookie, ";")
+	for _, pair := range pairs {
+		pair = strings.TrimSpace(pair)
+		kv := strings.SplitN(pair, "=", 2)
+		if len(kv) != 2 {
+			continue
+		}
+		if kv[0] == sessionCookieName {
+			return kv[1]
+		}
 	}
+	return ""
+}
+
+// optionalAuthThird return true if user should authenticate first.
+func optionalAuthThird(w http.ResponseWriter, r *http.Request) (authFirst bool) {
+	authFirst = false
 
 	// redirect to login page if not authenticated
-	isAuthenticated := false
+	ok := false
 	cookie, err := r.Cookie(sessionCookieName)
-	if err != nil {
-		// The only error that is returned from r.Cookie is [http.ErrNoCookie].
-		// Check Basic authentication.
-		user, pass, hasBasic := r.BasicAuth()
-		if hasBasic {
-			_, isAuthenticated = Context.auth.findUser(user, pass)
-			if !isAuthenticated {
+
+	if glProcessCookie(r) {
+		log.Debug("auth: authentication was handled by GL-Inet submodule")
+		ok = true
+	} else if err == nil {
+		r := Context.auth.checkSession(cookie.Value)
+		if r == checkSessionOK {
+			ok = true
+		} else if r < 0 {
+			log.Debug("auth: invalid cookie value: %s", cookie)
+		}
+	} else {
+		// there's no Cookie, check Basic authentication
+		user, pass, ok2 := r.BasicAuth()
+		if ok2 {
+			u := Context.auth.UserFind(user, pass)
+			if len(u.Name) != 0 {
+				ok = true
+			} else {
 				log.Info("auth: invalid Basic Authorization value")
 			}
 		}
-	} else {
-		res := Context.auth.checkSession(cookie.Value)
-		isAuthenticated = res == checkSessionOK
-		if !isAuthenticated {
-			log.Debug("auth: invalid cookie value: %s", cookie)
-		}
 	}
-
-	if isAuthenticated {
-		return false
-	}
-
-	if p := r.URL.Path; p == "/" || p == "/index.html" {
-		if glProcessRedirect(w, r) {
-			log.Debug("auth: redirected to login page by GL-Inet submodule")
+	if !ok {
+		if r.URL.Path == "/" || r.URL.Path == "/index.html" {
+			if glProcessRedirect(w, r) {
+				log.Debug("auth: redirected to login page by GL-Inet submodule")
+			} else {
+				w.Header().Set("Location", "/login.html")
+				w.WriteHeader(http.StatusFound)
+			}
 		} else {
-			log.Debug("auth: redirected to login page")
-			w.Header().Set("Location", "/login.html")
-			w.WriteHeader(http.StatusFound)
+			w.WriteHeader(http.StatusForbidden)
+			_, _ = w.Write([]byte("Forbidden"))
 		}
-	} else {
-		log.Debug("auth: responded with forbidden to %s %s", r.Method, p)
-		w.WriteHeader(http.StatusForbidden)
-		_, _ = w.Write([]byte("Forbidden"))
+		authFirst = true
 	}
 
-	return true
+	return authFirst
 }
 
-// TODO(a.garipov): Use [http.Handler] consistently everywhere throughout the
-// project.
-func optionalAuth(
-	h func(http.ResponseWriter, *http.Request),
-) (wrapped func(http.ResponseWriter, *http.Request)) {
+func optionalAuth(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		p := r.URL.Path
-		authRequired := Context.auth != nil && Context.auth.AuthRequired()
-		if p == "/login.html" {
+		if r.URL.Path == "/login.html" {
+			// redirect to dashboard if already authenticated
+			authRequired := Context.auth != nil && Context.auth.AuthRequired()
 			cookie, err := r.Cookie(sessionCookieName)
 			if authRequired && err == nil {
-				// Redirect to the dashboard if already authenticated.
-				res := Context.auth.checkSession(cookie.Value)
-				if res == checkSessionOK {
+				r := Context.auth.checkSession(cookie.Value)
+				if r == checkSessionOK {
 					w.Header().Set("Location", "/")
 					w.WriteHeader(http.StatusFound)
 
 					return
+				} else if r == checkSessionNotFound {
+					log.Debug("auth: invalid cookie value: %s", cookie)
 				}
-
-				log.Debug("auth: invalid cookie value: %s", cookie)
 			}
-		} else if isPublicResource(p) {
-			// Process as usual, no additional auth requirements.
-		} else if authRequired {
+
+		} else if strings.HasPrefix(r.URL.Path, "/assets/") ||
+			strings.HasPrefix(r.URL.Path, "/login.") {
+			// process as usual
+			// no additional auth requirements
+		} else if Context.auth != nil && Context.auth.AuthRequired() {
 			if optionalAuthThird(w, r) {
 				return
 			}
 		}
 
-		h(w, r)
+		handler(w, r)
 	}
 }
 
-// isPublicResource returns true if p is a path to a public resource.
-func isPublicResource(p string) (ok bool) {
-	isAsset, err := path.Match("/assets/*", p)
-	if err != nil {
-		// The only error that is returned from path.Match is
-		// [path.ErrBadPattern].  This is a programmer error.
-		panic(fmt.Errorf("bad asset pattern: %w", err))
-	}
-
-	isLogin, err := path.Match("/login.*", p)
-	if err != nil {
-		// Same as above.
-		panic(fmt.Errorf("bad login pattern: %w", err))
-	}
-
-	return isAsset || isLogin
-}
-
 type authHandler struct {
 	handler http.Handler
 }
@@ -620,7 +612,7 @@ func optionalAuthHandler(handler http.Handler) http.Handler {
 }
 
 // UserAdd - add new user
-func (a *Auth) UserAdd(u *webUser, password string) {
+func (a *Auth) UserAdd(u *User, password string) {
 	if len(password) == 0 {
 		return
 	}
@@ -639,35 +631,31 @@ func (a *Auth) UserAdd(u *webUser, password string) {
 	log.Debug("auth: added user: %s", u.Name)
 }
 
-// findUser returns a user if there is one.
-func (a *Auth) findUser(login, password string) (u webUser, ok bool) {
+// UserFind - find a user
+func (a *Auth) UserFind(login, password string) User {
 	a.lock.Lock()
 	defer a.lock.Unlock()
-
-	for _, u = range a.users {
+	for _, u := range a.users {
 		if u.Name == login &&
 			bcrypt.CompareHashAndPassword([]byte(u.PasswordHash), []byte(password)) == nil {
-			return u, true
+			return u
 		}
 	}
-
-	return webUser{}, false
+	return User{}
 }
 
 // getCurrentUser returns the current user.  It returns an empty User if the
 // user is not found.
-func (a *Auth) getCurrentUser(r *http.Request) (u webUser) {
+func (a *Auth) getCurrentUser(r *http.Request) User {
 	cookie, err := r.Cookie(sessionCookieName)
 	if err != nil {
 		// There's no Cookie, check Basic authentication.
 		user, pass, ok := r.BasicAuth()
 		if ok {
-			u, _ = Context.auth.findUser(user, pass)
-
-			return u
+			return Context.auth.UserFind(user, pass)
 		}
 
-		return webUser{}
+		return User{}
 	}
 
 	a.lock.Lock()
@@ -675,20 +663,20 @@ func (a *Auth) getCurrentUser(r *http.Request) (u webUser) {
 
 	s, ok := a.sessions[cookie.Value]
 	if !ok {
-		return webUser{}
+		return User{}
 	}
 
-	for _, u = range a.users {
+	for _, u := range a.users {
 		if u.Name == s.userName {
 			return u
 		}
 	}
 
-	return webUser{}
+	return User{}
 }
 
 // GetUsers - get users
-func (a *Auth) GetUsers() []webUser {
+func (a *Auth) GetUsers() []User {
 	a.lock.Lock()
 	users := a.users
 	a.lock.Unlock()

internal/home/auth_test.go

@@ -43,14 +43,14 @@ func TestAuth(t *testing.T) {
 	dir := t.TempDir()
 	fn := filepath.Join(dir, "sessions.db")
 
-	users := []webUser{{
+	users := []User{{
 		Name:         "name",
 		PasswordHash: "$2y$05$..vyzAECIhJPfaQiOK17IukcQnqEgKJHy0iETyYqxn3YXJl8yZuo2",
 	}}
 	a := InitAuth(fn, nil, 60, nil)
 	s := session{}
 
-	user := webUser{Name: "name"}
+	user := User{Name: "name"}
 	a.UserAdd(&user, "password")
 
 	assert.Equal(t, checkSessionNotFound, a.checkSession("notfound"))
@@ -84,8 +84,7 @@ func TestAuth(t *testing.T) {
 	a.storeSession(sess, &s)
 	a.Close()
 
-	u, ok := a.findUser("name", "password")
-	assert.True(t, ok)
+	u := a.UserFind("name", "password")
 	assert.NotEmpty(t, u.Name)
 
 	time.Sleep(3 * time.Second)
@@ -119,7 +118,7 @@ func TestAuthHTTP(t *testing.T) {
 	dir := t.TempDir()
 	fn := filepath.Join(dir, "sessions.db")
 
-	users := []webUser{
+	users := []User{
 		{Name: "name", PasswordHash: "$2y$05$..vyzAECIhJPfaQiOK17IukcQnqEgKJHy0iETyYqxn3YXJl8yZuo2"},
 	}
 	Context.auth = InitAuth(fn, users, 60, nil)
@@ -151,19 +150,18 @@ func TestAuthHTTP(t *testing.T) {
 	assert.True(t, handlerCalled)
 
 	// perform login
-	cookie, err := Context.auth.newCookie(loginJSON{Name: "name", Password: "password"}, "")
+	cookie, err := Context.auth.httpCookie(loginJSON{Name: "name", Password: "password"}, "")
 	require.NoError(t, err)
-	require.NotNil(t, cookie)
+	assert.NotEmpty(t, cookie)
 
 	// get /
 	handler2 = optionalAuth(handler)
 	w.hdr = make(http.Header)
-	r.Header.Set("Cookie", cookie.String())
+	r.Header.Set("Cookie", cookie)
 	r.URL = &url.URL{Path: "/"}
 	handlerCalled = false
 	handler2(&w, &r)
 	assert.True(t, handlerCalled)
-
 	r.Header.Del("Cookie")
 
 	// get / with basic auth
@@ -179,7 +177,7 @@ func TestAuthHTTP(t *testing.T) {
 	// get login page with a valid cookie - we're redirected to /
 	handler2 = optionalAuth(handler)
 	w.hdr = make(http.Header)
-	r.Header.Set("Cookie", cookie.String())
+	r.Header.Set("Cookie", cookie)
 	r.URL = &url.URL{Path: loginURL}
 	handlerCalled = false
 	handler2(&w, &r)

internal/home/clientshttp.go

@@ -93,7 +93,13 @@ func (clients *clientsContainer) handleGetClients(w http.ResponseWriter, r *http
 
 	data.Tags = clientTags
 
-	_ = aghhttp.WriteJSONResponse(w, r, data)
+	w.Header().Set("Content-Type", "application/json")
+	e := json.NewEncoder(w).Encode(data)
+	if e != nil {
+		aghhttp.Error(r, w, http.StatusInternalServerError, "failed to encode to json: %v", e)
+
+		return
+	}
 }
 
 // Convert JSON object to Client object
@@ -243,7 +249,11 @@ func (clients *clientsContainer) handleFindClient(w http.ResponseWriter, r *http
 		})
 	}
 
-	_ = aghhttp.WriteJSONResponse(w, r, data)
+	w.Header().Set("Content-Type", "application/json")
+	err := json.NewEncoder(w).Encode(data)
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusInternalServerError, "Couldn't write response: %s", err)
+	}
 }
 
 // findRuntime looks up the IP in runtime and temporary storages, like

internal/home/config.go

@@ -14,6 +14,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/querylog"
 	"github.com/AdguardTeam/AdGuardHome/internal/stats"
+	"github.com/AdguardTeam/AdGuardHome/internal/version"
 	"github.com/AdguardTeam/dnsproxy/fastip"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
@@ -22,9 +23,10 @@ import (
 	yaml "gopkg.in/yaml.v3"
 )
 
-// dataDir is the name of a directory under the working one to store some
-// persistent data.
-const dataDir = "data"
+const (
+	dataDir   = "data"    // data storage
+	filterDir = "filters" // cache location for downloaded filters, it's under DataDir
+)
 
 // logSettings are the logging settings part of the configuration file.
 //
@@ -85,10 +87,10 @@ type configuration struct {
 	// It's reset after config is parsed
 	fileData []byte
 
-	BindHost     net.IP    `yaml:"bind_host"`      // BindHost is the IP address of the HTTP server to bind to
-	BindPort     int       `yaml:"bind_port"`      // BindPort is the port the HTTP server
-	BetaBindPort int       `yaml:"beta_bind_port"` // BetaBindPort is the port for new client
-	Users        []webUser `yaml:"users"`          // Users that can access HTTP server
+	BindHost     net.IP `yaml:"bind_host"`      // BindHost is the IP address of the HTTP server to bind to
+	BindPort     int    `yaml:"bind_port"`      // BindPort is the port the HTTP server
+	BetaBindPort int    `yaml:"beta_bind_port"` // BetaBindPort is the port for new client
+	Users        []User `yaml:"users"`          // Users that can access HTTP server
 	// AuthAttempts is the maximum number of failed login attempts a user
 	// can do before being blocked.
 	AuthAttempts uint `yaml:"auth_attempts"`
@@ -106,16 +108,9 @@ type configuration struct {
 	DNS dnsConfig         `yaml:"dns"`
 	TLS tlsConfigSettings `yaml:"tls"`
 
-	// Filters reflects the filters from [filtering.Config].  It's cloned to the
-	// config used in the filtering module at the startup.  Afterwards it's
-	// cloned from the filtering module back here.
-	//
-	// TODO(e.burkov):  Move all the filtering configuration fields into the
-	// only configuration subsection covering the changes with a single
-	// migration.
-	Filters          []filtering.FilterYAML `yaml:"filters"`
-	WhitelistFilters []filtering.FilterYAML `yaml:"whitelist_filters"`
-	UserRules        []string               `yaml:"user_rules"`
+	Filters          []filter `yaml:"filters"`
+	WhitelistFilters []filter `yaml:"whitelist_filters"`
+	UserRules        []string `yaml:"user_rules"`
 
 	DHCP *dhcpd.ServerConfig `yaml:"dhcp"`
 
@@ -150,7 +145,9 @@ type dnsConfig struct {
 
 	dnsforward.FilteringConfig `yaml:",inline"`
 
-	DnsfilterConf *filtering.Config `yaml:",inline"`
+	FilteringEnabled           bool             `yaml:"filtering_enabled"`       // whether or not use filter lists
+	FiltersUpdateIntervalHours uint32           `yaml:"filters_update_interval"` // time period to update filters (in hours)
+	DnsfilterConf              filtering.Config `yaml:",inline"`
 
 	// UpstreamTimeout is the timeout for querying upstream servers.
 	UpstreamTimeout timeutil.Duration `yaml:"upstream_timeout"`
@@ -196,20 +193,15 @@ type tlsConfigSettings struct {
 //
 // TODO(a.garipov, e.burkov): This global is awful and must be removed.
 var config = &configuration{
-	BindPort:           3000,
-	BetaBindPort:       0,
-	BindHost:           net.IP{0, 0, 0, 0},
-	AuthAttempts:       5,
-	AuthBlockMin:       15,
-	WebSessionTTLHours: 30 * 24,
+	BindPort:     3000,
+	BetaBindPort: 0,
+	BindHost:     net.IP{0, 0, 0, 0},
+	AuthAttempts: 5,
+	AuthBlockMin: 15,
 	DNS: dnsConfig{
-		BindHosts:           []net.IP{{0, 0, 0, 0}},
-		Port:                defaultPortDNS,
-		StatsInterval:       1,
-		QueryLogEnabled:     true,
-		QueryLogFileEnabled: true,
-		QueryLogInterval:    timeutil.Duration{Duration: 90 * timeutil.Day},
-		QueryLogMemSize:     1000,
+		BindHosts:     []net.IP{{0, 0, 0, 0}},
+		Port:          defaultPortDNS,
+		StatsInterval: 1,
 		FilteringConfig: dnsforward.FilteringConfig{
 			ProtectionEnabled:  true, // whether or not use any of filtering features
 			BlockingMode:       dnsforward.BlockingModeDefault,
@@ -230,42 +222,18 @@ var config = &configuration{
 			// was later increased to 300 due to https://github.com/AdguardTeam/AdGuardHome/issues/2257
 			MaxGoroutines: 300,
 		},
-		DnsfilterConf: &filtering.Config{
-			SafeBrowsingCacheSize:      1 * 1024 * 1024,
-			SafeSearchCacheSize:        1 * 1024 * 1024,
-			ParentalCacheSize:          1 * 1024 * 1024,
-			CacheTime:                  30,
-			FilteringEnabled:           true,
-			FiltersUpdateIntervalHours: 24,
-		},
-		UpstreamTimeout: timeutil.Duration{Duration: dnsforward.DefaultTimeout},
-		UsePrivateRDNS:  true,
+		FilteringEnabled:           true, // whether or not use filter lists
+		FiltersUpdateIntervalHours: 24,
+		UpstreamTimeout:            timeutil.Duration{Duration: dnsforward.DefaultTimeout},
+		UsePrivateRDNS:             true,
 	},
 	TLS: tlsConfigSettings{
 		PortHTTPS:       defaultPortHTTPS,
 		PortDNSOverTLS:  defaultPortTLS, // needs to be passed through to dnsproxy
 		PortDNSOverQUIC: defaultPortQUIC,
 	},
-	Filters: []filtering.FilterYAML{{
-		Filter:  filtering.Filter{ID: 1},
-		Enabled: true,
-		URL:     "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt",
-		Name:    "AdGuard DNS filter",
-	}, {
-		Filter:  filtering.Filter{ID: 2},
-		Enabled: false,
-		URL:     "https://adaway.org/hosts.txt",
-		Name:    "AdAway Default Blocklist",
-	}},
 	DHCP: &dhcpd.ServerConfig{
 		LocalDomainName: "lan",
-		Conf4: dhcpd.V4ServerConf{
-			LeaseDuration: dhcpd.DefaultDHCPLeaseTTL,
-			ICMPTimeout:   dhcpd.DefaultDHCPTimeoutICMP,
-		},
-		Conf6: dhcpd.V6ServerConf{
-			LeaseDuration: dhcpd.DefaultDHCPLeaseTTL,
-		},
 	},
 	Clients: &clientsConfig{
 		Sources: &clientSourcesConf{
@@ -287,6 +255,31 @@ var config = &configuration{
 	SchemaVersion: currentSchemaVersion,
 }
 
+// initConfig initializes default configuration for the current OS&ARCH
+func initConfig() {
+	config.WebSessionTTLHours = 30 * 24
+
+	config.DNS.QueryLogEnabled = true
+	config.DNS.QueryLogFileEnabled = true
+	config.DNS.QueryLogInterval = timeutil.Duration{Duration: 90 * timeutil.Day}
+	config.DNS.QueryLogMemSize = 1000
+
+	config.DNS.CacheSize = 4 * 1024 * 1024
+	config.DNS.DnsfilterConf.SafeBrowsingCacheSize = 1 * 1024 * 1024
+	config.DNS.DnsfilterConf.SafeSearchCacheSize = 1 * 1024 * 1024
+	config.DNS.DnsfilterConf.ParentalCacheSize = 1 * 1024 * 1024
+	config.DNS.DnsfilterConf.CacheTime = 30
+	config.Filters = defaultFilters()
+
+	config.DHCP.Conf4.LeaseDuration = dhcpd.DefaultDHCPLeaseTTL
+	config.DHCP.Conf4.ICMPTimeout = dhcpd.DefaultDHCPTimeoutICMP
+	config.DHCP.Conf6.LeaseDuration = dhcpd.DefaultDHCPLeaseTTL
+
+	if ch := version.Channel(); ch == version.ChannelEdge || ch == version.ChannelDevelopment {
+		config.BetaBindPort = 3001
+	}
+}
+
 // getConfigFilename returns path to the current config file
 func (c *configuration) getConfigFilename() string {
 	configFile, err := filepath.EvalSymlinks(Context.configFilename)
@@ -355,8 +348,8 @@ func parseConfig() (err error) {
 		return fmt.Errorf("validating udp ports: %w", err)
 	}
 
-	if !filtering.ValidateUpdateIvl(config.DNS.DnsfilterConf.FiltersUpdateIntervalHours) {
-		config.DNS.DnsfilterConf.FiltersUpdateIntervalHours = 24
+	if !checkFiltersUpdateIntervalHours(config.DNS.FiltersUpdateIntervalHours) {
+		config.DNS.FiltersUpdateIntervalHours = 24
 	}
 
 	if config.DNS.UpstreamTimeout.Duration == 0 {
@@ -425,11 +418,10 @@ func (c *configuration) write() (err error) {
 		config.DNS.AnonymizeClientIP = dc.AnonymizeClientIP
 	}
 
-	if Context.filters != nil {
-		Context.filters.WriteDiskConfig(config.DNS.DnsfilterConf)
-		config.Filters = config.DNS.DnsfilterConf.Filters
-		config.WhitelistFilters = config.DNS.DnsfilterConf.WhitelistFilters
-		config.UserRules = config.DNS.DnsfilterConf.UserRules
+	if Context.dnsFilter != nil {
+		c := filtering.Config{}
+		Context.dnsFilter.WriteDiskConfig(&c)
+		config.DNS.DnsfilterConf = c
 	}
 
 	if s := Context.dnsServer; s != nil {

internal/home/control.go

@@ -146,7 +146,13 @@ func handleStatus(w http.ResponseWriter, r *http.Request) {
 		resp.IsDHCPAvailable = Context.dhcpServer != nil
 	}
 
-	_ = aghhttp.WriteJSONResponse(w, r, resp)
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(resp)
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusInternalServerError, "Unable to write response json: %s", err)
+
+		return
+	}
 }
 
 type profileJSON struct {
@@ -156,16 +162,13 @@ type profileJSON struct {
 func handleGetProfile(w http.ResponseWriter, r *http.Request) {
 	pj := profileJSON{}
 	u := Context.auth.getCurrentUser(r)
-
 	pj.Name = u.Name
 
 	data, err := json.Marshal(pj)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusInternalServerError, "json.Marshal: %s", err)
-
 		return
 	}
-
 	_, _ = w.Write(data)
 }
 
@@ -204,24 +207,11 @@ func ensure(method string, handler func(http.ResponseWriter, *http.Request)) fun
 		log.Debug("%s %v", r.Method, r.URL)
 
 		if r.Method != method {
-			aghhttp.Error(r, w, http.StatusMethodNotAllowed, "only %s is allowed", method)
-
+			http.Error(w, "This request must be "+method, http.StatusMethodNotAllowed)
 			return
 		}
 
 		if method == http.MethodPost || method == http.MethodPut || method == http.MethodDelete {
-			if r.Header.Get(aghhttp.HdrNameContentType) != aghhttp.HdrValApplicationJSON {
-				aghhttp.Error(
-					r,
-					w,
-					http.StatusUnsupportedMediaType,
-					"only %s is allowed",
-					aghhttp.HdrValApplicationJSON,
-				)
-
-				return
-			}
-
 			Context.controlLock.Lock()
 			defer Context.controlLock.Unlock()
 		}
@@ -301,7 +291,7 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
 		}
 
 		httpsURL := &url.URL{
-			Scheme:   aghhttp.SchemeHTTPS,
+			Scheme:   schemeHTTPS,
 			Host:     hostPort,
 			Path:     r.URL.Path,
 			RawQuery: r.URL.RawQuery,
@@ -317,7 +307,7 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
 	//
 	// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin.
 	originURL := &url.URL{
-		Scheme: aghhttp.SchemeHTTP,
+		Scheme: schemeHTTP,
 		Host:   r.Host,
 	}
 	w.Header().Set("Access-Control-Allow-Origin", originURL.String())

internal/home/controlfiltering.go

@@ -1,13 +1,15 @@
-package filtering
+package home
 
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
@@ -32,7 +34,7 @@ func validateFilterURL(urlStr string) (err error) {
 		return fmt.Errorf("checking filter url: %w", err)
 	}
 
-	if s := url.Scheme; s != aghhttp.SchemeHTTP && s != aghhttp.SchemeHTTPS {
+	if s := url.Scheme; s != schemeHTTP && s != schemeHTTPS {
 		return fmt.Errorf("checking filter url: invalid scheme %q", s)
 	}
 
@@ -45,7 +47,7 @@ type filterAddJSON struct {
 	Whitelist bool   `json:"whitelist"`
 }
 
-func (d *DNSFilter) handleFilteringAddURL(w http.ResponseWriter, r *http.Request) {
+func (f *Filtering) handleFilteringAddURL(w http.ResponseWriter, r *http.Request) {
 	fj := filterAddJSON{}
 	err := json.NewDecoder(r.Body).Decode(&fj)
 	if err != nil {
@@ -63,14 +65,14 @@ func (d *DNSFilter) handleFilteringAddURL(w http.ResponseWriter, r *http.Request
 	}
 
 	// Check for duplicates
-	if d.filterExists(fj.URL) {
+	if filterExists(fj.URL) {
 		aghhttp.Error(r, w, http.StatusBadRequest, "Filter URL already added -- %s", fj.URL)
 
 		return
 	}
 
 	// Set necessary properties
-	filt := FilterYAML{
+	filt := filter{
 		Enabled: true,
 		URL:     fj.URL,
 		Name:    fj.Name,
@@ -79,7 +81,7 @@ func (d *DNSFilter) handleFilteringAddURL(w http.ResponseWriter, r *http.Request
 	filt.ID = assignUniqueFilterID()
 
 	// Download the filter contents
-	ok, err := d.update(&filt)
+	ok, err := f.update(&filt)
 	if err != nil {
 		aghhttp.Error(
 			r,
@@ -107,14 +109,14 @@ func (d *DNSFilter) handleFilteringAddURL(w http.ResponseWriter, r *http.Request
 
 	// URL is assumed valid so append it to filters, update config, write new
 	// file and reload it to engines.
-	if !d.filterAdd(filt) {
+	if !filterAdd(filt) {
 		aghhttp.Error(r, w, http.StatusBadRequest, "Filter URL already added -- %s", filt.URL)
 
 		return
 	}
 
-	d.ConfigModified()
-	d.EnableFilters(true)
+	onConfigModified()
+	enableFilters(true)
 
 	_, err = fmt.Fprintf(w, "OK %d rules\n", filt.RulesCount)
 	if err != nil {
@@ -122,7 +124,7 @@ func (d *DNSFilter) handleFilteringAddURL(w http.ResponseWriter, r *http.Request
 	}
 }
 
-func (d *DNSFilter) handleFilteringRemoveURL(w http.ResponseWriter, r *http.Request) {
+func (f *Filtering) handleFilteringRemoveURL(w http.ResponseWriter, r *http.Request) {
 	type request struct {
 		URL       string `json:"url"`
 		Whitelist bool   `json:"whitelist"`
@@ -136,23 +138,23 @@ func (d *DNSFilter) handleFilteringRemoveURL(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
-	d.filtersMu.Lock()
-	filters := &d.Filters
+	config.Lock()
+	filters := &config.Filters
 	if req.Whitelist {
-		filters = &d.WhitelistFilters
+		filters = &config.WhitelistFilters
 	}
 
-	var deleted FilterYAML
-	var newFilters []FilterYAML
-	for _, flt := range *filters {
-		if flt.URL != req.URL {
-			newFilters = append(newFilters, flt)
+	var deleted filter
+	var newFilters []filter
+	for _, f := range *filters {
+		if f.URL != req.URL {
+			newFilters = append(newFilters, f)
 
 			continue
 		}
 
-		deleted = flt
-		path := flt.Path(d.DataDir)
+		deleted = f
+		path := f.Path()
 		err = os.Rename(path, path+".old")
 		if err != nil {
 			log.Error("deleting filter %q: %s", path, err)
@@ -160,10 +162,10 @@ func (d *DNSFilter) handleFilteringRemoveURL(w http.ResponseWriter, r *http.Requ
 	}
 
 	*filters = newFilters
-	d.filtersMu.Unlock()
+	config.Unlock()
 
-	d.ConfigModified()
-	d.EnableFilters(true)
+	onConfigModified()
+	enableFilters(true)
 
 	// NOTE: The old files "filter.txt.old" aren't deleted.  It's not really
 	// necessary, but will require the additional complicated code to run
@@ -189,51 +191,55 @@ type filterURLReq struct {
 	Whitelist bool              `json:"whitelist"`
 }
 
-func (d *DNSFilter) handleFilteringSetURL(w http.ResponseWriter, r *http.Request) {
+func (f *Filtering) handleFilteringSetURL(w http.ResponseWriter, r *http.Request) {
 	fj := filterURLReq{}
 	err := json.NewDecoder(r.Body).Decode(&fj)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "decoding request: %s", err)
+		aghhttp.Error(r, w, http.StatusBadRequest, "json decode: %s", err)
 
 		return
 	}
 
 	if fj.Data == nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "%s", errors.Error("data is absent"))
+		err = errors.Error("data cannot be null")
+		aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
 
 		return
 	}
 
 	err = validateFilterURL(fj.Data.URL)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "invalid url: %s", err)
+		err = fmt.Errorf("invalid url: %s", err)
+		aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
 
 		return
 	}
 
-	filt := FilterYAML{
+	filt := filter{
 		Enabled: fj.Data.Enabled,
 		Name:    fj.Data.Name,
 		URL:     fj.Data.URL,
 	}
-	status := d.filterSetProperties(fj.URL, filt, fj.Whitelist)
+	status := f.filterSetProperties(fj.URL, filt, fj.Whitelist)
 	if (status & statusFound) == 0 {
-		aghhttp.Error(r, w, http.StatusBadRequest, "URL doesn't exist")
-
+		http.Error(w, "URL doesn't exist", http.StatusBadRequest)
 		return
 	}
 	if (status & statusURLExists) != 0 {
-		aghhttp.Error(r, w, http.StatusBadRequest, "URL already exists")
-
+		http.Error(w, "URL already exists", http.StatusBadRequest)
 		return
 	}
 
-	d.ConfigModified()
+	onConfigModified()
 
 	restart := (status & statusEnabledChanged) != 0
 	if (status&statusUpdateRequired) != 0 && fj.Data.Enabled {
-		// download new filter and apply its rules.
-		nUpdated := d.refreshFilters(!fj.Whitelist, fj.Whitelist, false)
+		// download new filter and apply its rules
+		flags := filterRefreshBlocklists
+		if fj.Whitelist {
+			flags = filterRefreshAllowlists
+		}
+		nUpdated, _ := f.refreshFilters(flags, true)
 		// if at least 1 filter has been updated, refreshFilters() restarts the filtering automatically
 		// if not - we restart the filtering ourselves
 		restart = false
@@ -243,34 +249,25 @@ func (d *DNSFilter) handleFilteringSetURL(w http.ResponseWriter, r *http.Request
 	}
 
 	if restart {
-		d.EnableFilters(true)
+		enableFilters(true)
 	}
 }
 
-// filteringRulesReq is the JSON structure for settings custom filtering rules.
-type filteringRulesReq struct {
-	Rules []string `json:"rules"`
-}
-
-func (d *DNSFilter) handleFilteringSetRules(w http.ResponseWriter, r *http.Request) {
-	if aghhttp.WriteTextPlainDeprecated(w, r) {
-		return
-	}
-
-	req := &filteringRulesReq{}
-	err := json.NewDecoder(r.Body).Decode(req)
+func (f *Filtering) handleFilteringSetRules(w http.ResponseWriter, r *http.Request) {
+	// This use of ReadAll is safe, because request's body is now limited.
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "reading req: %s", err)
+		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to read request body: %s", err)
 
 		return
 	}
 
-	d.UserRules = req.Rules
-	d.ConfigModified()
-	d.EnableFilters(true)
+	config.UserRules = strings.Split(string(body), "\n")
+	onConfigModified()
+	enableFilters(true)
 }
 
-func (d *DNSFilter) handleFilteringRefresh(w http.ResponseWriter, r *http.Request) {
+func (f *Filtering) handleFilteringRefresh(w http.ResponseWriter, r *http.Request) {
 	type Req struct {
 		White bool `json:"whitelist"`
 	}
@@ -288,27 +285,35 @@ func (d *DNSFilter) handleFilteringRefresh(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	var ok bool
-	resp.Updated, _, ok = d.tryRefreshFilters(!req.White, req.White, true)
-	if !ok {
-		aghhttp.Error(
-			r,
-			w,
-			http.StatusInternalServerError,
-			"filters update procedure is already running",
-		)
+	flags := filterRefreshBlocklists
+	if req.White {
+		flags = filterRefreshAllowlists
+	}
+	func() {
+		// Temporarily unlock the Context.controlLock because the
+		// f.refreshFilters waits for it to be unlocked but it's
+		// actually locked in ensure wrapper.
+		//
+		// TODO(e.burkov):  Reconsider this messy syncing process.
+		Context.controlLock.Unlock()
+		defer Context.controlLock.Lock()
+
+		resp.Updated, err = f.refreshFilters(flags|filterRefreshForce, false)
+	}()
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)
 
 		return
 	}
 
-	w.Header().Set("Content-Type", "application/json")
-
-	err = json.NewEncoder(w).Encode(resp)
+	js, err := json.Marshal(resp)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusInternalServerError, "json encode: %s", err)
 
 		return
 	}
+	w.Header().Set("Content-Type", "application/json")
+	_, _ = w.Write(js)
 }
 
 type filterJSON struct {
@@ -328,7 +333,7 @@ type filteringConfig struct {
 	Enabled          bool         `json:"enabled"`
 }
 
-func filterToJSON(f FilterYAML) filterJSON {
+func filterToJSON(f filter) filterJSON {
 	fj := filterJSON{
 		ID:         f.ID,
 		Enabled:    f.Enabled,
@@ -345,21 +350,21 @@ func filterToJSON(f FilterYAML) filterJSON {
 }
 
 // Get filtering configuration
-func (d *DNSFilter) handleFilteringStatus(w http.ResponseWriter, r *http.Request) {
+func (f *Filtering) handleFilteringStatus(w http.ResponseWriter, r *http.Request) {
 	resp := filteringConfig{}
-	d.filtersMu.RLock()
-	resp.Enabled = d.FilteringEnabled
-	resp.Interval = d.FiltersUpdateIntervalHours
-	for _, f := range d.Filters {
+	config.RLock()
+	resp.Enabled = config.DNS.FilteringEnabled
+	resp.Interval = config.DNS.FiltersUpdateIntervalHours
+	for _, f := range config.Filters {
 		fj := filterToJSON(f)
 		resp.Filters = append(resp.Filters, fj)
 	}
-	for _, f := range d.WhitelistFilters {
+	for _, f := range config.WhitelistFilters {
 		fj := filterToJSON(f)
 		resp.WhitelistFilters = append(resp.WhitelistFilters, fj)
 	}
-	resp.UserRules = d.UserRules
-	d.filtersMu.RUnlock()
+	resp.UserRules = config.UserRules
+	config.RUnlock()
 
 	jsonVal, err := json.Marshal(resp)
 	if err != nil {
@@ -375,7 +380,7 @@ func (d *DNSFilter) handleFilteringStatus(w http.ResponseWriter, r *http.Request
 }
 
 // Set filtering configuration
-func (d *DNSFilter) handleFilteringConfig(w http.ResponseWriter, r *http.Request) {
+func (f *Filtering) handleFilteringConfig(w http.ResponseWriter, r *http.Request) {
 	req := filteringConfig{}
 	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
@@ -384,22 +389,22 @@ func (d *DNSFilter) handleFilteringConfig(w http.ResponseWriter, r *http.Request
 		return
 	}
 
-	if !ValidateUpdateIvl(req.Interval) {
+	if !checkFiltersUpdateIntervalHours(req.Interval) {
 		aghhttp.Error(r, w, http.StatusBadRequest, "Unsupported interval")
 
 		return
 	}
 
 	func() {
-		d.filtersMu.Lock()
-		defer d.filtersMu.Unlock()
+		config.Lock()
+		defer config.Unlock()
 
-		d.FilteringEnabled = req.Enabled
-		d.FiltersUpdateIntervalHours = req.Interval
+		config.DNS.FilteringEnabled = req.Enabled
+		config.DNS.FiltersUpdateIntervalHours = req.Interval
 	}()
 
-	d.ConfigModified()
-	d.EnableFilters(true)
+	onConfigModified()
+	enableFilters(true)
 }
 
 type checkHostRespRule struct {
@@ -430,15 +435,15 @@ type checkHostResp struct {
 	FilterID int64 `json:"filter_id"`
 }
 
-func (d *DNSFilter) handleCheckHost(w http.ResponseWriter, r *http.Request) {
-	host := r.URL.Query().Get("name")
+func (f *Filtering) handleCheckHost(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	host := q.Get("name")
 
-	setts := d.GetConfig()
+	setts := Context.dnsFilter.GetConfig()
 	setts.FilteringEnabled = true
 	setts.ProtectionEnabled = true
-
-	d.ApplyBlockedServices(&setts, nil)
-	result, err := d.CheckHost(host, dns.TypeA, &setts)
+	Context.dnsFilter.ApplyBlockedServices(&setts, nil, true)
+	result, err := Context.dnsFilter.CheckHost(host, dns.TypeA, &setts)
 	if err != nil {
 		aghhttp.Error(
 			r,
@@ -452,20 +457,18 @@ func (d *DNSFilter) handleCheckHost(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	rulesLen := len(result.Rules)
-	resp := checkHostResp{
-		Reason:    result.Reason.String(),
-		SvcName:   result.ServiceName,
-		CanonName: result.CanonName,
-		IPList:    result.IPList,
-		Rules:     make([]*checkHostRespRule, len(result.Rules)),
-	}
+	resp := checkHostResp{}
+	resp.Reason = result.Reason.String()
+	resp.SvcName = result.ServiceName
+	resp.CanonName = result.CanonName
+	resp.IPList = result.IPList
 
-	if rulesLen > 0 {
+	if len(result.Rules) > 0 {
 		resp.FilterID = result.Rules[0].FilterListID
 		resp.Rule = result.Rules[0].Text
 	}
 
+	resp.Rules = make([]*checkHostRespRule, len(result.Rules))
 	for i, r := range result.Rules {
 		resp.Rules[i] = &checkHostRespRule{
 			FilterListID: r.FilterListID,
@@ -473,51 +476,28 @@ func (d *DNSFilter) handleCheckHost(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	w.Header().Set("Content-Type", "application/json")
-	err = json.NewEncoder(w).Encode(resp)
+	js, err := json.Marshal(resp)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusInternalServerError, "encoding response: %s", err)
+		aghhttp.Error(r, w, http.StatusInternalServerError, "json encode: %s", err)
+
+		return
 	}
+	w.Header().Set("Content-Type", "application/json")
+	_, _ = w.Write(js)
 }
 
 // RegisterFilteringHandlers - register handlers
-func (d *DNSFilter) RegisterFilteringHandlers() {
-	registerHTTP := d.HTTPRegister
-	if registerHTTP == nil {
-		return
-	}
-
-	registerHTTP(http.MethodPost, "/control/safebrowsing/enable", d.handleSafeBrowsingEnable)
-	registerHTTP(http.MethodPost, "/control/safebrowsing/disable", d.handleSafeBrowsingDisable)
-	registerHTTP(http.MethodGet, "/control/safebrowsing/status", d.handleSafeBrowsingStatus)
-
-	registerHTTP(http.MethodPost, "/control/parental/enable", d.handleParentalEnable)
-	registerHTTP(http.MethodPost, "/control/parental/disable", d.handleParentalDisable)
-	registerHTTP(http.MethodGet, "/control/parental/status", d.handleParentalStatus)
-
-	registerHTTP(http.MethodPost, "/control/safesearch/enable", d.handleSafeSearchEnable)
-	registerHTTP(http.MethodPost, "/control/safesearch/disable", d.handleSafeSearchDisable)
-	registerHTTP(http.MethodGet, "/control/safesearch/status", d.handleSafeSearchStatus)
-
-	registerHTTP(http.MethodGet, "/control/rewrite/list", d.handleRewriteList)
-	registerHTTP(http.MethodPost, "/control/rewrite/add", d.handleRewriteAdd)
-	registerHTTP(http.MethodPost, "/control/rewrite/delete", d.handleRewriteDelete)
-
-	registerHTTP(http.MethodGet, "/control/blocked_services/services", d.handleBlockedServicesAvailableServices)
-	registerHTTP(http.MethodGet, "/control/blocked_services/list", d.handleBlockedServicesList)
-	registerHTTP(http.MethodPost, "/control/blocked_services/set", d.handleBlockedServicesSet)
-
-	registerHTTP(http.MethodGet, "/control/filtering/status", d.handleFilteringStatus)
-	registerHTTP(http.MethodPost, "/control/filtering/config", d.handleFilteringConfig)
-	registerHTTP(http.MethodPost, "/control/filtering/add_url", d.handleFilteringAddURL)
-	registerHTTP(http.MethodPost, "/control/filtering/remove_url", d.handleFilteringRemoveURL)
-	registerHTTP(http.MethodPost, "/control/filtering/set_url", d.handleFilteringSetURL)
-	registerHTTP(http.MethodPost, "/control/filtering/refresh", d.handleFilteringRefresh)
-	registerHTTP(http.MethodPost, "/control/filtering/set_rules", d.handleFilteringSetRules)
-	registerHTTP(http.MethodGet, "/control/filtering/check_host", d.handleCheckHost)
+func (f *Filtering) RegisterFilteringHandlers() {
+	httpRegister(http.MethodGet, "/control/filtering/status", f.handleFilteringStatus)
+	httpRegister(http.MethodPost, "/control/filtering/config", f.handleFilteringConfig)
+	httpRegister(http.MethodPost, "/control/filtering/add_url", f.handleFilteringAddURL)
+	httpRegister(http.MethodPost, "/control/filtering/remove_url", f.handleFilteringRemoveURL)
+	httpRegister(http.MethodPost, "/control/filtering/set_url", f.handleFilteringSetURL)
+	httpRegister(http.MethodPost, "/control/filtering/refresh", f.handleFilteringRefresh)
+	httpRegister(http.MethodPost, "/control/filtering/set_rules", f.handleFilteringSetRules)
+	httpRegister(http.MethodGet, "/control/filtering/check_host", f.handleCheckHost)
 }
 
-// ValidateUpdateIvl returns false if i is not a valid filters update interval.
-func ValidateUpdateIvl(i uint32) bool {
+func checkFiltersUpdateIntervalHours(i uint32) bool {
 	return i == 0 || i == 1 || i == 12 || i == 1*24 || i == 3*24 || i == 7*24
 }

internal/home/controlinstall.go

@@ -59,7 +59,19 @@ func (web *Web) handleInstallGetAddresses(w http.ResponseWriter, r *http.Request
 		data.Interfaces[iface.Name] = iface
 	}
 
-	_ = aghhttp.WriteJSONResponse(w, r, data)
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(data)
+	if err != nil {
+		aghhttp.Error(
+			r,
+			w,
+			http.StatusInternalServerError,
+			"Unable to marshal default addresses to json: %s",
+			err,
+		)
+
+		return
+	}
 }
 
 type checkConfReqEnt struct {
@@ -189,7 +201,13 @@ func (web *Web) handleInstallCheckConfig(w http.ResponseWriter, r *http.Request)
 		resp.StaticIP = handleStaticIP(req.DNS.IP, req.SetStaticIP)
 	}
 
-	_ = aghhttp.WriteJSONResponse(w, r, resp)
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(resp)
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusInternalServerError, "encoding the response: %s", err)
+
+		return
+	}
 }
 
 // handleStaticIP - handles static IP request
@@ -406,7 +424,7 @@ func (web *Web) handleInstallConfigure(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	u := &webUser{
+	u := &User{
 		Name: req.Username,
 	}
 	Context.auth.UserAdd(u, req.Password)
@@ -670,7 +688,19 @@ func (web *Web) handleInstallGetAddressesBeta(w http.ResponseWriter, r *http.Req
 
 	data.Interfaces = ifaces
 
-	_ = aghhttp.WriteJSONResponse(w, r, data)
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(data)
+	if err != nil {
+		aghhttp.Error(
+			r,
+			w,
+			http.StatusInternalServerError,
+			"Unable to marshal default addresses to json: %s",
+			err,
+		)
+
+		return
+	}
 }
 
 // registerBetaInstallHandlers registers the install handlers for new client

internal/home/controlupdate.go

@@ -28,6 +28,8 @@ type temporaryError interface {
 
 // Get the latest available version from the Internet
 func handleGetVersionJSON(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
 	resp := &versionResponse{}
 	if Context.disableUpdate {
 		resp.Disabled = true
@@ -69,7 +71,10 @@ func handleGetVersionJSON(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	_ = aghhttp.WriteJSONResponse(w, r, resp)
+	err = json.NewEncoder(w).Encode(resp)
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusInternalServerError, "writing body: %s", err)
+	}
 }
 
 // requestVersionInfo sets the VersionInfo field of resp if it can reach the

internal/home/dns.go

@@ -31,10 +31,7 @@ const (
 
 // Called by other modules when configuration is changed
 func onConfigModified() {
-	err := config.write()
-	if err != nil {
-		log.Error("writing config: %s", err)
-	}
+	_ = config.write()
 }
 
 // initDNSServer creates an instance of the dnsforward.Server
@@ -74,11 +71,11 @@ func initDNSServer() (err error) {
 	}
 	Context.queryLog = querylog.New(conf)
 
-	Context.filters, err = filtering.New(config.DNS.DnsfilterConf, nil)
-	if err != nil {
-		// Don't wrap the error, since it's informative enough as is.
-		return err
-	}
+	filterConf := config.DNS.DnsfilterConf
+	filterConf.EtcHosts = Context.etcHosts
+	filterConf.ConfigModified = onConfigModified
+	filterConf.HTTPRegister = httpRegister
+	Context.dnsFilter = filtering.New(&filterConf, nil)
 
 	var privateNets netutil.SubnetSet
 	switch len(config.DNS.PrivateNets) {
@@ -86,10 +83,13 @@ func initDNSServer() (err error) {
 		// Use an optimized locally-served matcher.
 		privateNets = netutil.SubnetSetFunc(netutil.IsLocallyServed)
 	case 1:
-		privateNets, err = netutil.ParseSubnet(config.DNS.PrivateNets[0])
+		var n *net.IPNet
+		n, err = netutil.ParseSubnet(config.DNS.PrivateNets[0])
 		if err != nil {
 			return fmt.Errorf("preparing the set of private subnets: %w", err)
 		}
+
+		privateNets = n
 	default:
 		var nets []*net.IPNet
 		nets, err = netutil.ParseSubnets(config.DNS.PrivateNets...)
@@ -101,13 +101,15 @@ func initDNSServer() (err error) {
 	}
 
 	p := dnsforward.DNSCreateParams{
-		DNSFilter:   Context.filters,
+		DNSFilter:   Context.dnsFilter,
 		Stats:       Context.stats,
 		QueryLog:    Context.queryLog,
 		PrivateNets: privateNets,
 		Anonymizer:  anonymizer,
 		LocalDomain: config.DHCP.LocalDomainName,
-		DHCPServer:  Context.dhcpServer,
+	}
+	if Context.dhcpServer != nil {
+		p.DHCPServer = Context.dhcpServer
 	}
 
 	Context.dnsServer, err = dnsforward.NewServer(p)
@@ -141,6 +143,7 @@ func initDNSServer() (err error) {
 		Context.whois = initWHOIS(&Context.clients)
 	}
 
+	Context.filters.Init()
 	return nil
 }
 
@@ -332,12 +335,9 @@ func getDNSEncryption() (de dnsEncryption) {
 // applyAdditionalFiltering adds additional client information and settings if
 // the client has them.
 func applyAdditionalFiltering(clientIP net.IP, clientID string, setts *filtering.Settings) {
-	// pref is a prefix for logging messages around the scope.
-	const pref = "applying filters"
+	Context.dnsFilter.ApplyBlockedServices(setts, nil, true)
 
-	Context.filters.ApplyBlockedServices(setts, nil)
-
-	log.Debug("%s: looking for client with ip %s and clientid %q", pref, clientIP, clientID)
+	log.Debug("looking up settings for client with ip %s and clientid %q", clientIP, clientID)
 
 	if clientIP == nil {
 		return
@@ -349,16 +349,16 @@ func applyAdditionalFiltering(clientIP net.IP, clientID string, setts *filtering
 	if !ok {
 		c, ok = Context.clients.Find(clientIP.String())
 		if !ok {
-			log.Debug("%s: no clients with ip %s and clientid %q", pref, clientIP, clientID)
+			log.Debug("client with ip %s and clientid %q not found", clientIP, clientID)
 
 			return
 		}
 	}
 
-	log.Debug("%s: using settings for client %q (%s; %q)", pref, c.Name, clientIP, clientID)
+	log.Debug("using settings for client %q with ip %s and clientid %q", c.Name, clientIP, clientID)
 
 	if c.UseOwnBlockedServices {
-		Context.filters.ApplyBlockedServices(setts, c.BlockedServices)
+		Context.dnsFilter.ApplyBlockedServices(setts, c.BlockedServices, false)
 	}
 
 	setts.ClientName = c.Name
@@ -381,7 +381,7 @@ func startDNSServer() error {
 		return fmt.Errorf("unable to start forwarding DNS server: Already running")
 	}
 
-	Context.filters.EnableFilters(false)
+	enableFiltersLocked(false)
 
 	Context.clients.Start()
 
@@ -390,6 +390,7 @@ func startDNSServer() error {
 		return fmt.Errorf("couldn't start forwarding DNS server: %w", err)
 	}
 
+	Context.dnsFilter.Start()
 	Context.filters.Start()
 	Context.stats.Start()
 	Context.queryLog.Start()
@@ -448,7 +449,10 @@ func closeDNSServer() {
 		Context.dnsServer = nil
 	}
 
-	Context.filters.Close()
+	if Context.dnsFilter != nil {
+		Context.dnsFilter.Close()
+		Context.dnsFilter = nil
+	}
 
 	if Context.stats != nil {
 		err := Context.stats.Close()
@@ -465,5 +469,7 @@ func closeDNSServer() {
 		Context.queryLog = nil
 	}
 
-	log.Debug("all dns modules are closed")
+	Context.filters.Close()
+
+	log.Debug("Closed all DNS modules")
 }

internal/home/filter.go

@@ -1,4 +1,4 @@
-package filtering
+package home
 
 import (
 	"bufio"
@@ -8,29 +8,63 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"time"
 
+	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/stringutil"
-	"golang.org/x/exp/slices"
 )
 
-// filterDir is the subdirectory of a data directory to store downloaded
-// filters.
-const filterDir = "filters"
+var nextFilterID = time.Now().Unix() // semi-stable way to generate an unique ID
 
-// nextFilterID is a way to seed a unique ID generation.
-//
-// TODO(e.burkov):  Use more deterministic approach.
-var nextFilterID = time.Now().Unix()
+// Filtering - module object
+type Filtering struct {
+	// conf FilteringConf
+	refreshStatus     uint32 // 0:none; 1:in progress
+	refreshLock       sync.Mutex
+	filterTitleRegexp *regexp.Regexp
+}
 
-// FilterYAML respresents a filter list in the configuration file.
-//
-// TODO(e.burkov):  Investigate if the field oredering is important.
-type FilterYAML struct {
+// Init - initialize the module
+func (f *Filtering) Init() {
+	f.filterTitleRegexp = regexp.MustCompile(`^! Title: +(.*)$`)
+	_ = os.MkdirAll(filepath.Join(Context.getDataDir(), filterDir), 0o755)
+	f.loadFilters(config.Filters)
+	f.loadFilters(config.WhitelistFilters)
+	deduplicateFilters()
+	updateUniqueFilterID(config.Filters)
+	updateUniqueFilterID(config.WhitelistFilters)
+}
+
+// Start - start the module
+func (f *Filtering) Start() {
+	f.RegisterFilteringHandlers()
+
+	// Here we should start updating filters,
+	//  but currently we can't wake up the periodic task to do so.
+	// So for now we just start this periodic task from here.
+	go f.periodicallyRefreshFilters()
+}
+
+// Close - close the module
+func (f *Filtering) Close() {
+}
+
+func defaultFilters() []filter {
+	return []filter{
+		{Filter: filtering.Filter{ID: 1}, Enabled: true, URL: "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt", Name: "AdGuard DNS filter"},
+		{Filter: filtering.Filter{ID: 2}, Enabled: false, URL: "https://adaway.org/hosts.txt", Name: "AdAway Default Blocklist"},
+	}
+}
+
+// field ordering is important -- yaml fields will mirror ordering from here
+type filter struct {
 	Enabled     bool
 	URL         string    // URL or a file path
 	Name        string    `yaml:"name"`
@@ -39,108 +73,91 @@ type FilterYAML struct {
 	checksum    uint32    // checksum of the file data
 	white       bool
 
-	Filter `yaml:",inline"`
-}
-
-// Clear filter rules
-func (filter *FilterYAML) unload() {
-	filter.RulesCount = 0
-	filter.checksum = 0
-}
-
-// Path to the filter contents
-func (filter *FilterYAML) Path(dataDir string) string {
-	return filepath.Join(dataDir, filterDir, strconv.FormatInt(filter.ID, 10)+".txt")
+	filtering.Filter `yaml:",inline"`
 }
 
 const (
-	statusFound = 1 << iota
-	statusEnabledChanged
-	statusURLChanged
-	statusURLExists
-	statusUpdateRequired
+	statusFound          = 1
+	statusEnabledChanged = 2
+	statusURLChanged     = 4
+	statusURLExists      = 8
+	statusUpdateRequired = 0x10
 )
 
 // Update properties for a filter specified by its URL
 // Return status* flags.
-func (d *DNSFilter) filterSetProperties(url string, newf FilterYAML, whitelist bool) int {
+func (f *Filtering) filterSetProperties(url string, newf filter, whitelist bool) int {
 	r := 0
-	d.filtersMu.Lock()
-	defer d.filtersMu.Unlock()
+	config.Lock()
+	defer config.Unlock()
 
-	filters := d.Filters
+	filters := &config.Filters
 	if whitelist {
-		filters = d.WhitelistFilters
+		filters = &config.WhitelistFilters
 	}
 
-	i := slices.IndexFunc(filters, func(filt FilterYAML) bool {
-		return filt.URL == url
-	})
-	if i == -1 {
-		return 0
-	}
-
-	filt := &filters[i]
-
-	log.Debug("filter: set properties: %s: {%s %s %v}", filt.URL, newf.Name, newf.URL, newf.Enabled)
-	filt.Name = newf.Name
-
-	if filt.URL != newf.URL {
-		r |= statusURLChanged | statusUpdateRequired
-		if d.filterExistsNoLock(newf.URL) {
-			return statusURLExists
+	for i := range *filters {
+		filt := &(*filters)[i]
+		if filt.URL != url {
+			continue
 		}
 
-		filt.URL = newf.URL
-		filt.unload()
-		filt.LastUpdated = time.Time{}
-		filt.checksum = 0
-		filt.RulesCount = 0
-	}
+		log.Debug("filter: set properties: %s: {%s %s %v}",
+			filt.URL, newf.Name, newf.URL, newf.Enabled)
+		filt.Name = newf.Name
 
-	if filt.Enabled != newf.Enabled {
-		r |= statusEnabledChanged
-		filt.Enabled = newf.Enabled
-		if filt.Enabled {
-			if (r & statusURLChanged) == 0 {
-				err := d.load(filt)
-				if err != nil {
-					// TODO(e.burkov):  It seems the error is only returned when
-					// the file exists and couldn't be open.  Investigate and
-					// improve.
-					log.Error("loading filter %d: %s", filt.ID, err)
-
-					filt.LastUpdated = time.Time{}
-					filt.checksum = 0
-					filt.RulesCount = 0
-					r |= statusUpdateRequired
-				}
+		if filt.URL != newf.URL {
+			r |= statusURLChanged | statusUpdateRequired
+			if filterExistsNoLock(newf.URL) {
+				return statusURLExists
 			}
-		} else {
+			filt.URL = newf.URL
 			filt.unload()
+			filt.LastUpdated = time.Time{}
+			filt.checksum = 0
+			filt.RulesCount = 0
 		}
-	}
 
-	return r | statusFound
+		if filt.Enabled != newf.Enabled {
+			r |= statusEnabledChanged
+			filt.Enabled = newf.Enabled
+			if filt.Enabled {
+				if (r & statusURLChanged) == 0 {
+					e := f.load(filt)
+					if e != nil {
+						// This isn't a fatal error,
+						//  because it may occur when someone removes the file from disk.
+						filt.LastUpdated = time.Time{}
+						filt.checksum = 0
+						filt.RulesCount = 0
+						r |= statusUpdateRequired
+					}
+				}
+			} else {
+				filt.unload()
+			}
+		}
+
+		return r | statusFound
+	}
+	return 0
 }
 
 // Return TRUE if a filter with this URL exists
-func (d *DNSFilter) filterExists(url string) bool {
-	d.filtersMu.RLock()
-	defer d.filtersMu.RUnlock()
-
-	r := d.filterExistsNoLock(url)
-
+func filterExists(url string) bool {
+	config.RLock()
+	r := filterExistsNoLock(url)
+	config.RUnlock()
 	return r
 }
 
-func (d *DNSFilter) filterExistsNoLock(url string) bool {
-	for _, f := range d.Filters {
+func filterExistsNoLock(url string) bool {
+	for _, f := range config.Filters {
 		if f.URL == url {
 			return true
 		}
 	}
-	for _, f := range d.WhitelistFilters {
+	for _, f := range config.WhitelistFilters {
 		if f.URL == url {
 			return true
 		}
@@ -150,26 +167,26 @@ func (d *DNSFilter) filterExistsNoLock(url string) bool {
 
 // Add a filter
 // Return FALSE if a filter with this URL exists
-func (d *DNSFilter) filterAdd(flt FilterYAML) bool {
-	d.filtersMu.Lock()
-	defer d.filtersMu.Unlock()
+func filterAdd(f filter) bool {
+	config.Lock()
+	defer config.Unlock()
 
 	// Check for duplicates
-	if d.filterExistsNoLock(flt.URL) {
+	if filterExistsNoLock(f.URL) {
 		return false
 	}
 
-	if flt.white {
-		d.WhitelistFilters = append(d.WhitelistFilters, flt)
+	if f.white {
+		config.WhitelistFilters = append(config.WhitelistFilters, f)
 	} else {
-		d.Filters = append(d.Filters, flt)
+		config.Filters = append(config.Filters, f)
 	}
 	return true
 }
 
 // Load filters from the disk
 // And if any filter has zero ID, assign a new one
-func (d *DNSFilter) loadFilters(array []FilterYAML) {
+func (f *Filtering) loadFilters(array []filter) {
 	for i := range array {
 		filter := &array[i] // otherwise we're operating on a copy
 		if filter.ID == 0 {
@@ -181,30 +198,32 @@ func (d *DNSFilter) loadFilters(array []FilterYAML) {
 			continue
 		}
 
-		err := d.load(filter)
+		err := f.load(filter)
 		if err != nil {
 			log.Error("Couldn't load filter %d contents due to %s", filter.ID, err)
 		}
 	}
 }
 
-func deduplicateFilters(filters []FilterYAML) (deduplicated []FilterYAML) {
-	urls := stringutil.NewSet()
-	lastIdx := 0
-
-	for _, filter := range filters {
-		if !urls.Has(filter.URL) {
-			urls.Add(filter.URL)
-			filters[lastIdx] = filter
-			lastIdx++
+func deduplicateFilters() {
+	// Deduplicate filters
+	i := 0 // output index, used for deletion later
+	urls := map[string]bool{}
+	for _, filter := range config.Filters {
+		if _, ok := urls[filter.URL]; !ok {
+			// we didn't see it before, keep it
+			urls[filter.URL] = true // remember the URL
+			config.Filters[i] = filter
+			i++
 		}
 	}
 
-	return filters[:lastIdx]
+	// all entries we want to keep are at front, delete the rest
+	config.Filters = config.Filters[:i]
 }
 
 // Set the next filter ID to max(filter.ID) + 1
-func updateUniqueFilterID(filters []FilterYAML) {
+func updateUniqueFilterID(filters []filter) {
 	for _, filter := range filters {
 		if nextFilterID < filter.ID {
 			nextFilterID = filter.ID + 1
@@ -219,19 +238,22 @@ func assignUniqueFilterID() int64 {
 }
 
 // Sets up a timer that will be checking for filters updates periodically
-func (d *DNSFilter) periodicallyRefreshFilters() {
+func (f *Filtering) periodicallyRefreshFilters() {
 	const maxInterval = 1 * 60 * 60
 	intval := 5 // use a dynamically increasing time interval
 	for {
-		isNetErr, ok := false, false
-		if d.FiltersUpdateIntervalHours != 0 {
-			_, isNetErr, ok = d.tryRefreshFilters(true, true, false)
-			if ok && !isNetErr {
+		isNetworkErr := false
+		if config.DNS.FiltersUpdateIntervalHours != 0 && atomic.CompareAndSwapUint32(&f.refreshStatus, 0, 1) {
+			f.refreshLock.Lock()
+			_, isNetworkErr = f.refreshFiltersIfNecessary(filterRefreshBlocklists | filterRefreshAllowlists)
+			f.refreshLock.Unlock()
+			f.refreshStatus = 0
+			if !isNetworkErr {
 				intval = maxInterval
 			}
 		}
 
-		if isNetErr {
+		if isNetworkErr {
 			intval *= 2
 			if intval > maxInterval {
 				intval = maxInterval
@@ -242,73 +264,51 @@ func (d *DNSFilter) periodicallyRefreshFilters() {
 	}
 }
 
-// tryRefreshFilters is like [refreshFilters], but backs down if the update is
-// already going on.
+// Refresh filters
+// flags: filterRefresh*
+// important:
 //
-// TODO(e.burkov):  Get rid of the concurrency pattern which requires the
-// sync.Mutex.TryLock.
-func (d *DNSFilter) tryRefreshFilters(block, allow, force bool) (updated int, isNetworkErr, ok bool) {
-	if ok = d.refreshLock.TryLock(); !ok {
-		return 0, false, ok
+// TRUE: ignore the fact that we're currently updating the filters
+func (f *Filtering) refreshFilters(flags int, important bool) (int, error) {
+	set := atomic.CompareAndSwapUint32(&f.refreshStatus, 0, 1)
+	if !important && !set {
+		return 0, fmt.Errorf("filters update procedure is already running")
 	}
-	defer d.refreshLock.Unlock()
 
-	updated, isNetworkErr = d.refreshFiltersIntl(block, allow, force)
-
-	return updated, isNetworkErr, ok
+	f.refreshLock.Lock()
+	nUpdated, _ := f.refreshFiltersIfNecessary(flags)
+	f.refreshLock.Unlock()
+	f.refreshStatus = 0
+	return nUpdated, nil
 }
 
-// refreshFilters updates the lists and returns the number of updated ones.
-// It's safe for concurrent use, but blocks at least until the previous
-// refreshing is finished.
-func (d *DNSFilter) refreshFilters(block, allow, force bool) (updated int) {
-	d.refreshLock.Lock()
-	defer d.refreshLock.Unlock()
+func (f *Filtering) refreshFiltersArray(filters *[]filter, force bool) (int, []filter, []bool, bool) {
+	var updateFilters []filter
+	var updateFlags []bool // 'true' if filter data has changed
 
-	updated, _ = d.refreshFiltersIntl(block, allow, force)
-
-	return updated
-}
-
-// listsToUpdate returns the slice of filter lists that could be updated.
-func (d *DNSFilter) listsToUpdate(filters *[]FilterYAML, force bool) (toUpd []FilterYAML) {
 	now := time.Now()
-
-	d.filtersMu.RLock()
-	defer d.filtersMu.RUnlock()
-
+	config.RLock()
 	for i := range *filters {
-		flt := &(*filters)[i] // otherwise we will be operating on a copy
-		log.Debug("checking list at index %d: %v", i, flt)
+		f := &(*filters)[i] // otherwise we will be operating on a copy
 
-		if !flt.Enabled {
+		if !f.Enabled {
 			continue
 		}
 
-		if !force {
-			exp := flt.LastUpdated.Add(time.Duration(d.FiltersUpdateIntervalHours) * time.Hour)
-			if now.Before(exp) {
-				continue
-			}
+		expireTime := f.LastUpdated.Unix() + int64(config.DNS.FiltersUpdateIntervalHours)*60*60
+		if !force && expireTime > now.Unix() {
+			continue
 		}
 
-		toUpd = append(toUpd, FilterYAML{
-			Filter: Filter{
-				ID: flt.ID,
-			},
-			URL:      flt.URL,
-			Name:     flt.Name,
-			checksum: flt.checksum,
-		})
+		var uf filter
+		uf.ID = f.ID
+		uf.URL = f.URL
+		uf.Name = f.Name
+		uf.checksum = f.checksum
+		updateFilters = append(updateFilters, uf)
 	}
+	config.RUnlock()
 
-	return toUpd
-}
-
-func (d *DNSFilter) refreshFiltersArray(filters *[]FilterYAML, force bool) (int, []FilterYAML, []bool, bool) {
-	var updateFlags []bool // 'true' if filter data has changed
-
-	updateFilters := d.listsToUpdate(filters, force)
 	if len(updateFilters) == 0 {
 		return 0, nil, nil, false
 	}
@@ -316,7 +316,7 @@ func (d *DNSFilter) refreshFiltersArray(filters *[]FilterYAML, force bool) (int,
 	nfail := 0
 	for i := range updateFilters {
 		uf := &updateFilters[i]
-		updated, err := d.update(uf)
+		updated, err := f.update(uf)
 		updateFlags = append(updateFlags, updated)
 		if err != nil {
 			nfail++
@@ -334,7 +334,7 @@ func (d *DNSFilter) refreshFiltersArray(filters *[]FilterYAML, force bool) (int,
 		uf := &updateFilters[i]
 		updated := updateFlags[i]
 
-		d.filtersMu.Lock()
+		config.Lock()
 		for k := range *filters {
 			f := &(*filters)[k]
 			if f.ID != uf.ID || f.URL != uf.URL {
@@ -352,14 +352,20 @@ func (d *DNSFilter) refreshFiltersArray(filters *[]FilterYAML, force bool) (int,
 			f.checksum = uf.checksum
 			updateCount++
 		}
-		d.filtersMu.Unlock()
+		config.Unlock()
 	}
 
 	return updateCount, updateFilters, updateFlags, false
 }
 
-// refreshFiltersIntl checks filters and updates them if necessary.  If force is
-// true, it ignores the filter.LastUpdated field value.
+const (
+	filterRefreshForce      = 1 // ignore last file modification date
+	filterRefreshAllowlists = 2 // update allow-lists
+	filterRefreshBlocklists = 4 // update block-lists
+)
+
+// refreshFiltersIfNecessary checks filters and updates them if necessary.  If
+// force is true, it ignores the filter.LastUpdated field value.
 //
 // Algorithm:
 //
@@ -372,49 +378,53 @@ func (d *DNSFilter) refreshFiltersArray(filters *[]FilterYAML, force bool) (int,
 //     that this method works only on Unix systems.  On Windows, don't pass
 //     files to filtering, pass the whole data.
 //
-// refreshFiltersIntl returns the number of updated filters.  It also returns
-// true if there was a network error and nothing could be updated.
+// refreshFiltersIfNecessary returns the number of updated filters.  It also
+// returns true if there was a network error and nothing could be updated.
 //
 // TODO(a.garipov, e.burkov): What the hell?
-func (d *DNSFilter) refreshFiltersIntl(block, allow, force bool) (int, bool) {
-	log.Debug("filtering: updating...")
+func (f *Filtering) refreshFiltersIfNecessary(flags int) (int, bool) {
+	log.Debug("Filters: updating...")
 
-	updNum := 0
-	var lists []FilterYAML
-	var toUpd []bool
-	isNetErr := false
-
-	if block {
-		updNum, lists, toUpd, isNetErr = d.refreshFiltersArray(&d.Filters, force)
+	updateCount := 0
+	var updateFilters []filter
+	var updateFlags []bool
+	netError := false
+	netErrorW := false
+	force := false
+	if (flags & filterRefreshForce) != 0 {
+		force = true
 	}
-	if allow {
-		updNumAl, listsAl, toUpdAl, isNetErrAl := d.refreshFiltersArray(&d.WhitelistFilters, force)
-
-		updNum += updNumAl
-		lists = append(lists, listsAl...)
-		toUpd = append(toUpd, toUpdAl...)
-		isNetErr = isNetErr || isNetErrAl
+	if (flags & filterRefreshBlocklists) != 0 {
+		updateCount, updateFilters, updateFlags, netError = f.refreshFiltersArray(&config.Filters, force)
 	}
-	if isNetErr {
+	if (flags & filterRefreshAllowlists) != 0 {
+		updateCountW := 0
+		var updateFiltersW []filter
+		var updateFlagsW []bool
+		updateCountW, updateFiltersW, updateFlagsW, netErrorW = f.refreshFiltersArray(&config.WhitelistFilters, force)
+		updateCount += updateCountW
+		updateFilters = append(updateFilters, updateFiltersW...)
+		updateFlags = append(updateFlags, updateFlagsW...)
+	}
+	if netError && netErrorW {
 		return 0, true
 	}
 
-	if updNum != 0 {
-		d.EnableFilters(false)
+	if updateCount != 0 {
+		enableFilters(false)
 
-		for i := range lists {
-			uf := &lists[i]
-			updated := toUpd[i]
+		for i := range updateFilters {
+			uf := &updateFilters[i]
+			updated := updateFlags[i]
 			if !updated {
 				continue
 			}
-			_ = os.Remove(uf.Path(d.DataDir) + ".old")
+			_ = os.Remove(uf.Path() + ".old")
 		}
 	}
 
-	log.Debug("filtering: update finished")
-
-	return updNum, false
+	log.Debug("Filters: update finished")
+	return updateCount, false
 }
 
 // Allows printable UTF-8 text with CR, LF, TAB characters
@@ -430,7 +440,7 @@ func isPrintableText(data []byte, len int) bool {
 }
 
 // A helper function that parses filter contents and returns a number of rules and a filter name (if there's any)
-func (d *DNSFilter) parseFilterContents(file io.Reader) (int, uint32, string) {
+func (f *Filtering) parseFilterContents(file io.Reader) (int, uint32, string) {
 	rulesCount := 0
 	name := ""
 	seenTitle := false
@@ -445,7 +455,7 @@ func (d *DNSFilter) parseFilterContents(file io.Reader) (int, uint32, string) {
 		if len(line) == 0 {
 			//
 		} else if line[0] == '!' {
-			m := d.filterTitleRegexp.FindAllStringSubmatch(line, -1)
+			m := f.filterTitleRegexp.FindAllStringSubmatch(line, -1)
 			if len(m) > 0 && len(m[0]) >= 2 && !seenTitle {
 				name = m[0][1]
 				seenTitle = true
@@ -466,11 +476,11 @@ func (d *DNSFilter) parseFilterContents(file io.Reader) (int, uint32, string) {
 }
 
 // Perform upgrade on a filter and update LastUpdated value
-func (d *DNSFilter) update(filter *FilterYAML) (bool, error) {
-	b, err := d.updateIntl(filter)
+func (f *Filtering) update(filter *filter) (bool, error) {
+	b, err := f.updateIntl(filter)
 	filter.LastUpdated = time.Now()
 	if !b {
-		e := os.Chtimes(filter.Path(d.DataDir), filter.LastUpdated, filter.LastUpdated)
+		e := os.Chtimes(filter.Path(), filter.LastUpdated, filter.LastUpdated)
 		if e != nil {
 			log.Error("os.Chtimes(): %v", e)
 		}
@@ -478,7 +488,7 @@ func (d *DNSFilter) update(filter *FilterYAML) (bool, error) {
 	return b, err
 }
 
-func (d *DNSFilter) read(reader io.Reader, tmpFile *os.File, filter *FilterYAML) (int, error) {
+func (f *Filtering) read(reader io.Reader, tmpFile *os.File, filter *filter) (int, error) {
 	htmlTest := true
 	firstChunk := make([]byte, 4*1024)
 	firstChunkLen := 0
@@ -529,20 +539,20 @@ func (d *DNSFilter) read(reader io.Reader, tmpFile *os.File, filter *FilterYAML)
 // finalizeUpdate closes and gets rid of temporary file f with filter's content
 // according to updated.  It also saves new values of flt's name, rules number
 // and checksum if sucсeeded.
-func (d *DNSFilter) finalizeUpdate(
-	file *os.File,
-	flt *FilterYAML,
+func finalizeUpdate(
+	f *os.File,
+	flt *filter,
 	updated bool,
 	name string,
 	rnum int,
 	cs uint32,
 ) (err error) {
-	tmpFileName := file.Name()
+	tmpFileName := f.Name()
 
 	// Close the file before renaming it because it's required on Windows.
 	//
 	// See https://github.com/adguardTeam/adGuardHome/issues/1553.
-	if err = file.Close(); err != nil {
+	if err = f.Close(); err != nil {
 		return fmt.Errorf("closing temporary file: %w", err)
 	}
 
@@ -552,9 +562,9 @@ func (d *DNSFilter) finalizeUpdate(
 		return os.Remove(tmpFileName)
 	}
 
-	log.Printf("saving filter %d contents to: %s", flt.ID, flt.Path(d.DataDir))
+	log.Printf("saving filter %d contents to: %s", flt.ID, flt.Path())
 
-	if err = os.Rename(tmpFileName, flt.Path(d.DataDir)); err != nil {
+	if err = os.Rename(tmpFileName, flt.Path()); err != nil {
 		return errors.WithDeferred(err, os.Remove(tmpFileName))
 	}
 
@@ -568,12 +578,12 @@ func (d *DNSFilter) finalizeUpdate(
 // processUpdate copies filter's content from src to dst and returns the name,
 // rules number, and checksum for it.  It also returns the number of bytes read
 // from src.
-func (d *DNSFilter) processUpdate(
+func (f *Filtering) processUpdate(
 	src io.Reader,
 	dst *os.File,
-	flt *FilterYAML,
+	flt *filter,
 ) (name string, rnum int, cs uint32, n int, err error) {
-	if n, err = d.read(src, dst, flt); err != nil {
+	if n, err = f.read(src, dst, flt); err != nil {
 		return "", 0, 0, 0, err
 	}
 
@@ -581,14 +591,14 @@ func (d *DNSFilter) processUpdate(
 		return "", 0, 0, 0, err
 	}
 
-	rnum, cs, name = d.parseFilterContents(dst)
+	rnum, cs, name = f.parseFilterContents(dst)
 
 	return name, rnum, cs, n, nil
 }
 
 // updateIntl updates the flt rewriting it's actual file.  It returns true if
 // the actual update has been performed.
-func (d *DNSFilter) updateIntl(flt *FilterYAML) (ok bool, err error) {
+func (f *Filtering) updateIntl(flt *filter) (ok bool, err error) {
 	log.Tracef("downloading update for filter %d from %s", flt.ID, flt.URL)
 
 	var name string
@@ -596,12 +606,12 @@ func (d *DNSFilter) updateIntl(flt *FilterYAML) (ok bool, err error) {
 	var cs uint32
 
 	var tmpFile *os.File
-	tmpFile, err = os.CreateTemp(filepath.Join(d.DataDir, filterDir), "")
+	tmpFile, err = os.CreateTemp(filepath.Join(Context.getDataDir(), filterDir), "")
 	if err != nil {
 		return false, err
 	}
 	defer func() {
-		err = errors.WithDeferred(err, d.finalizeUpdate(tmpFile, flt, ok, name, rnum, cs))
+		err = errors.WithDeferred(err, finalizeUpdate(tmpFile, flt, ok, name, rnum, cs))
 		ok = ok && err == nil
 		if ok {
 			log.Printf("updated filter %d: %d bytes, %d rules", flt.ID, n, rnum)
@@ -628,7 +638,7 @@ func (d *DNSFilter) updateIntl(flt *FilterYAML) (ok bool, err error) {
 		r = file
 	} else {
 		var resp *http.Response
-		resp, err = d.HTTPClient.Get(flt.URL)
+		resp, err = Context.client.Get(flt.URL)
 		if err != nil {
 			log.Printf("requesting filter from %s, skip: %s", flt.URL, err)
 
@@ -645,16 +655,16 @@ func (d *DNSFilter) updateIntl(flt *FilterYAML) (ok bool, err error) {
 		r = resp.Body
 	}
 
-	name, rnum, cs, n, err = d.processUpdate(r, tmpFile, flt)
+	name, rnum, cs, n, err = f.processUpdate(r, tmpFile, flt)
 
 	return cs != flt.checksum, err
 }
 
 // loads filter contents from the file in dataDir
-func (d *DNSFilter) load(filter *FilterYAML) (err error) {
-	filterFilePath := filter.Path(d.DataDir)
+func (f *Filtering) load(filter *filter) (err error) {
+	filterFilePath := filter.Path()
 
-	log.Tracef("filtering: loading filter %d from %s", filter.ID, filterFilePath)
+	log.Tracef("filtering: loading filter %d contents to: %s", filter.ID, filterFilePath)
 
 	file, err := os.Open(filterFilePath)
 	if errors.Is(err, os.ErrNotExist) {
@@ -672,7 +682,7 @@ func (d *DNSFilter) load(filter *FilterYAML) (err error) {
 
 	log.Tracef("filtering: File %s, id %d, length %d", filterFilePath, filter.ID, st.Size())
 
-	rulesCount, checksum, _ := d.parseFilterContents(file)
+	rulesCount, checksum, _ := f.parseFilterContents(file)
 
 	filter.RulesCount = rulesCount
 	filter.checksum = checksum
@@ -681,45 +691,56 @@ func (d *DNSFilter) load(filter *FilterYAML) (err error) {
 	return nil
 }
 
-func (d *DNSFilter) EnableFilters(async bool) {
-	d.filtersMu.RLock()
-	defer d.filtersMu.RUnlock()
-
-	d.enableFiltersLocked(async)
+// Clear filter rules
+func (filter *filter) unload() {
+	filter.RulesCount = 0
+	filter.checksum = 0
 }
 
-func (d *DNSFilter) enableFiltersLocked(async bool) {
-	filters := []Filter{{
-		ID:   CustomListID,
-		Data: []byte(strings.Join(d.UserRules, "\n")),
+// Path to the filter contents
+func (filter *filter) Path() string {
+	return filepath.Join(Context.getDataDir(), filterDir, strconv.FormatInt(filter.ID, 10)+".txt")
+}
+
+func enableFilters(async bool) {
+	config.RLock()
+	defer config.RUnlock()
+
+	enableFiltersLocked(async)
+}
+
+func enableFiltersLocked(async bool) {
+	filters := []filtering.Filter{{
+		ID:   filtering.CustomListID,
+		Data: []byte(strings.Join(config.UserRules, "\n")),
 	}}
 
-	for _, filter := range d.Filters {
+	for _, filter := range config.Filters {
 		if !filter.Enabled {
 			continue
 		}
 
-		filters = append(filters, Filter{
+		filters = append(filters, filtering.Filter{
 			ID:       filter.ID,
-			FilePath: filter.Path(d.DataDir),
+			FilePath: filter.Path(),
 		})
 	}
 
-	var allowFilters []Filter
-	for _, filter := range d.WhitelistFilters {
+	var allowFilters []filtering.Filter
+	for _, filter := range config.WhitelistFilters {
 		if !filter.Enabled {
 			continue
 		}
 
-		allowFilters = append(allowFilters, Filter{
+		allowFilters = append(allowFilters, filtering.Filter{
 			ID:       filter.ID,
-			FilePath: filter.Path(d.DataDir),
+			FilePath: filter.Path(),
 		})
 	}
 
-	if err := d.SetFilters(filters, allowFilters, async); err != nil {
+	if err := Context.dnsFilter.SetFilters(filters, allowFilters, async); err != nil {
 		log.Debug("enabling filters: %s", err)
 	}
 
-	d.SetEnabled(d.FilteringEnabled)
+	Context.dnsFilter.SetEnabled(config.DNS.FilteringEnabled)
 }

internal/home/filter_test.go

@@ -1,4 +1,4 @@
-package filtering
+package home
 
 import (
 	"io/fs"
@@ -51,17 +51,15 @@ func TestFilters(t *testing.T) {
 
 	l := testStartFilterListener(t, &fltContent)
 
-	tempDir := t.TempDir()
-
-	filters, err := New(&Config{
-		DataDir: tempDir,
-		HTTPClient: &http.Client{
+	Context = homeContext{
+		workDir: t.TempDir(),
+		client: &http.Client{
 			Timeout: 5 * time.Second,
 		},
-	}, nil)
-	require.NoError(t, err)
+	}
+	Context.filters.Init()
 
-	f := &FilterYAML{
+	f := &filter{
 		URL: (&url.URL{
 			Scheme: "http",
 			Host: (&netutil.IPPort{
@@ -73,22 +71,21 @@ func TestFilters(t *testing.T) {
 	}
 
 	updateAndAssert := func(t *testing.T, want require.BoolAssertionFunc, wantRulesCount int) {
-		var ok bool
-		ok, err = filters.update(f)
+		ok, err := Context.filters.update(f)
 		require.NoError(t, err)
 		want(t, ok)
 
 		assert.Equal(t, wantRulesCount, f.RulesCount)
 
 		var dir []fs.DirEntry
-		dir, err = os.ReadDir(filepath.Join(tempDir, filterDir))
+		dir, err = os.ReadDir(filepath.Join(Context.getDataDir(), filterDir))
 		require.NoError(t, err)
 
 		assert.Len(t, dir, 1)
 
-		require.FileExists(t, f.Path(tempDir))
+		require.FileExists(t, f.Path())
 
-		err = filters.load(f)
+		err = Context.filters.load(f)
 		require.NoError(t, err)
 	}
 
@@ -108,9 +105,11 @@ func TestFilters(t *testing.T) {
 	})
 
 	t.Run("load_unload", func(t *testing.T) {
-		err = filters.load(f)
+		err := Context.filters.load(f)
 		require.NoError(t, err)
 
 		f.unload()
 	})
+
+	require.NoError(t, os.Remove(f.Path()))
 }

internal/home/home.go

@@ -20,7 +20,6 @@ import (
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
@@ -34,7 +33,6 @@ import (
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
-	"golang.org/x/exp/slices"
 	"gopkg.in/natefinch/lumberjack.v2"
 )
 
@@ -54,9 +52,10 @@ type homeContext struct {
 	dnsServer  *dnsforward.Server   // DNS module
 	rdns       *RDNS                // rDNS module
 	whois      *WHOIS               // WHOIS module
+	dnsFilter  *filtering.DNSFilter // DNS filtering module
 	dhcpServer dhcpd.Interface      // DHCP module
 	auth       *Auth                // HTTP authentication module
-	filters    *filtering.DNSFilter // DNS filtering module
+	filters    Filtering            // DNS filtering module
 	web        *Web                 // Web (HTTP, HTTPS) module
 	tls        *TLSMod              // TLS module
 	// etcHosts is an IP-hostname pairs set taken from system configuration
@@ -141,12 +140,7 @@ func setupContext(args options) {
 		checkPermissions()
 	}
 
-	switch version.Channel() {
-	case version.ChannelEdge, version.ChannelDevelopment:
-		config.BetaBindPort = 3001
-	default:
-		// Go on.
-	}
+	initConfig()
 
 	Context.tlsRoots = LoadSystemRootCAs()
 	Context.transport = &http.Transport{
@@ -271,15 +265,6 @@ func setupHostsContainer() (err error) {
 }
 
 func setupConfig(args options) (err error) {
-	config.DNS.DnsfilterConf.EtcHosts = Context.etcHosts
-	config.DNS.DnsfilterConf.ConfigModified = onConfigModified
-	config.DNS.DnsfilterConf.HTTPRegister = httpRegister
-	config.DNS.DnsfilterConf.DataDir = Context.getDataDir()
-	config.DNS.DnsfilterConf.Filters = slices.Clone(config.Filters)
-	config.DNS.DnsfilterConf.WhitelistFilters = slices.Clone(config.WhitelistFilters)
-	config.DNS.DnsfilterConf.UserRules = slices.Clone(config.UserRules)
-	config.DNS.DnsfilterConf.HTTPClient = Context.client
-
 	config.DHCP.WorkDir = Context.workDir
 	config.DHCP.HTTPRegister = httpRegister
 	config.DHCP.ConfigModified = onConfigModified
@@ -399,6 +384,8 @@ func fatalOnError(err error) {
 
 // run configures and starts AdGuard Home.
 func run(args options, clientBuildFS fs.FS) {
+	var err error
+
 	// configure config filename
 	initConfigFilename(args)
 
@@ -409,7 +396,7 @@ func run(args options, clientBuildFS fs.FS) {
 	configureLogger(args)
 
 	// Print the first message after logger is configured.
-	log.Info(version.Full())
+	log.Println(version.Full())
 	log.Debug("current working directory is %s", Context.workDir)
 	if args.runningAsService {
 		log.Info("AdGuard Home is running as a service")
@@ -417,7 +404,7 @@ func run(args options, clientBuildFS fs.FS) {
 
 	setupContext(args)
 
-	err := configureOS(config)
+	err = configureOS(config)
 	fatalOnError(err)
 
 	// clients package uses filtering package's static data (filtering.BlockedSvcKnown()),
@@ -455,9 +442,9 @@ func run(args options, clientBuildFS fs.FS) {
 
 	sessFilename := filepath.Join(Context.getDataDir(), "sessions.db")
 	GLMode = args.glinetMode
-	var rateLimiter *authRateLimiter
+	var arl *authRateLimiter
 	if config.AuthAttempts > 0 && config.AuthBlockMin > 0 {
-		rateLimiter = newAuthRateLimiter(
+		arl = newAuthRateLimiter(
 			time.Duration(config.AuthBlockMin)*time.Minute,
 			config.AuthAttempts,
 		)
@@ -469,7 +456,7 @@ func run(args options, clientBuildFS fs.FS) {
 		sessFilename,
 		config.Users,
 		config.WebSessionTTLHours*60*60,
-		rateLimiter,
+		arl,
 	)
 	if Context.auth == nil {
 		log.Fatalf("Couldn't initialize Auth module")
@@ -776,12 +763,12 @@ func printHTTPAddresses(proto string) {
 	}
 
 	port := config.BindPort
-	if proto == aghhttp.SchemeHTTPS {
+	if proto == schemeHTTPS {
 		port = tlsConf.PortHTTPS
 	}
 
 	// TODO(e.burkov): Inspect and perhaps merge with the previous condition.
-	if proto == aghhttp.SchemeHTTPS && tlsConf.ServerName != "" {
+	if proto == schemeHTTPS && tlsConf.ServerName != "" {
 		printWebAddrs(proto, tlsConf.ServerName, tlsConf.PortHTTPS, 0)
 
 		return

internal/home/i18n.go

@@ -1,8 +1,10 @@
 package home
 
 import (
-	"encoding/json"
+	"fmt"
+	"io"
 	"net/http"
+	"strings"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/golibs/log"
@@ -49,35 +51,43 @@ var allowedLanguages = stringutil.NewSet(
 	"zh-tw",
 )
 
-// languageJSON is the JSON structure for language requests and responses.
-type languageJSON struct {
-	Language string `json:"language"`
-}
+func handleI18nCurrentLanguage(w http.ResponseWriter, _ *http.Request) {
+	w.Header().Set("Content-Type", "text/plain")
+	log.Printf("config.Language is %s", config.Language)
+	_, err := fmt.Fprintf(w, "%s\n", config.Language)
+	if err != nil {
+		msg := fmt.Sprintf("Unable to write response json: %s", err)
+		log.Println(msg)
+		http.Error(w, msg, http.StatusInternalServerError)
 
-func handleI18nCurrentLanguage(w http.ResponseWriter, r *http.Request) {
-	log.Printf("home: language is %s", config.Language)
-
-	_ = aghhttp.WriteJSONResponse(w, r, &languageJSON{
-		Language: config.Language,
-	})
+		return
+	}
 }
 
 func handleI18nChangeLanguage(w http.ResponseWriter, r *http.Request) {
-	if aghhttp.WriteTextPlainDeprecated(w, r) {
-		return
-	}
-
-	langReq := &languageJSON{}
-	err := json.NewDecoder(r.Body).Decode(langReq)
+	// This use of ReadAll is safe, because request's body is now limited.
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusInternalServerError, "reading req: %s", err)
+		msg := fmt.Sprintf("failed to read request body: %s", err)
+		log.Println(msg)
+		http.Error(w, msg, http.StatusBadRequest)
 
 		return
 	}
 
-	lang := langReq.Language
-	if !allowedLanguages.Has(lang) {
-		aghhttp.Error(r, w, http.StatusBadRequest, "unknown language: %q", lang)
+	language := strings.TrimSpace(string(body))
+	if language == "" {
+		msg := "empty language specified"
+		log.Println(msg)
+		http.Error(w, msg, http.StatusBadRequest)
+
+		return
+	}
+
+	if !allowedLanguages.Has(language) {
+		msg := fmt.Sprintf("unknown language specified: %s", language)
+		log.Println(msg)
+		http.Error(w, msg, http.StatusBadRequest)
 
 		return
 	}
@@ -86,8 +96,7 @@ func handleI18nChangeLanguage(w http.ResponseWriter, r *http.Request) {
 		config.Lock()
 		defer config.Unlock()
 
-		config.Language = lang
-		log.Printf("home: language is set to %s", lang)
+		config.Language = language
 	}()
 
 	onConfigModified()

internal/home/mobileconfig.go

@@ -8,7 +8,6 @@ import (
 	"net/url"
 	"path"
 
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
@@ -83,7 +82,7 @@ func encodeMobileConfig(d *dnsSettings, clientID string) ([]byte, error) {
 	case dnsProtoHTTPS:
 		dspName = fmt.Sprintf("%s DoH", d.ServerName)
 		u := &url.URL{
-			Scheme: aghhttp.SchemeHTTPS,
+			Scheme: schemeHTTPS,
 			Host:   d.ServerName,
 			Path:   path.Join("/dns-query", clientID),
 		}

internal/home/service.go

@@ -11,7 +11,6 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/version"
 	"github.com/AdguardTeam/golibs/errors"
@@ -176,8 +175,7 @@ func handleServiceControlAction(opts options, clientBuildFS fs.FS) {
 	chooseSystem()
 
 	action := opts.serviceControlAction
-	log.Info(version.Full())
-	log.Info("service: control action: %s", action)
+	log.Printf("service: control action: %s", action)
 
 	if action == "reload" {
 		sendSigReload()
@@ -279,7 +277,7 @@ AdGuard Home is successfully installed and will automatically start on boot.
 There are a few more things that must be configured before you can use it.
 Click on the link below and follow the Installation Wizard steps to finish setup.
 AdGuard Home is now available at the following addresses:`)
-		printHTTPAddresses(aghhttp.SchemeHTTP)
+		printHTTPAddresses(schemeHTTP)
 	}
 }
 

internal/home/tls.go

@@ -680,6 +680,8 @@ func unmarshalTLS(r *http.Request) (tlsConfigSettingsExt, error) {
 }
 
 func marshalTLS(w http.ResponseWriter, r *http.Request, data tlsConfig) {
+	w.Header().Set("Content-Type", "application/json")
+
 	if data.CertificateChain != "" {
 		encoded := base64.StdEncoding.EncodeToString([]byte(data.CertificateChain))
 		data.CertificateChain = encoded
@@ -690,7 +692,16 @@ func marshalTLS(w http.ResponseWriter, r *http.Request, data tlsConfig) {
 		data.PrivateKey = ""
 	}
 
-	_ = aghhttp.WriteJSONResponse(w, r, data)
+	err := json.NewEncoder(w).Encode(data)
+	if err != nil {
+		aghhttp.Error(
+			r,
+			w,
+			http.StatusInternalServerError,
+			"Failed to marshal json with TLS status: %s",
+			err,
+		)
+	}
 }
 
 // registerWebHandlers registers HTTP handlers for TLS configuration

internal/home/upgrade.go

@@ -278,11 +278,11 @@ func upgradeSchema4to5(diskConf yobj) error {
 		log.Fatalf("Can't use password \"%s\": bcrypt.GenerateFromPassword: %s", passStr, err)
 		return nil
 	}
-	u := webUser{
+	u := User{
 		Name:         nameStr,
 		PasswordHash: string(hash),
 	}
-	users := []webUser{u}
+	users := []User{u}
 	diskConf["users"] = users
 	return nil
 }

internal/home/upgrade_test.go

@@ -4,7 +4,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/AdguardTeam/golibs/timeutil"
 	"github.com/stretchr/testify/assert"
@@ -161,7 +160,7 @@ func assertEqualExcept(t *testing.T, oldConf, newConf yobj, oldKeys, newKeys []s
 }
 
 func testDiskConf(schemaVersion int) (diskConf yobj) {
-	filters := []filtering.FilterYAML{{
+	filters := []filter{{
 		URL:        "https://filters.adtidy.org/android/filters/111_optimized.txt",
 		Name:       "Latvian filter",
 		RulesCount: 100,

internal/home/web.go

@@ -9,7 +9,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/golibs/errors"
@@ -20,6 +19,12 @@ import (
 	"golang.org/x/net/http2/h2c"
 )
 
+// HTTP scheme constants.
+const (
+	schemeHTTP  = "http"
+	schemeHTTPS = "https"
+)
+
 const (
 	// readTimeout is the maximum duration for reading the entire request,
 	// including the body.
@@ -161,7 +166,7 @@ func (web *Web) Start() {
 
 	// this loop is used as an ability to change listening host and/or port
 	for !web.httpsServer.shutdown {
-		printHTTPAddresses(aghhttp.SchemeHTTP)
+		printHTTPAddresses(schemeHTTP)
 		errs := make(chan error, 2)
 
 		// Use an h2c handler to support unencrypted HTTP/2, e.g. for proxies.
@@ -281,7 +286,7 @@ func (web *Web) tlsServerLoop() {
 			WriteTimeout:      web.conf.WriteTimeout,
 		}
 
-		printHTTPAddresses(aghhttp.SchemeHTTPS)
+		printHTTPAddresses(schemeHTTPS)
 		err := web.httpsServer.server.ListenAndServeTLS("", "")
 		if err != http.ErrServerClosed {
 			cleanupAlways()

internal/tools/go.mod

@@ -9,8 +9,8 @@ require (
 	github.com/kisielk/errcheck v1.6.2
 	github.com/kyoh86/looppointer v0.1.7
 	github.com/securego/gosec/v2 v2.13.1
-	golang.org/x/tools v0.1.13-0.20220921142454-16b974289fe5
-	golang.org/x/vuln v0.0.0-20220921153644-d9be10b6cc84
+	golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3
+	golang.org/x/vuln v0.0.0-20220912202342-0ed43f12cb05
 	honnef.co/go/tools v0.3.3
 	mvdan.cc/gofumpt v0.3.1
 	mvdan.cc/unparam v0.0.0-20220831102321-2fc90a84c7ec
@@ -25,10 +25,10 @@ require (
 	github.com/kyoh86/nolint v0.0.1 // indirect
 	github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354 // indirect
 	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
-	golang.org/x/exp v0.0.0-20220921023135-46d9e7742f1e // indirect
+	golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20220827204233-334a2380cb91 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220907135952-02c991387e35 // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde // indirect
-	golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 // indirect
+	golang.org/x/sys v0.0.0-20220909162455-aba9fc2a8ff2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

internal/tools/go.sum

@@ -55,15 +55,15 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/exp v0.0.0-20220921023135-46d9e7742f1e h1:Ctm9yurWsg7aWwIpH9Bnap/IdSVxixymIb3MhiMEQQA=
-golang.org/x/exp v0.0.0-20220921023135-46d9e7742f1e/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
+golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
+golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
 golang.org/x/exp/typeparams v0.0.0-20220827204233-334a2380cb91 h1:Ic/qN6TEifvObMGQy72k0n1LlJr7DjWWEi+MOsDOiSk=
 golang.org/x/exp/typeparams v0.0.0-20220827204233-334a2380cb91/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
-golang.org/x/mod v0.6.0-dev.0.20220907135952-02c991387e35 h1:CZP0Rbk/s1EIiUMx5DS2MhK2ct52xpQxqddVD0FmF+o=
-golang.org/x/mod v0.6.0-dev.0.20220907135952-02c991387e35/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
@@ -86,8 +86,8 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 h1:h+EGohizhe9XlX18rfpa8k8RAc5XyaeamM+0VHRd4lc=
-golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220909162455-aba9fc2a8ff2 h1:wM1k/lXfpc5HdkJJyW9GELpd8ERGdnh8sMGL6Gzq3Ho=
+golang.org/x/sys v0.0.0-20220909162455-aba9fc2a8ff2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -100,10 +100,10 @@ golang.org/x/tools v0.0.0-20200710042808-f1c4188a97a1/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20201007032633-0806396f153e/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
-golang.org/x/tools v0.1.13-0.20220921142454-16b974289fe5 h1:o1LhIiY5L+hLK9DWqfFlilCrpZnw/s7WU4iCUkb/bao=
-golang.org/x/tools v0.1.13-0.20220921142454-16b974289fe5/go.mod h1:VsjNM1dMo+Ofkp5d7y7fOdQZD8MTXSQ4w3EPk65AvKU=
-golang.org/x/vuln v0.0.0-20220921153644-d9be10b6cc84 h1:L0qUjdplndgX880fozFRGC242wAtfsViyRXWGlpZQ54=
-golang.org/x/vuln v0.0.0-20220921153644-d9be10b6cc84/go.mod h1:7tDfEDtOLlzHQRi4Yzfg5seVBSvouUIjyPzBx4q5CxQ=
+golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3 h1:aE4T3aJwdCNz+s35ScSQYUzeGu7BOLDHZ1bBHVurqqY=
+golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/vuln v0.0.0-20220912202342-0ed43f12cb05 h1:NWQHMTdThZhCArzUbnu1Bh+l3LdwUfjZws+ivBR2sxM=
+golang.org/x/vuln v0.0.0-20220912202342-0ed43f12cb05/go.mod h1:7tDfEDtOLlzHQRi4Yzfg5seVBSvouUIjyPzBx4q5CxQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

internal/v1/agh/agh.go

@@ -0,0 +1,33 @@
+// Package agh contains common entities and interfaces of AdGuard Home.
+//
+// TODO(a.garipov): Move to the upper-level internal/.
+package agh
+
+import "context"
+
+// Service is the interface for API servers.
+//
+// TODO(a.garipov): Consider adding a context to Start.
+//
+// TODO(a.garipov): Consider adding a Wait method or making an extension
+// interface for that.
+type Service interface {
+	// Start starts the service.  It does not block.
+	Start() (err error)
+
+	// Shutdown gracefully stops the service.  ctx is used to determine
+	// a timeout before trying to stop the service less gracefully.
+	Shutdown(ctx context.Context) (err error)
+}
+
+// type check
+var _ Service = EmptyService{}
+
+// EmptyService is a Service that does nothing.
+type EmptyService struct{}
+
+// Start implements the Service interface for EmptyService.
+func (EmptyService) Start() (err error) { return nil }
+
+// Shutdown implements the Service interface for EmptyService.
+func (EmptyService) Shutdown(_ context.Context) (err error) { return nil }

internal/v1/cmd/cmd.go

@@ -0,0 +1,67 @@
+// Package cmd is the AdGuard Home entry point.  It contains the on-disk
+// configuration file utilities, signal processing logic, and so on.
+//
+// TODO(a.garipov): Move to the upper-level internal/.
+package cmd
+
+import (
+	"context"
+	"io/fs"
+	"math/rand"
+	"net/netip"
+	"time"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/v1/websvc"
+	"github.com/AdguardTeam/golibs/log"
+)
+
+// Main is the entry point of application.
+func Main(clientBuildFS fs.FS) {
+	// # Initial Configuration
+
+	start := time.Now()
+	rand.Seed(start.UnixNano())
+
+	// TODO(a.garipov): Set up logging.
+
+	// # Web Service
+
+	// TODO(a.garipov): Use in the Web service.
+	_ = clientBuildFS
+
+	// TODO(a.garipov): Make configurable.
+	web := websvc.New(&websvc.Config{
+		Addresses: []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:3001")},
+		Start:     start,
+		Timeout:   60 * time.Second,
+	})
+
+	err := web.Start()
+	fatalOnError(err)
+
+	sigHdlr := newSignalHandler(
+		web,
+	)
+
+	go sigHdlr.handle()
+
+	select {}
+}
+
+// defaultTimeout is the timeout used for some operations where another timeout
+// hasn't been defined yet.
+const defaultTimeout = 15 * time.Second
+
+// ctxWithDefaultTimeout is a helper function that returns a context with
+// timeout set to defaultTimeout.
+func ctxWithDefaultTimeout() (ctx context.Context, cancel context.CancelFunc) {
+	return context.WithTimeout(context.Background(), defaultTimeout)
+}
+
+// fatalOnError is a helper that exits the program with an error code if err is
+// not nil.  It must only be used within Main.
+func fatalOnError(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
+}

internal/v1/cmd/signal.go

@@ -0,0 +1,70 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
+	"github.com/AdguardTeam/AdGuardHome/internal/v1/agh"
+	"github.com/AdguardTeam/golibs/log"
+)
+
+// signalHandler processes incoming signals and shuts services down.
+type signalHandler struct {
+	signal chan os.Signal
+
+	// services are the services that are shut down before application
+	// exiting.
+	services []agh.Service
+}
+
+// handle processes OS signals.
+func (h *signalHandler) handle() {
+	defer log.OnPanic("signalHandler.handle")
+
+	for sig := range h.signal {
+		log.Info("sighdlr: received signal %q", sig)
+
+		if aghos.IsShutdownSignal(sig) {
+			h.shutdown()
+		}
+	}
+}
+
+// Exit status constants.
+const (
+	statusSuccess = 0
+	statusError   = 1
+)
+
+// shutdown gracefully shuts down all services.
+func (h *signalHandler) shutdown() {
+	ctx, cancel := ctxWithDefaultTimeout()
+	defer cancel()
+
+	status := statusSuccess
+
+	log.Info("sighdlr: shutting down services")
+	for i, service := range h.services {
+		err := service.Shutdown(ctx)
+		if err != nil {
+			log.Error("sighdlr: shutting down service at index %d: %s", i, err)
+			status = statusError
+		}
+	}
+
+	log.Info("sighdlr: shutting down adguard home")
+
+	os.Exit(status)
+}
+
+// newSignalHandler returns a new signalHandler that shuts down svcs.
+func newSignalHandler(svcs ...agh.Service) (h *signalHandler) {
+	h = &signalHandler{
+		signal:   make(chan os.Signal, 1),
+		services: svcs,
+	}
+
+	aghos.NotifyShutdownSignal(h.signal)
+
+	return h
+}

internal/v1/dnssvc/dnssvc.go

@@ -0,0 +1,193 @@
+// Package dnssvc contains the AdGuard Home DNS service.
+//
+// TODO(a.garipov): Define, if all methods of a *Service should work with a nil
+// receiver.
+package dnssvc
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"time"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/v1/agh"
+	// TODO(a.garipov): Add a “dnsproxy proxy” package to shield us from changes
+	// and replacement of module dnsproxy.
+	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/AdguardTeam/dnsproxy/upstream"
+)
+
+// Config is the AdGuard Home DNS service configuration structure.
+//
+// TODO(a.garipov): Add timeout for incoming requests.
+type Config struct {
+	// Addresses are the addresses on which to serve plain DNS queries.
+	Addresses []netip.AddrPort
+
+	// Upstreams are the DNS upstreams to use.  If not set, upstreams are
+	// created using data from BootstrapServers, UpstreamServers, and
+	// UpstreamTimeout.
+	//
+	// TODO(a.garipov): Think of a better scheme.  Those other three parameters
+	// are here only to make Config work properly.
+	Upstreams []upstream.Upstream
+
+	// BootstrapServers are the addresses for bootstrapping the upstream DNS
+	// server addresses.
+	BootstrapServers []string
+
+	// UpstreamServers are the upstream DNS server addresses to use.
+	UpstreamServers []string
+
+	// UpstreamTimeout is the timeout for upstream requests.
+	UpstreamTimeout time.Duration
+}
+
+// Service is the AdGuard Home DNS service.  A nil *Service is a valid
+// [agh.Service] that does nothing.
+type Service struct {
+	proxy      *proxy.Proxy
+	bootstraps []string
+	upstreams  []string
+	upsTimeout time.Duration
+}
+
+// New returns a new properly initialized *Service.  If c is nil, svc is a nil
+// *Service that does nothing.  The fields of c must not be modified after
+// calling New.
+func New(c *Config) (svc *Service, err error) {
+	if c == nil {
+		return nil, nil
+	}
+
+	svc = &Service{
+		bootstraps: c.BootstrapServers,
+		upstreams:  c.UpstreamServers,
+		upsTimeout: c.UpstreamTimeout,
+	}
+
+	var upstreams []upstream.Upstream
+	if len(c.Upstreams) > 0 {
+		upstreams = c.Upstreams
+	} else {
+		upstreams, err = addressesToUpstreams(
+			c.UpstreamServers,
+			c.BootstrapServers,
+			c.UpstreamTimeout,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("converting upstreams: %w", err)
+		}
+	}
+
+	svc.proxy = &proxy.Proxy{
+		Config: proxy.Config{
+			UDPListenAddr: udpAddrs(c.Addresses),
+			TCPListenAddr: tcpAddrs(c.Addresses),
+			UpstreamConfig: &proxy.UpstreamConfig{
+				Upstreams: upstreams,
+			},
+		},
+	}
+
+	err = svc.proxy.Init()
+	if err != nil {
+		return nil, fmt.Errorf("proxy: %w", err)
+	}
+
+	return svc, nil
+}
+
+// addressesToUpstreams is a wrapper around [upstream.AddressToUpstream].  It
+// accepts a slice of addresses and other upstream parameters, and returns a
+// slice of upstreams.
+func addressesToUpstreams(
+	upsStrs []string,
+	bootstraps []string,
+	timeout time.Duration,
+) (upstreams []upstream.Upstream, err error) {
+	upstreams = make([]upstream.Upstream, len(upsStrs))
+	for i, upsStr := range upsStrs {
+		upstreams[i], err = upstream.AddressToUpstream(upsStr, &upstream.Options{
+			Bootstrap: bootstraps,
+			Timeout:   timeout,
+		})
+		if err != nil {
+			return nil, fmt.Errorf("upstream at index %d: %w", i, err)
+		}
+	}
+
+	return upstreams, nil
+}
+
+// tcpAddrs converts []netip.AddrPort into []*net.TCPAddr.
+func tcpAddrs(addrPorts []netip.AddrPort) (tcpAddrs []*net.TCPAddr) {
+	if addrPorts == nil {
+		return nil
+	}
+
+	tcpAddrs = make([]*net.TCPAddr, len(addrPorts))
+	for i, a := range addrPorts {
+		tcpAddrs[i] = net.TCPAddrFromAddrPort(a)
+	}
+
+	return tcpAddrs
+}
+
+// udpAddrs converts []netip.AddrPort into []*net.UDPAddr.
+func udpAddrs(addrPorts []netip.AddrPort) (udpAddrs []*net.UDPAddr) {
+	if addrPorts == nil {
+		return nil
+	}
+
+	udpAddrs = make([]*net.UDPAddr, len(addrPorts))
+	for i, a := range addrPorts {
+		udpAddrs[i] = net.UDPAddrFromAddrPort(a)
+	}
+
+	return udpAddrs
+}
+
+// type check
+var _ agh.Service = (*Service)(nil)
+
+// Start implements the [agh.Service] interface for *Service.  svc may be nil.
+// After Start exits, all DNS servers have tried to start, but there is no
+// guarantee that they did.  Errors from the servers are written to the log.
+func (svc *Service) Start() (err error) {
+	if svc == nil {
+		return nil
+	}
+
+	return svc.proxy.Start()
+}
+
+// Shutdown implements the [agh.Service] interface for *Service.  svc may be
+// nil.
+func (svc *Service) Shutdown(ctx context.Context) (err error) {
+	if svc == nil {
+		return nil
+	}
+
+	return svc.proxy.Stop()
+}
+
+// Config returns the current configuration of the web service.
+func (svc *Service) Config() (c *Config) {
+	// TODO(a.garipov): Do we need to get the TCP addresses separately?
+	udpAddrs := svc.proxy.Addrs(proxy.ProtoUDP)
+	addrs := make([]netip.AddrPort, len(udpAddrs))
+	for i, a := range udpAddrs {
+		addrs[i] = a.(*net.UDPAddr).AddrPort()
+	}
+
+	c = &Config{
+		Addresses:        addrs,
+		BootstrapServers: svc.bootstraps,
+		UpstreamServers:  svc.upstreams,
+		UpstreamTimeout:  svc.upsTimeout,
+	}
+
+	return c
+}

internal/v1/dnssvc/dnssvc_test.go

@@ -0,0 +1,89 @@
+package dnssvc_test
+
+import (
+	"context"
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
+	"github.com/AdguardTeam/AdGuardHome/internal/v1/dnssvc"
+	"github.com/AdguardTeam/dnsproxy/upstream"
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMain(m *testing.M) {
+	aghtest.DiscardLogOutput(m)
+}
+
+// testTimeout is the common timeout for tests.
+const testTimeout = 100 * time.Millisecond
+
+func TestService(t *testing.T) {
+	const (
+		bootstrapAddr = "bootstrap.example"
+		upstreamAddr  = "upstream.example"
+	)
+
+	ups := &aghtest.UpstreamMock{
+		OnAddress: func() (addr string) {
+			return upstreamAddr
+		},
+		OnExchange: func(req *dns.Msg) (resp *dns.Msg, err error) {
+			resp = (&dns.Msg{}).SetReply(req)
+
+			return resp, nil
+		},
+	}
+
+	c := &dnssvc.Config{
+		Addresses:        []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:0")},
+		Upstreams:        []upstream.Upstream{ups},
+		BootstrapServers: []string{bootstrapAddr},
+		UpstreamServers:  []string{upstreamAddr},
+		UpstreamTimeout:  testTimeout,
+	}
+
+	svc, err := dnssvc.New(c)
+	require.NoError(t, err)
+
+	err = svc.Start()
+	require.NoError(t, err)
+
+	gotConf := svc.Config()
+	require.NotNil(t, gotConf)
+	require.Len(t, gotConf.Addresses, 1)
+
+	addr := gotConf.Addresses[0]
+
+	t.Run("dns", func(t *testing.T) {
+		req := &dns.Msg{
+			MsgHdr: dns.MsgHdr{
+				Id:               dns.Id(),
+				RecursionDesired: true,
+			},
+			Question: []dns.Question{{
+				Name:   "example.com.",
+				Qtype:  dns.TypeA,
+				Qclass: dns.ClassINET,
+			}},
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), testTimeout)
+		defer cancel()
+
+		cli := &dns.Client{}
+		resp, _, excErr := cli.ExchangeContext(ctx, req, addr.String())
+		require.NoError(t, excErr)
+
+		assert.NotNil(t, resp)
+	})
+
+	ctx, cancel := context.WithTimeout(context.Background(), testTimeout)
+	defer cancel()
+
+	err = svc.Shutdown(ctx)
+	require.NoError(t, err)
+}

internal/v1/websvc/json.go

@@ -0,0 +1,61 @@
+package websvc
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/AdguardTeam/golibs/log"
+)
+
+// JSON Utilities
+
+// jsonTime is a time.Time that can be decoded from JSON and encoded into JSON
+// according to our API conventions.
+type jsonTime time.Time
+
+// type check
+var _ json.Marshaler = jsonTime{}
+
+// nsecPerMsec is the number of nanoseconds in a millisecond.
+const nsecPerMsec = float64(time.Millisecond / time.Nanosecond)
+
+// MarshalJSON implements the json.Marshaler interface for jsonTime.  err is
+// always nil.
+func (t jsonTime) MarshalJSON() (b []byte, err error) {
+	msec := float64(time.Time(t).UnixNano()) / nsecPerMsec
+	b = strconv.AppendFloat(nil, msec, 'f', 3, 64)
+
+	return b, nil
+}
+
+// type check
+var _ json.Unmarshaler = (*jsonTime)(nil)
+
+// UnmarshalJSON implements the json.Marshaler interface for *jsonTime.
+func (t *jsonTime) UnmarshalJSON(b []byte) (err error) {
+	if t == nil {
+		return fmt.Errorf("json time is nil")
+	}
+
+	msec, err := strconv.ParseFloat(string(b), 64)
+	if err != nil {
+		return fmt.Errorf("parsing json time: %w", err)
+	}
+
+	*t = jsonTime(time.Unix(0, int64(msec*nsecPerMsec)).UTC())
+
+	return nil
+}
+
+// writeJSONResponse encodes v into w and logs any errors it encounters.  r is
+// used to get additional information from the request.
+func writeJSONResponse(w io.Writer, r *http.Request, v any) {
+	err := json.NewEncoder(w).Encode(v)
+	if err != nil {
+		log.Error("websvc: writing resp to %s %s: %s", r.Method, r.URL.Path, err)
+	}
+}

internal/v1/websvc/middleware.go

@@ -0,0 +1,16 @@
+package websvc
+
+import "net/http"
+
+// Middlewares
+
+// jsonMw sets the content type of the response to application/json.
+func jsonMw(h http.Handler) (wrapped http.HandlerFunc) {
+	f := func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+
+		h.ServeHTTP(w, r)
+	}
+
+	return http.HandlerFunc(f)
+}

internal/v1/websvc/path.go

@@ -0,0 +1,8 @@
+package websvc
+
+// Path constants
+const (
+	PathHealthCheck = "/health-check"
+
+	PathV1SystemInfo = "/api/v1/system/info"
+)

internal/v1/websvc/system.go

@@ -0,0 +1,35 @@
+package websvc
+
+import (
+	"net/http"
+	"runtime"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/version"
+)
+
+// System Handlers
+
+// RespGetV1SystemInfo describes the response of the GET /api/v1/system/info
+// HTTP API.
+type RespGetV1SystemInfo struct {
+	Arch       string   `json:"arch"`
+	Channel    string   `json:"channel"`
+	OS         string   `json:"os"`
+	NewVersion string   `json:"new_version,omitempty"`
+	Start      jsonTime `json:"start"`
+	Version    string   `json:"version"`
+}
+
+// handleGetV1SystemInfo is the handler for the GET /api/v1/system/info HTTP
+// API.
+func (svc *Service) handleGetV1SystemInfo(w http.ResponseWriter, r *http.Request) {
+	writeJSONResponse(w, r, &RespGetV1SystemInfo{
+		Arch:    runtime.GOARCH,
+		Channel: version.Channel(),
+		OS:      runtime.GOOS,
+		// TODO(a.garipov): Fill this when we have an updater.
+		NewVersion: "",
+		Start:      jsonTime(svc.start),
+		Version:    version.Version(),
+	})
+}

internal/v1/websvc/system_test.go

@@ -0,0 +1,36 @@
+package websvc_test
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"runtime"
+	"testing"
+	"time"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/v1/websvc"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestService_handleGetV1SystemInfo(t *testing.T) {
+	_, addr := newTestServer(t)
+	u := &url.URL{
+		Scheme: "http",
+		Host:   addr,
+		Path:   websvc.PathV1SystemInfo,
+	}
+
+	body := httpGet(t, u, http.StatusOK)
+	resp := &websvc.RespGetV1SystemInfo{}
+	err := json.Unmarshal(body, resp)
+	require.NoError(t, err)
+
+	// TODO(a.garipov): Consider making version.Channel and version.Version
+	// testable and test these better.
+	assert.NotEmpty(t, resp.Channel)
+
+	assert.Equal(t, resp.Arch, runtime.GOARCH)
+	assert.Equal(t, resp.OS, runtime.GOOS)
+	assert.Equal(t, testStart, time.Time(resp.Start))
+}

internal/v1/websvc/websvc.go

@@ -0,0 +1,228 @@
+// Package websvc contains the AdGuard Home web service.
+//
+// TODO(a.garipov): Add tests.
+package websvc
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/netip"
+	"sync"
+	"time"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/v1/agh"
+	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/log"
+	httptreemux "github.com/dimfeld/httptreemux/v5"
+)
+
+// Config is the AdGuard Home web service configuration structure.
+type Config struct {
+	// TLS is the optional TLS configuration.  If TLS is not nil,
+	// SecureAddresses must not be empty.
+	TLS *tls.Config
+
+	// Addresses are the addresses on which to serve the plain HTTP API.
+	Addresses []netip.AddrPort
+
+	// SecureAddresses are the addresses on which to serve the HTTPS API.  If
+	// SecureAddresses is not empty, TLS must not be nil.
+	SecureAddresses []netip.AddrPort
+
+	// Start is the time of start of AdGuard Home.
+	Start time.Time
+
+	// Timeout is the timeout for all server operations.
+	Timeout time.Duration
+}
+
+// Service is the AdGuard Home web service.  A nil *Service is a valid
+// [agh.Service] that does nothing.
+type Service struct {
+	tls     *tls.Config
+	servers []*http.Server
+	start   time.Time
+	timeout time.Duration
+}
+
+// New returns a new properly initialized *Service.  If c is nil, svc is a nil
+// *Service that does nothing.
+func New(c *Config) (svc *Service) {
+	if c == nil {
+		return nil
+	}
+
+	svc = &Service{
+		tls:     c.TLS,
+		start:   c.Start,
+		timeout: c.Timeout,
+	}
+
+	mux := newMux(svc)
+
+	for _, a := range c.Addresses {
+		addr := a.String()
+		errLog := log.StdLog("websvc: http: "+addr, log.ERROR)
+		svc.servers = append(svc.servers, &http.Server{
+			Addr:              addr,
+			Handler:           mux,
+			ErrorLog:          errLog,
+			ReadTimeout:       c.Timeout,
+			WriteTimeout:      c.Timeout,
+			IdleTimeout:       c.Timeout,
+			ReadHeaderTimeout: c.Timeout,
+		})
+	}
+
+	for _, a := range c.SecureAddresses {
+		addr := a.String()
+		errLog := log.StdLog("websvc: https: "+addr, log.ERROR)
+		svc.servers = append(svc.servers, &http.Server{
+			Addr:              addr,
+			Handler:           mux,
+			TLSConfig:         c.TLS,
+			ErrorLog:          errLog,
+			ReadTimeout:       c.Timeout,
+			WriteTimeout:      c.Timeout,
+			IdleTimeout:       c.Timeout,
+			ReadHeaderTimeout: c.Timeout,
+		})
+	}
+
+	return svc
+}
+
+// newMux returns a new HTTP request multiplexor for the AdGuard Home web
+// service.
+func newMux(svc *Service) (mux *httptreemux.ContextMux) {
+	mux = httptreemux.NewContextMux()
+
+	routes := []struct {
+		handler http.HandlerFunc
+		method  string
+		path    string
+		isJSON  bool
+	}{{
+		handler: svc.handleGetHealthCheck,
+		method:  http.MethodGet,
+		path:    PathHealthCheck,
+		isJSON:  false,
+	}, {
+		handler: svc.handleGetV1SystemInfo,
+		method:  http.MethodGet,
+		path:    PathV1SystemInfo,
+		isJSON:  true,
+	}}
+
+	for _, r := range routes {
+		var h http.HandlerFunc
+		if r.isJSON {
+			// TODO(a.garipov): Consider using httptreemux's MiddlewareFunc.
+			h = jsonMw(r.handler)
+		} else {
+			h = r.handler
+		}
+
+		mux.Handle(r.method, r.path, h)
+	}
+
+	return mux
+}
+
+// Addrs returns all addresses on which this server serves the HTTP API.  Addrs
+// must not be called until Start returns.
+func (svc *Service) Addrs() (addrs []string) {
+	addrs = make([]string, 0, len(svc.servers))
+	for _, srv := range svc.servers {
+		addrs = append(addrs, srv.Addr)
+	}
+
+	return addrs
+}
+
+// handleGetHealthCheck is the handler for the GET /health-check HTTP API.
+func (svc *Service) handleGetHealthCheck(w http.ResponseWriter, _ *http.Request) {
+	_, _ = io.WriteString(w, "OK")
+}
+
+// unit is a convenient alias for struct{}.
+type unit = struct{}
+
+// type check
+var _ agh.Service = (*Service)(nil)
+
+// Start implements the [agh.Service] interface for *Service.  svc may be nil.
+// After Start exits, all HTTP servers have tried to start, possibly failing and
+// writing error messages to the log.
+func (svc *Service) Start() (err error) {
+	if svc == nil {
+		return nil
+	}
+
+	srvs := svc.servers
+
+	wg := &sync.WaitGroup{}
+	wg.Add(len(srvs))
+	for _, srv := range srvs {
+		go serve(srv, wg)
+	}
+
+	wg.Wait()
+
+	return nil
+}
+
+// serve starts and runs srv and writes all errors into its log.
+func serve(srv *http.Server, wg *sync.WaitGroup) {
+	addr := srv.Addr
+	defer log.OnPanic(addr)
+
+	var l net.Listener
+	var err error
+	if srv.TLSConfig == nil {
+		l, err = net.Listen("tcp", addr)
+	} else {
+		l, err = tls.Listen("tcp", addr, srv.TLSConfig)
+	}
+	if err != nil {
+		srv.ErrorLog.Printf("starting srv %s: binding: %s", addr, err)
+	}
+
+	// Update the server's address in case the address had the port zero, which
+	// would mean that a random available port was automatically chosen.
+	srv.Addr = l.Addr().String()
+
+	log.Info("websvc: starting srv http://%s", srv.Addr)
+	wg.Done()
+
+	err = srv.Serve(l)
+	if err != nil && !errors.Is(err, http.ErrServerClosed) {
+		srv.ErrorLog.Printf("starting srv %s: %s", addr, err)
+	}
+}
+
+// Shutdown implements the [agh.Service] interface for *Service.  svc may be
+// nil.
+func (svc *Service) Shutdown(ctx context.Context) (err error) {
+	if svc == nil {
+		return nil
+	}
+
+	var errs []error
+	for _, srv := range svc.servers {
+		serr := srv.Shutdown(ctx)
+		if serr != nil {
+			errs = append(errs, fmt.Errorf("shutting down srv %s: %w", srv.Addr, serr))
+		}
+	}
+
+	if len(errs) > 0 {
+		return errors.List("shutting down")
+	}
+
+	return nil
+}

internal/v1/websvc/websvc_test.go

@@ -0,0 +1,93 @@
+package websvc_test
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/netip"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/v1/websvc"
+	"github.com/AdguardTeam/golibs/testutil"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const testTimeout = 1 * time.Second
+
+// testStart is the server start value for tests.
+var testStart = time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)
+
+// newTestServer creates and starts a new web service instance as well as its
+// sole address.  It also registers a cleanup procedure, which shuts the
+// instance down.
+//
+// TODO(a.garipov): Use svc or remove it.
+func newTestServer(t testing.TB) (svc *websvc.Service, addr string) {
+	t.Helper()
+
+	c := &websvc.Config{
+		TLS:             nil,
+		Addresses:       []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:0")},
+		SecureAddresses: nil,
+		Timeout:         testTimeout,
+		Start:           testStart,
+	}
+
+	svc = websvc.New(c)
+
+	err := svc.Start()
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		ctx, cancel := context.WithTimeout(context.Background(), testTimeout)
+		t.Cleanup(cancel)
+
+		err = svc.Shutdown(ctx)
+		require.NoError(t, err)
+	})
+
+	addrs := svc.Addrs()
+	require.Len(t, addrs, 1)
+
+	return svc, addrs[0]
+}
+
+// httpGet is a helper that performs an HTTP GET request and returns the body of
+// the response as well as checks that the status code is correct.
+//
+// TODO(a.garipov): Add helpers for other methods.
+func httpGet(t testing.TB, u *url.URL, wantCode int) (body []byte) {
+	t.Helper()
+
+	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
+	require.NoErrorf(t, err, "creating req")
+
+	httpCli := &http.Client{
+		Timeout: testTimeout,
+	}
+	resp, err := httpCli.Do(req)
+	require.NoErrorf(t, err, "performing req")
+	require.Equal(t, wantCode, resp.StatusCode)
+
+	testutil.CleanupAndRequireSuccess(t, resp.Body.Close)
+
+	body, err = io.ReadAll(resp.Body)
+	require.NoErrorf(t, err, "reading body")
+
+	return body
+}
+
+func TestService_Start_getHealthCheck(t *testing.T) {
+	_, addr := newTestServer(t)
+	u := &url.URL{
+		Scheme: "http",
+		Host:   addr,
+		Path:   websvc.PathHealthCheck,
+	}
+
+	body := httpGet(t, u, http.StatusOK)
+
+	assert.Equal(t, []byte("OK"), body)
+}

main.go

@@ -1,3 +1,6 @@
+//go:build !v1
+// +build !v1
+
 package main
 
 import (

main_v1.go

@@ -0,0 +1,21 @@
+//go:build v1
+// +build v1
+
+package main
+
+import (
+	"embed"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/v1/cmd"
+)
+
+// Embed the prebuilt client here since we strive to keep .go files inside the
+// internal directory and the embed package is unable to embed files located
+// outside of the same or underlying directory.
+
+//go:embed build2
+var clientBuildFS embed.FS
+
+func main() {
+	cmd.Main(clientBuildFS)
+}

openapi/CHANGELOG.md

@@ -4,64 +4,6 @@
 
 ## v0.108.0: API changes
 
-
-
-## v0.107.14: BREAKING API CHANGES
-
-A Cross-Site Request Forgery (CSRF) vulnerability has been discovered.  We have
-implemented several measures to prevent such vulnerabilities in the future, but
-some of these measures break backwards compatibility for the sake of better
-protection.
-
-All new formats for the request and response bodies are documented in
-`openapi.yaml`.
-
-### `POST /control/filtering/set_rules` And Other Plain-Text APIs
-
-The following APIs, which previously accepted or returned `text/plain` data,
-now accept or return data as JSON.
-
-#### `POST /control/filtering/set_rules`
-
-Previously, the API accepted a raw list of filters as a plain-text file.  Now,
-the filters must be presented in a JSON object with the following format:
-
-```json
-{
-  "rules":
-  [
-    "||example.com^",
-    "# comment",
-    "@@||www.example.com^"
-  ]
-}
-```
-
-#### `GET /control/i18n/current_language` And `POST /control/i18n/change_language`
-
-Previously, these APIs accepted and returned the language code in plain text.
-Now, they accept and return them in a JSON object with the following format:
-
-```json
-{
-  "language": "en"
-}
-```
-
-#### `POST /control/dhcp/find_active_dhcp`
-
-Previously, the API accepted the name of the network interface as a plain-text
-string.  Now, it must be contained within a JSON object with the following
-format:
-
-```json
-{
-  "interface": "eth0"
-}
-```
-
-
-
 ## v0.107.12: API changes
 
 ### `GET /control/blocked_services/services`
@@ -69,8 +11,6 @@ format:
 * The new `GET /control/blocked_services/services` HTTP API allows inspecting
   all available services.
 
-
-
 ## v0.107.7: API changes
 
 ### The new optional field `"ecs"` in `QueryLogItem`
@@ -84,8 +24,6 @@ format:
   `POST /install/configure` which means that the specified password does not
   meet the strength requirements.
 
-
-
 ## v0.107.3: API changes
 
 ### The new field `"version"` in `AddressesInfo`
@@ -93,8 +31,6 @@ format:
 * The new field `"version"` in `GET /install/get_addresses` is the version of
   the AdGuard Home instance.
 
-
-
 ## v0.107.0: API changes
 
 ### The new field `"cached"` in `QueryLogItem`

openapi/openapi.yaml

@@ -413,11 +413,6 @@
       - 'dhcp'
       'operationId': 'checkActiveDhcp'
       'summary': 'Searches for an active DHCP server on the network'
-      'requestBody':
-        'content':
-          'application/json':
-            'schema':
-              '$ref': '#/components/schemas/DhcpFindActiveReq'
       'responses':
         '200':
           'description': 'OK.'
@@ -672,6 +667,24 @@
       - 'parental'
       'operationId': 'parentalEnable'
       'summary': 'Enable parental filtering'
+      'requestBody':
+        'content':
+          'text/plain':
+            'schema':
+              'type': 'string'
+              'enum':
+              - 'EARLY_CHILDHOOD'
+              - 'YOUNG'
+              - 'TEEN'
+              - 'MATURE'
+              'example': 'sensitivity=TEEN'
+        'description': |
+          Age sensitivity for parental filtering,
+          EARLY_CHILDHOOD is 3
+          YOUNG is 10
+          TEEN is 13
+          MATURE is 17
+        'required': true
       'responses':
         '200':
           'description': 'OK.'
@@ -945,9 +958,10 @@
         Change current language.  Argument must be an ISO 639-1 two-letter code.
       'requestBody':
         'content':
-          'application/json':
+          'text/plain':
             'schema':
-              '$ref': '#/components/schemas/LanguageSettings'
+              'type': 'string'
+              'example': 'en'
         'description': >
           New language.  It must be known to the server and must be an ISO 639-1
           two-letter code.
@@ -966,9 +980,10 @@
         '200':
           'description': 'OK.'
           'content':
-            'application/json':
-              'schema':
-                '$ref': '#/components/schemas/LanguageSettings'
+            'text/plain':
+              'examples':
+                'response':
+                  'value': 'en'
   '/install/get_addresses_beta':
     'get':
       'tags':
@@ -1762,16 +1777,6 @@
       'additionalProperties':
         '$ref': '#/components/schemas/NetInterface'
 
-    'DhcpFindActiveReq':
-      'description': >
-        Request for checking for other DHCP servers in the network.
-      'properties':
-        'interface':
-          'description': 'The name of the network interface'
-          'example': 'eth0'
-          'type': 'string'
-      'type': 'object'
-
     'DhcpSearchResult':
       'type': 'object'
       'description': >
@@ -2687,15 +2692,6 @@
           'description': 'The error message, an opaque string.'
           'type': 'string'
       'type': 'object'
-    'LanguageSettings':
-      'description': 'Language settings object.'
-      'properties':
-        'language':
-          'description': 'The current language or the language to set.'
-          'type': 'string'
-      'required':
-      - 'language'
-      'type': 'object'
   'securitySchemes':
     'basicAuth':
       'type': 'http'

scripts/make/go-build.sh

@@ -123,4 +123,14 @@ CGO_ENABLED="$cgo_enabled"
 GO111MODULE='on'
 export CGO_ENABLED GO111MODULE
 
-"$go" build --ldflags "$ldflags" "$race_flags" --trimpath "$o_flags" "$v_flags" "$x_flags"
+# Build the new binary if requested.
+if [ "${V1API:-0}" -eq '0' ]
+then
+	tags_flags='--tags='
+else
+	tags_flags='--tags=v1'
+fi
+readonly tags_flags
+
+"$go" build --ldflags "$ldflags" "$race_flags" "$tags_flags" --trimpath "$o_flags" "$v_flags"\
+	"$x_flags"

scripts/make/go-lint.sh

@@ -140,6 +140,7 @@ underscores() {
 			-e '_others.go'\
 			-e '_test.go'\
 			-e '_unix.go'\
+			-e '_v1.go'\
 			-e '_windows.go' \
 			-v\
 			| sed -e 's/./\t\0/'
@@ -218,7 +219,10 @@ exit_on_output gofumpt --extra -e -l .
 
 "$GO" vet ./...
 
-govulncheck ./...
+# TODO(a.garipov): Reenable this once https://github.com/golang/go/issues/55035
+# is fixed.
+#
+#	govulncheck ./...
 
 # Apply more lax standards to the code we haven't properly refactored yet.
 gocyclo --over 17 ./internal/querylog/
@@ -228,7 +232,8 @@ gocyclo --over 13 ./internal/filtering/
 # Apply stricter standards to new or somewhat refactored code.
 gocyclo --over 10 ./internal/aghio/ ./internal/aghnet/ ./internal/aghos/\
 	./internal/aghtest/ ./internal/dnsforward/ ./internal/stats/\
-	./internal/tools/ ./internal/updater/ ./internal/version/ ./main.go
+	./internal/tools/ ./internal/updater/ ./internal/v1/ ./internal/version/\
+	./main.go
 
 ineffassign ./...
 

scripts/make/version.sh

@@ -85,7 +85,11 @@ in
 	# num_commits_since_minor is the number of commits since the last new
 	# minor release.  If the current commit is the new minor release,
 	# num_commits_since_minor is zero.
-	num_commits_since_minor="$( git rev-list --count "${last_minor_zero}..HEAD" )"
+	num_commits_since_minor="$( git rev-list "${last_minor_zero}..HEAD" | wc -l )"
+
+	# The output of darwin's implementation of wc needs to be trimmed from
+	# redundant spaces.
+	num_commits_since_minor="$( echo "$num_commits_since_minor" | tr -d '[:space:]' )"
 	readonly num_commits_since_minor
 
 	# next_minor is the next minor release version.