all: log changes

Squashed commit of the following:

commit 284190f748345c7556e60b67f051ec5f6f080948
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Dec 6 19:36:00 2023 +0300

    all: sync with master; upd chlog

CHANGELOG.md

@@ -9,14 +9,21 @@ The format is based on [*Keep a Changelog*](https://keepachangelog.com/en/1.0.0/
 <!--
 ## [v0.108.0] – TBA
 
-## [v0.107.61] - 2025-04-22 (APPROX.)
+## [v0.107.62] - 2025-04-30 (APPROX.)
 
-See also the [v0.107.61 GitHub milestone][ms-v0.107.61].
+See also the [v0.107.62 GitHub milestone][ms-v0.107.62].
 
-[ms-v0.107.61]: https://github.com/AdguardTeam/AdGuardHome/milestone/96?closed=1
+[ms-v0.107.62]: https://github.com/AdguardTeam/AdGuardHome/milestone/97?closed=1
 
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
+<!--
+NOTE: Add new changes ABOVE THIS COMMENT.
+-->
+
+## [v0.107.61] - 2025-04-22
+
+See also the [v0.107.61 GitHub milestone][ms-v0.107.61].
 
 ### Security
 
@@ -25,10 +32,7 @@ NOTE: Add new changes BELOW THIS COMMENT.
     **NOTE:** We thank [Xiang Li][mr-xiang-li] for reporting this security issue.  It's strongly recommended to leave it enabled, otherwise AdGuard Home will be vulnerable to untrusted clients.
 
 [mr-xiang-li]:  https://lixiang521.com/
-
-<!--
-NOTE: Add new changes ABOVE THIS COMMENT.
--->
+[ms-v0.107.61]: https://github.com/AdguardTeam/AdGuardHome/milestone/96?closed=1
 
 ## [v0.107.60] - 2025-04-14
 
@@ -73,8 +77,6 @@ See also the [v0.107.59 GitHub milestone][ms-v0.107.59].
 
 ### Fixed
 
-- Validation process for the DNS-over-TLS, DNS-over-QUIC, and HTTPS ports on the *Encryption Settings* page.
-
 - Rules with the `client` modifier not working ([#7708]).
 
 - The search form not working in the query log ([#7704]).
@@ -3115,11 +3117,12 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
 [ms-v0.104.2]: https://github.com/AdguardTeam/AdGuardHome/milestone/28?closed=1
 
 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.61...HEAD
-[v0.107.61]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.60...v0.107.61
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.62...HEAD
+[v0.107.62]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.61...v0.107.62
 -->
 
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.60...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.61...HEAD
+[v0.107.61]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.60...v0.107.61
 [v0.107.60]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.59...v0.107.60
 [v0.107.59]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.58...v0.107.59
 [v0.107.58]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.57...v0.107.58

client/src/helpers/filters/filters.ts

@@ -28,12 +28,6 @@ export default {
             "homepage": "https://badmojr.github.io/1Hosts/",
             "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt"
         },
-        "1hosts_pro": {
-            "name": "1Hosts (Pro)",
-            "categoryId": "general",
-            "homepage": "https://badmojr.github.io/1Hosts/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_64.txt"
-        },
         "CHN_adrules": {
             "name": "CHN: AdRules DNS List",
             "categoryId": "regional",

internal/aghuser/aghuser.go

@@ -10,8 +10,7 @@ import (
 // Login is the type for web user logins.
 type Login string
 
-// NewLogin returns a web user login.  The length of s must not be greater than
-// [math.MaxUint16].
+// NewLogin returns a web user login.
 //
 // TODO(s.chzhen): Add more constraints as needed.
 func NewLogin(s string) (l Login, err error) {

internal/aghuser/session.go

@@ -1,35 +0,0 @@
-package aghuser
-
-import (
-	"crypto/rand"
-	"time"
-)
-
-// SessionToken is the type for the web user session token.
-type SessionToken [16]byte
-
-// NewSessionToken returns a cryptographically secure randomly generated web
-// user session token.  If an error occurs during random generation, it will
-// cause the program to crash.
-func NewSessionToken() (t SessionToken) {
-	_, _ = rand.Read(t[:])
-
-	return t
-}
-
-// Session represents a web user session.
-type Session struct {
-	// Expire indicates when the session will expire.
-	Expire time.Time
-
-	// UserLogin is the login of the web user associated with the session.
-	//
-	// TODO(s.chzhen):  Remove this field and associate the user by UserID.
-	UserLogin Login
-
-	// Token is the session token.
-	Token SessionToken
-
-	// UserID is the identifier of the web user associated with the session.
-	UserID UserID
-}

internal/aghuser/sessionstorage.go

@@ -1,449 +0,0 @@
-package aghuser
-
-import (
-	"context"
-	"encoding/binary"
-	"fmt"
-	"log/slog"
-	"sync"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
-	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/logutil/slogutil"
-	"github.com/AdguardTeam/golibs/timeutil"
-	"go.etcd.io/bbolt"
-	berrors "go.etcd.io/bbolt/errors"
-)
-
-// SessionStorage is an interface that defines methods for handling web user
-// sessions.  All methods must be safe for concurrent use.
-//
-// TODO(s.chzhen):  Add DeleteAll method.
-type SessionStorage interface {
-	// New creates a new session for the web user.
-	New(ctx context.Context, u *User) (s *Session, err error)
-
-	// FindByToken returns the stored session for the web user based on the session
-	// token.
-	//
-	// TODO(s.chzhen):  Consider function signature change to reflect the
-	// in-memory implementation, as it currently always returns nil for error.
-	FindByToken(ctx context.Context, t SessionToken) (s *Session, err error)
-
-	// DeleteByToken removes a stored web user session by the provided token.
-	DeleteByToken(ctx context.Context, t SessionToken) (err error)
-
-	// Close releases the web user sessions database resources.
-	Close() (err error)
-}
-
-// DefaultSessionStorageConfig represents the web user session storage
-// configuration structure.
-type DefaultSessionStorageConfig struct {
-	// Logger is used for logging the operation of the session storage.  It must
-	// not be nil.
-	Logger *slog.Logger
-
-	// Clock is used to get the current time.  It must not be nil.
-	Clock timeutil.Clock
-
-	// UserDB contains the web user information such as ID, login, and password.
-	// It must not be nil.
-	UserDB DB
-
-	// DBPath is the path to the database file where session data is stored.  It
-	// must not be empty.
-	DBPath string
-
-	// SessionTTL is the default Time-To-Live duration for web user sessions.
-	// It specifies how long a session should last and is a required field.
-	SessionTTL time.Duration
-}
-
-// DefaultSessionStorage is the default bbolt database implementation of the
-// [SessionStorage] interface.
-type DefaultSessionStorage struct {
-	// db is an instance of the bbolt database where web user sessions are
-	// stored by [SessionToken] in the [bucketNameSessions] bucket.
-	db *bbolt.DB
-
-	// logger is used for logging the operation of the session storage.
-	logger *slog.Logger
-
-	// mu protects sessions.
-	mu *sync.Mutex
-
-	// clock is used to get the current time.
-	clock timeutil.Clock
-
-	// userDB contains the web user information such as ID, login, and password.
-	userDB DB
-
-	// sessions maps a session token to a web user session.
-	sessions map[SessionToken]*Session
-
-	// sessionTTL is the default Time-To-Live value for web user sessions.
-	sessionTTL time.Duration
-}
-
-// NewDefaultSessionStorage returns the new properly initialized
-// *DefaultSessionStorage.
-func NewDefaultSessionStorage(
-	ctx context.Context,
-	conf *DefaultSessionStorageConfig,
-) (ds *DefaultSessionStorage, err error) {
-	ds = &DefaultSessionStorage{
-		clock:      conf.Clock,
-		userDB:     conf.UserDB,
-		logger:     conf.Logger,
-		mu:         &sync.Mutex{},
-		sessions:   map[SessionToken]*Session{},
-		sessionTTL: conf.SessionTTL,
-	}
-
-	dbFilename := conf.DBPath
-	// TODO(s.chzhen):  Pass logger with options.
-	ds.db, err = bbolt.Open(dbFilename, aghos.DefaultPermFile, nil)
-	if err != nil {
-		ds.logger.ErrorContext(ctx, "opening db %q: %w", dbFilename, err)
-		if errors.Is(err, berrors.ErrInvalid) {
-			const s = "AdGuard Home cannot be initialized due to an incompatible file system.\n" +
-				"Please read the explanation here: https://adguard-dns.io/kb/adguard-home/getting-started/#limitations"
-			slogutil.PrintLines(ctx, ds.logger, slog.LevelError, "", s)
-		}
-
-		return nil, err
-	}
-
-	err = ds.loadSessions(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("loading sessions: %w", err)
-	}
-
-	return ds, nil
-}
-
-// loadSessions loads web user sessions from the bbolt database.
-func (ds *DefaultSessionStorage) loadSessions(ctx context.Context) (err error) {
-	tx, err := ds.db.Begin(true)
-	if err != nil {
-		return fmt.Errorf("starting transaction: %w", err)
-	}
-
-	needRollback := true
-	defer func() {
-		if needRollback {
-			err = errors.WithDeferred(err, tx.Rollback())
-		}
-	}()
-
-	bkt := tx.Bucket([]byte(bboltBucketSessions))
-	if bkt == nil {
-		return nil
-	}
-
-	removed, err := ds.processSessions(ctx, bkt)
-	if err != nil {
-		return fmt.Errorf("processing sessions: %w", err)
-	}
-
-	if removed == 0 {
-		ds.logger.DebugContext(ctx, "loading sessions from db", "stored", len(ds.sessions))
-
-		return nil
-	}
-
-	needRollback = false
-	err = tx.Commit()
-	if err != nil {
-		return fmt.Errorf("committing transaction: %w", err)
-	}
-
-	ds.logger.DebugContext(
-		ctx,
-		"loading sessions from db",
-		"stored", len(ds.sessions),
-		"removed", removed,
-	)
-
-	return nil
-}
-
-// processSessions iterates over the sessions bucket and loads or removes
-// sessions as needed.
-func (ds *DefaultSessionStorage) processSessions(
-	ctx context.Context,
-	bkt *bbolt.Bucket,
-) (removed int, err error) {
-	invalidSessions := [][]byte{}
-
-	err = bkt.ForEach(ds.bboltSessionHandler(ctx, &invalidSessions))
-	if err != nil {
-		return 0, fmt.Errorf("iterating over sessions: %w", err)
-	}
-
-	var errs []error
-	for _, s := range invalidSessions {
-		if err = bkt.Delete(s); err != nil {
-			errs = append(errs, err)
-		}
-	}
-
-	if err = errors.Join(errs...); err != nil {
-		return 0, fmt.Errorf("deleting sessions: %w", err)
-	}
-
-	return len(invalidSessions), nil
-}
-
-// bboltSessionHandler returns a function for [bbolt.Bucket.ForEach] that
-// iterates over stored sessions, deserializes them, and logs any errors
-// encountered.  The returned error is always nil, as these errors are
-// considered non-critical to stop the iteration process.
-func (ds *DefaultSessionStorage) bboltSessionHandler(
-	ctx context.Context,
-	invalidSessions *[][]byte,
-) (fn func(k, v []byte) (err error)) {
-	now := ds.clock.Now()
-
-	return func(k, v []byte) (err error) {
-		s, err := bboltDecode(v)
-		if err != nil {
-			*invalidSessions = append(*invalidSessions, k)
-			ds.logger.DebugContext(ctx, "deserializing session", slogutil.KeyError, err)
-
-			return nil
-		}
-
-		if now.After(s.Expire) {
-			*invalidSessions = append(*invalidSessions, k)
-
-			return nil
-		}
-
-		u, err := ds.userDB.ByLogin(ctx, s.UserLogin)
-		if err != nil {
-			// Should not happen, as it currently always returns nil for error.
-			panic(err)
-		}
-
-		if u == nil {
-			*invalidSessions = append(*invalidSessions, k)
-			ds.logger.DebugContext(ctx, "no saved user by name", "name", s.UserLogin)
-
-			return nil
-		}
-
-		t := SessionToken(k)
-		s.Token = t
-		s.UserID = u.ID
-		ds.sessions[t] = s
-
-		return nil
-	}
-}
-
-// bboltBucketSessions is the name of the bucket storing web user sessions in
-// the bbolt database.
-const bboltBucketSessions = "sessions-2"
-
-const (
-	// bboltSessionExpireLen is the length of the expire field in the binary
-	// entry stored in bbolt.
-	bboltSessionExpireLen = 4
-
-	// bboltSessionNameLen is the length of the name field in the binary entry
-	// stored in bbolt.
-	bboltSessionNameLen = 2
-)
-
-// bboltDecode deserializes decodes a binary data into a session.
-func bboltDecode(data []byte) (s *Session, err error) {
-	if len(data) < bboltSessionExpireLen+bboltSessionNameLen {
-		return nil, fmt.Errorf("length of the data is less than expected: got %d", len(data))
-	}
-
-	expireData := data[:bboltSessionExpireLen]
-	nameLenData := data[bboltSessionExpireLen : bboltSessionExpireLen+bboltSessionNameLen]
-	nameData := data[bboltSessionExpireLen+bboltSessionNameLen:]
-
-	nameLen := binary.BigEndian.Uint16(nameLenData)
-	if len(nameData) != int(nameLen) {
-		return nil, fmt.Errorf("login: expected length %d, got %d", nameLen, len(nameData))
-	}
-
-	expire := binary.BigEndian.Uint32(expireData)
-
-	return &Session{
-		Expire:    time.Unix(int64(expire), 0),
-		UserLogin: Login(nameData),
-	}, nil
-}
-
-// bboltEncode serializes a session properties into a binary data.
-func bboltEncode(s *Session) (data []byte) {
-	data = make([]byte, bboltSessionExpireLen+bboltSessionNameLen+len(s.UserLogin))
-
-	expireData := data[:bboltSessionExpireLen]
-	nameLenData := data[bboltSessionExpireLen : bboltSessionExpireLen+bboltSessionNameLen]
-	nameData := data[bboltSessionExpireLen+bboltSessionNameLen:]
-
-	expire := uint32(s.Expire.Unix())
-	binary.BigEndian.PutUint32(expireData, expire)
-	binary.BigEndian.PutUint16(nameLenData, uint16(len(s.UserLogin)))
-	copy(nameData, []byte(s.UserLogin))
-
-	return data
-}
-
-// type check
-var _ SessionStorage = (*DefaultSessionStorage)(nil)
-
-// New implements the [SessionStorage] interface for *DefaultSessionStorage.
-func (ds *DefaultSessionStorage) New(ctx context.Context, u *User) (s *Session, err error) {
-	s = &Session{
-		Token:     NewSessionToken(),
-		UserID:    u.ID,
-		UserLogin: u.Login,
-		Expire:    ds.clock.Now().Add(ds.sessionTTL),
-	}
-
-	err = ds.store(s)
-	if err != nil {
-		return nil, fmt.Errorf("storing session: %w", err)
-	}
-
-	ds.mu.Lock()
-	defer ds.mu.Unlock()
-
-	ds.sessions[s.Token] = s
-
-	return s, nil
-}
-
-// store saves a web user session in the bbolt database.
-func (ds *DefaultSessionStorage) store(s *Session) (err error) {
-	tx, err := ds.db.Begin(true)
-	if err != nil {
-		return fmt.Errorf("starting transaction: %w", err)
-	}
-
-	needRollback := true
-	defer func() {
-		if needRollback {
-			err = errors.WithDeferred(err, tx.Rollback())
-		}
-	}()
-
-	bkt, err := tx.CreateBucketIfNotExists([]byte(bboltBucketSessions))
-	if err != nil {
-		return fmt.Errorf("creating bucket: %w", err)
-	}
-
-	err = bkt.Put(s.Token[:], bboltEncode(s))
-	if err != nil {
-		return fmt.Errorf("putting data: %w", err)
-	}
-
-	needRollback = false
-	err = tx.Commit()
-	if err != nil {
-		return fmt.Errorf("committing transaction: %w", err)
-	}
-
-	return nil
-}
-
-// FindByToken implements the [SessionStorage] interface for *DefaultSessionStorage.
-func (ds *DefaultSessionStorage) FindByToken(ctx context.Context, t SessionToken) (s *Session, err error) {
-	ds.mu.Lock()
-	defer ds.mu.Unlock()
-
-	s, ok := ds.sessions[t]
-	if !ok {
-		return nil, nil
-	}
-
-	now := ds.clock.Now()
-	if now.After(s.Expire) {
-		err = ds.deleteByToken(ctx, t)
-		if err != nil {
-			return nil, fmt.Errorf("expired session: %w", err)
-		}
-
-		return nil, nil
-	}
-
-	return s, nil
-}
-
-// DeleteByToken implements the [SessionStorage] interface for
-// *DefaultSessionStorage.
-func (ds *DefaultSessionStorage) DeleteByToken(ctx context.Context, t SessionToken) (err error) {
-	ds.mu.Lock()
-	defer ds.mu.Unlock()
-
-	// Don't wrap the error because it's informative enough as is.
-	return ds.deleteByToken(ctx, t)
-}
-
-// deleteByToken removes stored session by token.  ds.mu is expected to be
-// locked.
-func (ds *DefaultSessionStorage) deleteByToken(ctx context.Context, t SessionToken) (err error) {
-	err = ds.remove(ctx, t)
-	if err != nil {
-		ds.logger.ErrorContext(ctx, "deleting session", slogutil.KeyError, err)
-
-		return err
-	}
-
-	delete(ds.sessions, t)
-
-	return nil
-}
-
-// remove deletes a web user session from the bbolt database.
-func (ds *DefaultSessionStorage) remove(ctx context.Context, t SessionToken) (err error) {
-	tx, err := ds.db.Begin(true)
-	if err != nil {
-		return fmt.Errorf("starting transaction: %w", err)
-	}
-
-	needRollback := true
-	defer func() {
-		if needRollback {
-			err = errors.WithDeferred(err, tx.Rollback())
-		}
-	}()
-
-	bkt := tx.Bucket([]byte(bboltBucketSessions))
-	if bkt == nil {
-		return errors.Error("no bucket")
-	}
-
-	err = bkt.Delete(t[:])
-	if err != nil {
-		return fmt.Errorf("removing data: %w", err)
-	}
-
-	needRollback = false
-	err = tx.Commit()
-	if err != nil {
-		return fmt.Errorf("committing transaction: %w", err)
-	}
-
-	ds.logger.DebugContext(ctx, "removed session from db")
-
-	return err
-}
-
-// Close implements the [SessionStorage] interface for *DefaultSessionStorage.
-func (ds *DefaultSessionStorage) Close() (err error) {
-	err = ds.db.Close()
-	if err != nil {
-		return fmt.Errorf("closing db: %w", err)
-	}
-
-	return nil
-}

internal/aghuser/sessionstorage_test.go

@@ -1,162 +0,0 @@
-package aghuser_test
-
-import (
-	"context"
-	"os"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghuser"
-	"github.com/AdguardTeam/golibs/logutil/slogutil"
-	"github.com/AdguardTeam/golibs/testutil"
-	"github.com/AdguardTeam/golibs/testutil/faketime"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// addSession is a helper function that saves and returns a session for a newly
-// generated [aghuser.User] by login.
-func addSession(
-	tb testing.TB,
-	ctx context.Context,
-	ds aghuser.SessionStorage,
-	login aghuser.Login,
-) (s *aghuser.Session) {
-	tb.Helper()
-
-	s, err := ds.New(ctx, &aghuser.User{
-		ID:    aghuser.MustNewUserID(),
-		Login: login,
-	})
-	require.NoError(tb, err)
-	require.NotNil(tb, s)
-
-	var got *aghuser.Session
-	got, err = ds.FindByToken(ctx, s.Token)
-	require.NoError(tb, err)
-	require.NotNil(tb, got)
-
-	assert.Equal(tb, login, got.UserLogin)
-
-	return s
-}
-
-func TestDefaultSessionStorage(t *testing.T) {
-	const (
-		userLoginFirst  aghuser.Login = "user_one"
-		userLoginSecond aghuser.Login = "user_two"
-	)
-
-	var (
-		ctx    = testutil.ContextWithTimeout(t, testTimeout)
-		logger = slogutil.NewDiscardLogger()
-	)
-
-	const (
-		sessionTTL = time.Minute
-		timeStep   = time.Second
-	)
-
-	// Set up a mock clock to test expired sessions. Each call to [clock.Now]
-	// will return the [date] incremented by [timeStep].
-	date := time.Now()
-	clock := &faketime.Clock{
-		OnNow: func() (now time.Time) {
-			date = date.Add(timeStep)
-
-			return date
-		},
-	}
-
-	dbFile, err := os.CreateTemp(t.TempDir(), "sessions.db")
-	require.NoError(t, err)
-	testutil.CleanupAndRequireSuccess(t, dbFile.Close)
-
-	userDB := aghuser.NewDefaultDB()
-
-	err = userDB.Create(ctx, &aghuser.User{
-		Login: userLoginFirst,
-		ID:    aghuser.MustNewUserID(),
-	})
-	require.NoError(t, err)
-
-	err = userDB.Create(ctx, &aghuser.User{
-		Login: userLoginSecond,
-		ID:    aghuser.MustNewUserID(),
-	})
-	require.NoError(t, err)
-
-	var (
-		ds *aghuser.DefaultSessionStorage
-
-		sessionFirst  *aghuser.Session
-		sessionSecond *aghuser.Session
-	)
-
-	require.True(t, t.Run("prepare_session_storage", func(t *testing.T) {
-		ds, err = aghuser.NewDefaultSessionStorage(ctx, &aghuser.DefaultSessionStorageConfig{
-			Clock:      clock,
-			UserDB:     userDB,
-			Logger:     logger,
-			DBPath:     dbFile.Name(),
-			SessionTTL: sessionTTL,
-		})
-		require.NoError(t, err)
-
-		sessionFirst = addSession(t, ctx, ds, userLoginFirst)
-
-		// Advance time to ensure the first session expires before creating the
-		// second session.
-		date = date.Add(time.Hour)
-
-		sessionSecond = addSession(t, ctx, ds, userLoginSecond)
-
-		err = ds.Close()
-		require.NoError(t, err)
-	}))
-
-	require.True(t, t.Run("load_sessions", func(t *testing.T) {
-		ds, err = aghuser.NewDefaultSessionStorage(ctx, &aghuser.DefaultSessionStorageConfig{
-			Clock:      clock,
-			UserDB:     userDB,
-			Logger:     logger,
-			DBPath:     dbFile.Name(),
-			SessionTTL: sessionTTL,
-		})
-		require.NoError(t, err)
-
-		var got *aghuser.Session
-		got, err = ds.FindByToken(ctx, sessionFirst.Token)
-		require.NoError(t, err)
-
-		assert.Nil(t, got)
-
-		got, err = ds.FindByToken(ctx, sessionSecond.Token)
-		require.NoError(t, err)
-		require.NotNil(t, got)
-
-		assert.Equal(t, userLoginSecond, got.UserLogin)
-
-		err = ds.DeleteByToken(ctx, sessionSecond.Token)
-		require.NoError(t, err)
-
-		got, err = ds.FindByToken(ctx, sessionSecond.Token)
-		require.NoError(t, err)
-
-		assert.Nil(t, got)
-	}))
-
-	require.True(t, t.Run("expired_session", func(t *testing.T) {
-		testutil.CleanupAndRequireSuccess(t, ds.Close)
-
-		sessionFirst = addSession(t, ctx, ds, userLoginFirst)
-
-		date = date.Add(time.Hour)
-
-		var got *aghuser.Session
-		got, err = ds.FindByToken(ctx, sessionFirst.Token)
-		require.NoError(t, err)
-
-		assert.Nil(t, got)
-	}))
-}

internal/aghuser/user.go

@@ -32,13 +32,13 @@ func MustNewUserID() (uid UserID) {
 
 // User represents a web user.
 type User struct {
-	// Password stores the password information for the web user.  It must not
-	// be nil.
-	Password Password
+	// ID is the unique identifier for the web user.  It must not be empty.
+	ID UserID
 
 	// Login is the login name of the web user.  It must not be empty.
 	Login Login
 
-	// ID is the unique identifier for the web user.  It must not be empty.
-	ID UserID
+	// Password stores the password information for the web user.  It must not
+	// be nil.
+	Password Password
 }

internal/dnsforward/beforerequest.go

@@ -74,7 +74,7 @@ func (s *Server) clientIDFromDNSContext(pctx *proxy.DNSContext) (clientID string
 		return "", nil
 	}
 
-	hostSrvName := s.conf.TLSConf.ServerName
+	hostSrvName := s.conf.ServerName
 	if hostSrvName == "" {
 		return "", nil
 	}
@@ -87,7 +87,7 @@ func (s *Server) clientIDFromDNSContext(pctx *proxy.DNSContext) (clientID string
 	clientID, err = clientIDFromClientServerName(
 		hostSrvName,
 		cliSrvName,
-		s.conf.TLSConf.StrictSNICheck,
+		s.conf.StrictSNICheck,
 	)
 	if err != nil {
 		return "", fmt.Errorf("clientid check: %w", err)

internal/dnsforward/beforerequest_internal_test.go

@@ -121,7 +121,7 @@ func TestServer_HandleBefore_tls(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 
-			s, _ := createTestTLS(t, &TLSConfig{
+			s, _ := createTestTLS(t, TLSConfig{
 				TLSListenAddrs: []*net.TCPAddr{{}},
 				ServerName:     tlsServerName,
 			})
@@ -259,7 +259,6 @@ func TestServer_HandleBefore_udp(t *testing.T) {
 			}, ServerConfig{
 				UDPListenAddrs: []*net.UDPAddr{{}},
 				TCPListenAddrs: []*net.TCPAddr{{}},
-				TLSConf:        &TLSConfig{},
 				Config: Config{
 					AllowedClients:    tc.allowedClients,
 					DisallowedClients: tc.disallowedClients,

internal/dnsforward/clientid_internal_test.go

@@ -212,13 +212,13 @@ func TestServer_clientIDFromDNSContext(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			tlsConf := &TLSConfig{
+			tlsConf := TLSConfig{
 				ServerName:     tc.confSrvName,
 				StrictSNICheck: tc.strictSNI,
 			}
 
 			srv := &Server{
-				conf:       ServerConfig{TLSConf: tlsConf},
+				conf:       ServerConfig{TLSConfig: tlsConf},
 				baseLogger: slogutil.NewDiscardLogger(),
 			}
 

internal/dnsforward/config.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
@@ -167,34 +168,43 @@ type EDNSClientSubnet struct {
 	UseCustom bool `yaml:"use_custom"`
 }
 
-// TLSConfig contains the TLS configuration settings for DNS-over-HTTPS (DoH),
-// DNS-over-TLS (DoT), DNS-over-QUIC (DoQ), and Discovery of Designated
-// Resolvers (DDR).
+// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
 type TLSConfig struct {
-	// Cert is the TLS certificate used for TLS connections.  It is nil if
-	// encryption is disabled.
-	Cert *tls.Certificate
+	cert tls.Certificate
 
-	// TLSListenAddrs are the addresses to listen on for DoT connections.  Each
-	// item in the list must be non-nil if Cert is not nil.
-	TLSListenAddrs []*net.TCPAddr
+	TLSListenAddrs   []*net.TCPAddr `yaml:"-" json:"-"`
+	QUICListenAddrs  []*net.UDPAddr `yaml:"-" json:"-"`
+	HTTPSListenAddrs []*net.TCPAddr `yaml:"-" json:"-"`
 
-	// QUICListenAddrs are the addresses to listen on for DoQ connections.  Each
-	// item in the list must be non-nil if Cert is not nil.
-	QUICListenAddrs []*net.UDPAddr
+	// PEM-encoded certificates chain
+	CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"`
+	// PEM-encoded private key
+	PrivateKey string `yaml:"private_key" json:"private_key"`
 
-	// HTTPSListenAddrs should be the addresses AdGuard Home is listening on for
-	// DoH connections.  These addresses are announced with DDR.  Each item in
-	// the list must be non-nil.
-	HTTPSListenAddrs []*net.TCPAddr
+	CertificatePath string `yaml:"certificate_path" json:"certificate_path"`
+	PrivateKeyPath  string `yaml:"private_key_path" json:"private_key_path"`
+
+	CertificateChainData []byte `yaml:"-" json:"-"`
+	PrivateKeyData       []byte `yaml:"-" json:"-"`
 
 	// ServerName is the hostname of the server.  Currently, it is only being
 	// used for ClientID checking and Discovery of Designated Resolvers (DDR).
-	ServerName string
+	ServerName string `yaml:"-" json:"-"`
+
+	// DNS names from certificate (SAN) or CN value from Subject
+	dnsNames []string
+
+	// OverrideTLSCiphers, when set, contains the names of the cipher suites to
+	// use.  If the slice is empty, the default safe suites are used.
+	OverrideTLSCiphers []string `yaml:"override_tls_ciphers,omitempty" json:"-"`
 
 	// StrictSNICheck controls if the connections with SNI mismatching the
 	// certificate's ones should be rejected.
-	StrictSNICheck bool
+	StrictSNICheck bool `yaml:"strict_sni_check" json:"-"`
+
+	// hasIPAddrs is set during the certificate parsing and is true if the
+	// configured certificate contains at least a single IP address.
+	hasIPAddrs bool
 }
 
 // DNSCryptConfig is the DNSCrypt server configuration struct.
@@ -229,11 +239,8 @@ type ServerConfig struct {
 	// Remove that.
 	AddrProcConf *client.DefaultAddrProcConfig
 
-	// TLSConf is the TLS configuration for DNS-over-TLS, DNS-over-QUIC, and
-	// HTTPS.  It must not be nil.
-	TLSConf *TLSConfig
-
 	Config
+	TLSConfig
 	DNSCryptConfig
 	TLSAllowUnencryptedDoH bool
 
@@ -608,33 +615,45 @@ func (conf *ServerConfig) ourAddrsSet() (m addrPortSet, err error) {
 	}
 }
 
-// prepareTLS sets up the TLS configuration for the DNS proxy.
+// prepareTLS - prepares TLS configuration for the DNS proxy
 func (s *Server) prepareTLS(proxyConfig *proxy.Config) (err error) {
-	if s.conf.TLSConf.Cert == nil {
-		return
-	}
-
-	if s.conf.TLSConf.TLSListenAddrs == nil && s.conf.TLSConf.QUICListenAddrs == nil {
+	if len(s.conf.CertificateChainData) == 0 || len(s.conf.PrivateKeyData) == 0 {
 		return nil
 	}
 
-	proxyConfig.TLSListenAddr = s.conf.TLSConf.TLSListenAddrs
-	proxyConfig.QUICListenAddr = s.conf.TLSConf.QUICListenAddrs
+	if s.conf.TLSListenAddrs == nil && s.conf.QUICListenAddrs == nil {
+		return nil
+	}
 
-	cert, err := x509.ParseCertificate(s.conf.TLSConf.Cert.Certificate[0])
+	proxyConfig.TLSListenAddr = aghalg.CoalesceSlice(
+		s.conf.TLSListenAddrs,
+		proxyConfig.TLSListenAddr,
+	)
+
+	proxyConfig.QUICListenAddr = aghalg.CoalesceSlice(
+		s.conf.QUICListenAddrs,
+		proxyConfig.QUICListenAddr,
+	)
+
+	s.conf.cert, err = tls.X509KeyPair(s.conf.CertificateChainData, s.conf.PrivateKeyData)
+	if err != nil {
+		return fmt.Errorf("failed to parse TLS keypair: %w", err)
+	}
+
+	cert, err := x509.ParseCertificate(s.conf.cert.Certificate[0])
 	if err != nil {
 		return fmt.Errorf("x509.ParseCertificate(): %w", err)
 	}
 
-	s.hasIPAddrs = aghtls.CertificateHasIP(cert)
+	s.conf.hasIPAddrs = aghtls.CertificateHasIP(cert)
 
-	if s.conf.TLSConf.StrictSNICheck {
+	if s.conf.StrictSNICheck {
 		if len(cert.DNSNames) != 0 {
-			s.dnsNames = cert.DNSNames
+			s.conf.dnsNames = cert.DNSNames
 			log.Debug("dns: using certificate's SAN as DNS names: %v", cert.DNSNames)
-			slices.Sort(s.dnsNames)
+			slices.Sort(s.conf.dnsNames)
 		} else {
-			s.dnsNames = []string{cert.Subject.CommonName}
+			s.conf.dnsNames = append(s.conf.dnsNames, cert.Subject.CommonName)
 			log.Debug("dns: using certificate's CN as DNS name: %s", cert.Subject.CommonName)
 		}
 	}
@@ -683,11 +702,11 @@ func anyNameMatches(dnsNames []string, sni string) (ok bool) {
 // Called by 'tls' package when Client Hello is received
 // If the server name (from SNI) supplied by client is incorrect - we terminate the ongoing TLS handshake.
 func (s *Server) onGetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if s.conf.TLSConf.StrictSNICheck && !anyNameMatches(s.dnsNames, ch.ServerName) {
+	if s.conf.StrictSNICheck && !anyNameMatches(s.conf.dnsNames, ch.ServerName) {
 		log.Info("dns: tls: unknown SNI in Client Hello: %s", ch.ServerName)
 		return nil, fmt.Errorf("invalid SNI")
 	}
-	return s.conf.TLSConf.Cert, nil
+	return &s.conf.cert, nil
 }
 
 // preparePlain prepares the plain-DNS configuration for the DNS proxy.

internal/dnsforward/dns64_internal_test.go

@@ -296,7 +296,6 @@ func TestServer_HandleDNSRequest_dns64(t *testing.T) {
 				UDPListenAddrs: []*net.UDPAddr{{}},
 				TCPListenAddrs: []*net.TCPAddr{{}},
 				UseDNS64:       true,
-				TLSConf:        &TLSConfig{},
 				Config: Config{
 					UpstreamMode:     UpstreamModeLoadBalance,
 					EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
@@ -336,7 +335,6 @@ func TestServer_dns64WithDisabledRDNS(t *testing.T) {
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
 		UseDNS64:       true,
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode:     UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},

internal/dnsforward/dnsforward.go

@@ -103,26 +103,16 @@ type SystemResolvers interface {
 //
 // The zero Server is empty and ready for use.
 type Server struct {
-	// addrProc, if not nil, is used to process clients' IP addresses with rDNS,
-	// WHOIS, etc.
-	addrProc client.AddressProcessor
+	// dnsProxy is the DNS proxy for forwarding client's DNS requests.
+	dnsProxy *proxy.Proxy
 
-	// bootstrap is the resolver for upstreams' hostnames.
-	bootstrap upstream.Resolver
-
-	// clientIDCache is a temporary storage for ClientIDs that were extracted
-	// during the BeforeRequestHandler stage.
-	clientIDCache cache.Cache
+	// dnsFilter is the DNS filter for filtering client's DNS requests and
+	// responses.
+	dnsFilter *filtering.DNSFilter
 
 	// dhcpServer is the DHCP server for accessing lease data.
 	dhcpServer DHCP
 
-	// etcHosts contains the current data from the system's hosts files.
-	etcHosts upstream.Resolver
-
-	// privateNets is the configured set of IP networks considered private.
-	privateNets netutil.SubnetSet
-
 	// queryLog is the query log for client's DNS requests, responses and
 	// filtering results.
 	queryLog querylog.QueryLog
@@ -130,43 +120,37 @@ type Server struct {
 	// stats is the statistics collector for client's DNS usage data.
 	stats stats.Interface
 
-	// sysResolvers used to fetch system resolvers to use by default for private
-	// PTR resolving.
-	sysResolvers SystemResolvers
-
 	// access drops disallowed clients.
 	access *accessManager
 
-	// anonymizer masks the client's IP addresses if needed.
-	anonymizer *aghnet.IPMut
-
 	// baseLogger is used to create loggers for other entities.  It should not
 	// have a prefix and must not be nil.
 	baseLogger *slog.Logger
 
-	// dnsFilter is the DNS filter for filtering client's DNS requests and
-	// responses.
-	dnsFilter *filtering.DNSFilter
-
-	// dnsProxy is the DNS proxy for forwarding client's DNS requests.
-	dnsProxy *proxy.Proxy
-
-	// internalProxy resolves internal requests from the application itself.  It
-	// isn't started and so no listen ports are required.
-	internalProxy *proxy.Proxy
+	// localDomainSuffix is the suffix used to detect internal hosts.  It
+	// must be a valid domain name plus dots on each side.
+	localDomainSuffix string
 
 	// ipset processes DNS requests using ipset data.  It must not be nil after
 	// initialization.  See [newIpsetHandler].
 	ipset *ipsetHandler
 
-	// dns64Pref is the NAT64 prefix used for DNS64 response mapping.  The major
-	// part of DNS64 happens inside the [proxy] package, but there still are
-	// some places where response mapping is needed (e.g. DHCP).
-	dns64Pref netip.Prefix
+	// privateNets is the configured set of IP networks considered private.
+	privateNets netutil.SubnetSet
 
-	// localDomainSuffix is the suffix used to detect internal hosts.  It
-	// must be a valid domain name plus dots on each side.
-	localDomainSuffix string
+	// addrProc, if not nil, is used to process clients' IP addresses with rDNS,
+	// WHOIS, etc.
+	addrProc client.AddressProcessor
+
+	// sysResolvers used to fetch system resolvers to use by default for private
+	// PTR resolving.
+	sysResolvers SystemResolvers
+
+	// etcHosts contains the current data from the system's hosts files.
+	etcHosts upstream.Resolver
+
+	// bootstrap is the resolver for upstreams' hostnames.
+	bootstrap upstream.Resolver
 
 	// bootResolvers are the resolvers that should be used for
 	// bootstrapping along with [etcHosts].
@@ -175,26 +159,34 @@ type Server struct {
 	// [upstream.Resolver] interface.
 	bootResolvers []*upstream.UpstreamResolver
 
-	// dnsNames are the DNS names from certificate (SAN) or CN value from
-	// Subject.
-	dnsNames []string
+	// dns64Pref is the NAT64 prefix used for DNS64 response mapping.  The major
+	// part of DNS64 happens inside the [proxy] package, but there still are
+	// some places where response mapping is needed (e.g. DHCP).
+	dns64Pref netip.Prefix
+
+	// anonymizer masks the client's IP addresses if needed.
+	anonymizer *aghnet.IPMut
+
+	// clientIDCache is a temporary storage for ClientIDs that were extracted
+	// during the BeforeRequestHandler stage.
+	clientIDCache cache.Cache
+
+	// internalProxy resolves internal requests from the application itself.  It
+	// isn't started and so no listen ports are required.
+	internalProxy *proxy.Proxy
+
+	// isRunning is true if the DNS server is running.
+	isRunning bool
+
+	// protectionUpdateInProgress is used to make sure that only one goroutine
+	// updating the protection configuration after a pause is running at a time.
+	protectionUpdateInProgress atomic.Bool
 
 	// conf is the current configuration of the server.
 	conf ServerConfig
 
 	// serverLock protects Server.
 	serverLock sync.RWMutex
-
-	// protectionUpdateInProgress is used to make sure that only one goroutine
-	// updating the protection configuration after a pause is running at a time.
-	protectionUpdateInProgress atomic.Bool
-
-	// isRunning is true if the DNS server is running.
-	isRunning bool
-
-	// hasIPAddrs is set during the certificate parsing and is true if the
-	// configured certificate contains at least a single IP address.
-	hasIPAddrs bool
 }
 
 // defaultLocalDomainSuffix is the default suffix used to detect internal hosts

internal/dnsforward/dnsforward_internal_test.go

@@ -213,23 +213,17 @@ func createServerTLSConfig(t *testing.T) (*tls.Config, []byte, []byte) {
 	}, certPem, keyPem
 }
 
-func createTestTLS(t *testing.T, tlsConf *TLSConfig) (s *Server, certPem []byte) {
+func createTestTLS(t *testing.T, tlsConf TLSConfig) (s *Server, certPem []byte) {
 	t.Helper()
 
 	var keyPem []byte
 	_, certPem, keyPem = createServerTLSConfig(t)
 
-	cert, err := tls.X509KeyPair(certPem, keyPem)
-	require.NoError(t, err)
-
-	tlsConf.Cert = &cert
-
 	s = createTestServer(t, &filtering.Config{
 		BlockingMode: filtering.BlockingModeDefault,
 	}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        tlsConf,
 		Config: Config{
 			UpstreamMode:     UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
@@ -238,7 +232,10 @@ func createTestTLS(t *testing.T, tlsConf *TLSConfig) (s *Server, certPem []byte)
 		ServePlainDNS: true,
 	})
 
-	err = s.Prepare(&s.conf)
+	tlsConf.CertificateChainData, tlsConf.PrivateKeyData = certPem, keyPem
+	s.conf.TLSConfig = tlsConf
+
+	err := s.Prepare(&s.conf)
 	require.NoErrorf(t, err, "failed to prepare server: %s", err)
 
 	return s, certPem
@@ -357,7 +354,6 @@ func TestServer(t *testing.T) {
 	}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode:     UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
@@ -399,7 +395,6 @@ func TestServer_timeout(t *testing.T) {
 	t.Run("custom", func(t *testing.T) {
 		srvConf := &ServerConfig{
 			UpstreamTimeout: testTimeout,
-			TLSConf:         &TLSConfig{},
 			Config: Config{
 				UpstreamMode:     UpstreamModeLoadBalance,
 				EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
@@ -427,7 +422,6 @@ func TestServer_timeout(t *testing.T) {
 		})
 		require.NoError(t, err)
 
-		s.conf.TLSConf = &TLSConfig{}
 		s.conf.Config.UpstreamMode = UpstreamModeLoadBalance
 		s.conf.Config.EDNSClientSubnet = &EDNSClientSubnet{
 			Enabled: false,
@@ -442,7 +436,6 @@ func TestServer_timeout(t *testing.T) {
 
 func TestServer_Prepare_fallbacks(t *testing.T) {
 	srvConf := &ServerConfig{
-		TLSConf: &TLSConfig{},
 		Config: Config{
 			FallbackDNS: []string{
 				"#tls://1.1.1.1",
@@ -473,7 +466,6 @@ func TestServerWithProtectionDisabled(t *testing.T) {
 	}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode:     UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
@@ -495,7 +487,7 @@ func TestServerWithProtectionDisabled(t *testing.T) {
 }
 
 func TestDoTServer(t *testing.T) {
-	s, certPem := createTestTLS(t, &TLSConfig{
+	s, certPem := createTestTLS(t, TLSConfig{
 		TLSListenAddrs: []*net.TCPAddr{{}},
 	})
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{newGoogleUpstream()}
@@ -519,7 +511,7 @@ func TestDoTServer(t *testing.T) {
 }
 
 func TestDoQServer(t *testing.T) {
-	s, _ := createTestTLS(t, &TLSConfig{
+	s, _ := createTestTLS(t, TLSConfig{
 		QUICListenAddrs: []*net.UDPAddr{{IP: net.IP{127, 0, 0, 1}}},
 	})
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{newGoogleUpstream()}
@@ -604,7 +596,6 @@ func TestSafeSearch(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{
@@ -699,7 +690,6 @@ func TestInvalidRequest(t *testing.T) {
 	}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{
@@ -731,7 +721,6 @@ func TestBlockedRequest(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{
@@ -769,7 +758,6 @@ func TestServerCustomClientUpstream(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			CacheSize:    defaultCacheSize,
 			UpstreamMode: UpstreamModeLoadBalance,
@@ -850,7 +838,6 @@ func TestBlockCNAMEProtectionEnabled(t *testing.T) {
 	}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{
@@ -886,7 +873,6 @@ func TestBlockCNAME(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{
@@ -961,7 +947,6 @@ func TestClientRulesForCNAMEMatching(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{
@@ -1009,7 +994,6 @@ func TestNullBlockedRequest(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{
@@ -1080,7 +1064,6 @@ func TestBlockedCustomIP(t *testing.T) {
 	conf := &ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamDNS:  []string{"8.8.8.8:53", "8.8.4.4:53"},
 			UpstreamMode: UpstreamModeLoadBalance,
@@ -1136,7 +1119,6 @@ func TestBlockedByHosts(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{
@@ -1190,7 +1172,6 @@ func TestBlockedBySafeBrowsing(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{
@@ -1254,7 +1235,6 @@ func TestRewrite(t *testing.T) {
 	assert.NoError(t, s.Prepare(&ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamDNS:  []string{"8.8.8.8:53"},
 			UpstreamMode: UpstreamModeLoadBalance,
@@ -1389,7 +1369,6 @@ func TestPTRResponseFromDHCPLeases(t *testing.T) {
 	s.conf.UDPListenAddrs = []*net.UDPAddr{{}}
 	s.conf.TCPListenAddrs = []*net.TCPAddr{{}}
 	s.conf.UpstreamDNS = []string{"127.0.0.1:53"}
-	s.conf.TLSConf = &TLSConfig{}
 	s.conf.Config.EDNSClientSubnet = &EDNSClientSubnet{Enabled: false}
 	s.conf.Config.ClientsContainer = EmptyClientsContainer{}
 	s.conf.Config.UpstreamMode = UpstreamModeLoadBalance
@@ -1478,7 +1457,6 @@ func TestPTRResponseFromHosts(t *testing.T) {
 	s.conf.UDPListenAddrs = []*net.UDPAddr{{}}
 	s.conf.TCPListenAddrs = []*net.TCPAddr{{}}
 	s.conf.UpstreamDNS = []string{"127.0.0.1:53"}
-	s.conf.TLSConf = &TLSConfig{}
 	s.conf.Config.EDNSClientSubnet = &EDNSClientSubnet{Enabled: false}
 	s.conf.Config.ClientsContainer = EmptyClientsContainer{}
 	s.conf.Config.UpstreamMode = UpstreamModeLoadBalance
@@ -1745,7 +1723,6 @@ func TestServer_Exchange(t *testing.T) {
 			srv := createTestServer(t, &filtering.Config{
 				BlockingMode: filtering.BlockingModeDefault,
 			}, ServerConfig{
-				TLSConf: &TLSConfig{},
 				Config: Config{
 					UpstreamDNS:      []string{upsAddr},
 					UpstreamMode:     UpstreamModeLoadBalance,
@@ -1769,7 +1746,6 @@ func TestServer_Exchange(t *testing.T) {
 		srv := createTestServer(t, &filtering.Config{
 			BlockingMode: filtering.BlockingModeDefault,
 		}, ServerConfig{
-			TLSConf: &TLSConfig{},
 			Config: Config{
 				UpstreamDNS:      []string{upsAddr},
 				UpstreamMode:     UpstreamModeLoadBalance,

internal/dnsforward/dnsrewrite_internal_test.go

@@ -37,7 +37,6 @@ func TestServer_FilterDNSRewrite(t *testing.T) {
 	srv := createTestServer(t, &filtering.Config{
 		BlockingMode: filtering.BlockingModeDefault,
 	}, ServerConfig{
-		TLSConf: &TLSConfig{},
 		Config: Config{
 			UpstreamMode:     UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},

internal/dnsforward/filter_internal_test.go

@@ -31,7 +31,6 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{

internal/dnsforward/http_internal_test.go

@@ -76,7 +76,6 @@ func TestDNSForwardHTTP_handleGetConfig(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{},
 		TCPListenAddrs: []*net.TCPAddr{},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamDNS:            []string{"8.8.8.8:53", "8.8.4.4:53"},
 			FallbackDNS:            []string{"9.9.9.10"},
@@ -160,7 +159,6 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 	forwardConf := ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{},
 		TCPListenAddrs: []*net.TCPAddr{},
-		TLSConf:        &TLSConfig{},
 		Config: Config{
 			UpstreamDNS:            []string{"8.8.8.8:53", "8.8.4.4:53"},
 			RatelimitSubnetLenIPv4: 24,
@@ -371,7 +369,6 @@ func TestServer_HandleTestUpstreamDNS(t *testing.T) {
 		UDPListenAddrs:  []*net.UDPAddr{{}},
 		TCPListenAddrs:  []*net.TCPAddr{{}},
 		UpstreamTimeout: upsTimeout,
-		TLSConf:         &TLSConfig{},
 		Config: Config{
 			UpstreamMode:     UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},

internal/dnsforward/process.go

@@ -246,9 +246,9 @@ func (s *Server) makeDDRResponse(req *dns.Msg) (resp *dns.Msg) {
 
 	// TODO(e.burkov):  Think about storing the FQDN version of the server's
 	// name somewhere.
-	domainName := dns.Fqdn(s.conf.TLSConf.ServerName)
+	domainName := dns.Fqdn(s.conf.ServerName)
 
-	for _, addr := range s.conf.TLSConf.HTTPSListenAddrs {
+	for _, addr := range s.conf.HTTPSListenAddrs {
 		values := []dns.SVCBKeyValue{
 			&dns.SVCBAlpn{Alpn: []string{"h2"}},
 			&dns.SVCBPort{Port: uint16(addr.Port)},
@@ -265,7 +265,7 @@ func (s *Server) makeDDRResponse(req *dns.Msg) (resp *dns.Msg) {
 		resp.Answer = append(resp.Answer, ans)
 	}
 
-	if s.hasIPAddrs {
+	if s.conf.hasIPAddrs {
 		// Only add DNS-over-TLS resolvers in case the certificate contains IP
 		// addresses.
 		//

internal/dnsforward/process_internal_test.go

@@ -3,7 +3,6 @@ package dnsforward
 import (
 	"cmp"
 	"context"
-	"crypto/tls"
 	"net"
 	"net/netip"
 	"testing"
@@ -78,7 +77,6 @@ func TestServer_ProcessInitial(t *testing.T) {
 			t.Parallel()
 
 			c := ServerConfig{
-				TLSConf: &TLSConfig{},
 				Config: Config{
 					AAAADisabled:     tc.aaaaDisabled,
 					UpstreamMode:     UpstreamModeLoadBalance,
@@ -179,7 +177,6 @@ func TestServer_ProcessFilteringAfterResponse(t *testing.T) {
 			t.Parallel()
 
 			c := ServerConfig{
-				TLSConf: &TLSConfig{},
 				Config: Config{
 					AAAADisabled:     tc.aaaaDisabled,
 					UpstreamMode:     UpstreamModeLoadBalance,
@@ -319,8 +316,6 @@ func TestServer_ProcessDDRQuery(t *testing.T) {
 	}}
 
 	_, certPem, keyPem := createServerTLSConfig(t)
-	cert, err := tls.X509KeyPair(certPem, keyPem)
-	require.NoError(t, err)
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -333,18 +328,19 @@ func TestServer_ProcessDDRQuery(t *testing.T) {
 					EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
 					ClientsContainer: EmptyClientsContainer{},
 				},
-				TLSConf: &TLSConfig{
-					ServerName:       ddrTestDomainName,
-					Cert:             &cert,
-					TLSListenAddrs:   tc.addrsDoT,
-					HTTPSListenAddrs: tc.addrsDoH,
-					QUICListenAddrs:  tc.addrsDoQ,
+				TLSConfig: TLSConfig{
+					ServerName:           ddrTestDomainName,
+					CertificateChainData: certPem,
+					PrivateKeyData:       keyPem,
+					TLSListenAddrs:       tc.addrsDoT,
+					HTTPSListenAddrs:     tc.addrsDoH,
+					QUICListenAddrs:      tc.addrsDoQ,
 				},
 				ServePlainDNS: true,
 			})
 			// TODO(e.burkov):  Generate a certificate actually containing the
 			// IP addresses.
-			s.hasIPAddrs = true
+			s.conf.hasIPAddrs = true
 
 			req := createTestMessageWithType(tc.host, tc.qtype)
 
@@ -661,7 +657,6 @@ func TestServer_HandleDNSRequest_restrictLocal(t *testing.T) {
 	}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-		TLSConf:        &TLSConfig{},
 		// TODO(s.chzhen):  Add tests where EDNSClientSubnet.Enabled is true.
 		// Improve Config declaration for tests.
 		Config: Config{
@@ -794,7 +789,6 @@ func TestServer_ProcessUpstream_localPTR(t *testing.T) {
 			ServerConfig{
 				UDPListenAddrs: []*net.UDPAddr{{}},
 				TCPListenAddrs: []*net.TCPAddr{{}},
-				TLSConf:        &TLSConfig{},
 				Config: Config{
 					UpstreamMode:     UpstreamModeLoadBalance,
 					EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
@@ -824,7 +818,6 @@ func TestServer_ProcessUpstream_localPTR(t *testing.T) {
 			ServerConfig{
 				UDPListenAddrs: []*net.UDPAddr{{}},
 				TCPListenAddrs: []*net.TCPAddr{{}},
-				TLSConf:        &TLSConfig{},
 				Config: Config{
 					UpstreamMode:     UpstreamModeLoadBalance,
 					EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},

internal/dnsforward/svcbmsg_internal_test.go

@@ -16,7 +16,6 @@ func TestGenAnswerHTTPS_andSVCB(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{
 		BlockingMode: filtering.BlockingModeDefault,
 	}, ServerConfig{
-		TLSConf: &TLSConfig{},
 		Config: Config{
 			UpstreamMode:     UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},

internal/home/config.go

@@ -6,7 +6,6 @@ import (
 	"net/netip"
 	"os"
 	"path/filepath"
-	"slices"
 	"sync"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
@@ -24,7 +23,6 @@ import (
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/timeutil"
-	"github.com/google/go-cmp/cmp"
 	"github.com/google/renameio/v2/maybe"
 	yaml "gopkg.in/yaml.v3"
 )
@@ -275,116 +273,28 @@ type pendingRequests struct {
 	Enabled bool `yaml:"enabled"`
 }
 
-// tlsConfigSettings is the TLS configuration for DNS-over-TLS, DNS-over-QUIC,
-// and HTTPS.  When adding new properties, update the [tlsConfigSettings.clone]
-// and [tlsConfigSettings.setPrivateFieldsAndCompare] methods as necessary.
 type tlsConfigSettings struct {
-	// Enabled indicates whether encryption (DoT/DoH/HTTPS) is enabled.
-	Enabled bool `yaml:"enabled" json:"enabled"`
+	Enabled         bool   `yaml:"enabled" json:"enabled"`                                 // Enabled is the encryption (DoT/DoH/HTTPS) status
+	ServerName      string `yaml:"server_name" json:"server_name,omitempty"`               // ServerName is the hostname of your HTTPS/TLS server
+	ForceHTTPS      bool   `yaml:"force_https" json:"force_https"`                         // ForceHTTPS: if true, forces HTTP->HTTPS redirect
+	PortHTTPS       uint16 `yaml:"port_https" json:"port_https,omitempty"`                 // HTTPS port. If 0, HTTPS will be disabled
+	PortDNSOverTLS  uint16 `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"`   // DNS-over-TLS port. If 0, DoT will be disabled
+	PortDNSOverQUIC uint16 `yaml:"port_dns_over_quic" json:"port_dns_over_quic,omitempty"` // DNS-over-QUIC port. If 0, DoQ will be disabled
 
-	// ServerName is the hostname of the HTTPS/TLS server.
-	ServerName string `yaml:"server_name" json:"server_name,omitempty"`
-
-	// ForceHTTPS, if true, forces an HTTP to HTTPS redirect.
-	ForceHTTPS bool `yaml:"force_https" json:"force_https"`
-
-	// PortHTTPS is the HTTPS port.  If 0, HTTPS will be disabled.
-	PortHTTPS uint16 `yaml:"port_https" json:"port_https,omitempty"`
-
-	// PortDNSOverTLS is the DNS-over-TLS port.  If 0, DoT will be disabled.
-	PortDNSOverTLS uint16 `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"`
-
-	// PortDNSOverQUIC is the DNS-over-QUIC port.  If 0, DoQ will be disabled.
-	PortDNSOverQUIC uint16 `yaml:"port_dns_over_quic" json:"port_dns_over_quic,omitempty"`
-
-	// PortDNSCrypt is the port for DNSCrypt requests.  If it's zero, DNSCrypt
-	// is disabled.
+	// PortDNSCrypt is the port for DNSCrypt requests.  If it's zero,
+	// DNSCrypt is disabled.
 	PortDNSCrypt uint16 `yaml:"port_dnscrypt" json:"port_dnscrypt"`
-
-	// DNSCryptConfigFile is the path to the DNSCrypt config file.  Must be set
-	// if PortDNSCrypt is not zero.
+	// DNSCryptConfigFile is the path to the DNSCrypt config file.  Must be
+	// set if PortDNSCrypt is not zero.
 	//
 	// See https://github.com/AdguardTeam/dnsproxy and
 	// https://github.com/ameshkov/dnscrypt.
 	DNSCryptConfigFile string `yaml:"dnscrypt_config_file" json:"dnscrypt_config_file"`
 
-	// AllowUnencryptedDoH allows DoH queries via unencrypted HTTP (e.g. for
-	// reverse proxying).
-	//
-	// TODO(s.chzhen):  Add this option into the Web UI.
+	// Allow DoH queries via unencrypted HTTP (e.g. for reverse proxying)
 	AllowUnencryptedDoH bool `yaml:"allow_unencrypted_doh" json:"allow_unencrypted_doh"`
 
-	// CertificateChain is the PEM-encoded certificate chain.  Must be empty if
-	// [tlsConfigSettings.CertificatePath] is provided.
-	CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"`
-
-	// PrivateKey is the PEM-encoded private key.  Must be empty if
-	// [tlsConfigSettings.PrivateKeyPath] is provided.
-	PrivateKey string `yaml:"private_key" json:"private_key"`
-
-	// CertificatePath is the path to the certificate file.  Must be empty if
-	// [tlsConfigSettings.CertificateChain] is provided.
-	CertificatePath string `yaml:"certificate_path" json:"certificate_path"`
-
-	// PrivateKeyPath is the path to the private key file.  Must be empty if
-	// [tlsConfigSettings.PrivateKey] is provided.
-	PrivateKeyPath string `yaml:"private_key_path" json:"private_key_path"`
-
-	// OverrideTLSCiphers, when set, contains the names of the cipher suites to
-	// use.  If the slice is empty, the default safe suites are used.
-	OverrideTLSCiphers []string `yaml:"override_tls_ciphers,omitempty" json:"-"`
-
-	// CertificateChainData is the PEM-encoded byte data for the certificate
-	// chain.
-	CertificateChainData []byte `yaml:"-" json:"-"`
-
-	// PrivateKeyData is the PEM-encoded byte data for the private key.
-	PrivateKeyData []byte `yaml:"-" json:"-"`
-
-	// StrictSNICheck controls if the connections with SNI mismatching the
-	// certificate's ones should be rejected.
-	StrictSNICheck bool `yaml:"strict_sni_check" json:"-"`
-}
-
-// clone returns a deep copy of c.
-func (c *tlsConfigSettings) clone() (clone *tlsConfigSettings) {
-	clone = &tlsConfigSettings{}
-	*clone = *c
-
-	clone.OverrideTLSCiphers = slices.Clone(c.OverrideTLSCiphers)
-	clone.CertificateChainData = slices.Clone(c.CertificateChainData)
-	clone.PrivateKeyData = slices.Clone(c.PrivateKeyData)
-
-	return clone
-}
-
-// setPrivateFieldsAndCompare sets any missing properties in conf to match those
-// in c and returns true if TLS configurations are equal.  conf must not be be
-// nil.
-// It sets the following properties because these are not accepted from the
-// frontend:
-//
-//	[tlsConfigSettings.AllowUnencryptedDoH]
-//	[tlsConfigSettings.DNSCryptConfigFile]
-//	[tlsConfigSettings.OverrideTLSCiphers]
-//	[tlsConfigSettings.PortDNSCrypt]
-//
-// The following properties are skipped as they are set by
-// [tlsManager.loadTLSConfig]:
-//
-//	[tlsConfigSettings.CertificateChainData]
-//	[tlsConfigSettings.PrivateKeyData]
-func (c *tlsConfigSettings) setPrivateFieldsAndCompare(conf *tlsConfigSettings) (equal bool) {
-	conf.OverrideTLSCiphers = slices.Clone(c.OverrideTLSCiphers)
-
-	// TODO(s.chzhen):  Remove this once the frontend supports it.
-	conf.AllowUnencryptedDoH = c.AllowUnencryptedDoH
-
-	conf.DNSCryptConfigFile = c.DNSCryptConfigFile
-	conf.PortDNSCrypt = c.PortDNSCrypt
-
-	// TODO(a.garipov): Define a custom comparer.
-	return cmp.Equal(c, conf)
+	dnsforward.TLSConfig `yaml:",inline" json:",inline"`
 }
 
 type queryLogConfig struct {
@@ -752,8 +662,9 @@ func (c *configuration) write(tlsMgr *tlsManager) (err error) {
 	}
 
 	if tlsMgr != nil {
-		tlsConf := tlsMgr.config()
-		config.TLS = *tlsConf
+		tlsConf := tlsConfigSettings{}
+		tlsMgr.WriteDiskConfig(&tlsConf)
+		config.TLS = tlsConf
 	}
 
 	if globalContext.stats != nil {

internal/home/controlupdate.go

@@ -164,8 +164,11 @@ func (vr *versionResponse) setAllowedToAutoUpdate(tlsMgr *tlsManager) (err error
 		return nil
 	}
 
+	tlsConf := &tlsConfigSettings{}
+	tlsMgr.WriteDiskConfig(tlsConf)
+
 	canUpdate := true
-	if tlsConfUsesPrivilegedPorts(tlsMgr.config()) ||
+	if tlsConfUsesPrivilegedPorts(tlsConf) ||
 		config.HTTPConfig.Address.Port() < 1024 ||
 		config.DNS.Port < 1024 {
 		canUpdate, err = aghnet.CanBindPrivilegedPorts()

internal/home/dns.go

@@ -2,7 +2,6 @@ package home
 
 import (
 	"context"
-	"crypto/tls"
 	"fmt"
 	"log/slog"
 	"net"
@@ -112,6 +111,9 @@ func initDNS(
 		return err
 	}
 
+	tlsConf := &tlsConfigSettings{}
+	tlsMgr.WriteDiskConfig(tlsConf)
+
 	return initDNSServer(
 		globalContext.filters,
 		globalContext.stats,
@@ -119,7 +121,7 @@ func initDNS(
 		globalContext.dhcpServer,
 		anonymizer,
 		httpRegister,
-		tlsMgr.config(),
+		tlsConf,
 		tlsMgr,
 		baseLogger,
 	)
@@ -253,16 +255,11 @@ func newServerConfig(
 	fwdConf := dnsConf.Config
 	fwdConf.ClientsContainer = clientsContainer
 
-	intTLSConf, err := newDNSTLSConfig(tlsConf, hosts)
-	if err != nil {
-		return nil, fmt.Errorf("constructing tls config: %w", err)
-	}
-
 	newConf = &dnsforward.ServerConfig{
 		UDPListenAddrs:         ipsToUDPAddrs(hosts, dnsConf.Port),
 		TCPListenAddrs:         ipsToTCPAddrs(hosts, dnsConf.Port),
 		Config:                 fwdConf,
-		TLSConf:                intTLSConf,
+		TLSConfig:              newDNSTLSConfig(tlsConf, hosts),
 		TLSAllowUnencryptedDoH: tlsConf.AllowUnencryptedDoH,
 		UpstreamTimeout:        time.Duration(dnsConf.UpstreamTimeout),
 		TLSv12Roots:            tlsMgr.rootCerts,
@@ -308,19 +305,14 @@ func newServerConfig(
 }
 
 // newDNSTLSConfig converts values from the configuration file into the internal
-// TLS settings for the DNS server.  conf must not be nil.
-func newDNSTLSConfig(
-	conf *tlsConfigSettings,
-	addrs []netip.Addr,
-) (dnsConf *dnsforward.TLSConfig, err error) {
+// TLS settings for the DNS server.  tlsConf must not be nil.
+func newDNSTLSConfig(conf *tlsConfigSettings, addrs []netip.Addr) (dnsConf dnsforward.TLSConfig) {
 	if !conf.Enabled {
-		return &dnsforward.TLSConfig{}, nil
+		return dnsforward.TLSConfig{}
 	}
 
-	dnsConf = &dnsforward.TLSConfig{
-		ServerName:     conf.ServerName,
-		StrictSNICheck: conf.StrictSNICheck,
-	}
+	dnsConf = conf.TLSConfig
+	dnsConf.ServerName = conf.ServerName
 
 	if conf.PortHTTPS != 0 {
 		dnsConf.HTTPSListenAddrs = ipsToTCPAddrs(addrs, conf.PortHTTPS)
@@ -334,29 +326,7 @@ func newDNSTLSConfig(
 		dnsConf.QUICListenAddrs = ipsToUDPAddrs(addrs, conf.PortDNSOverQUIC)
 	}
 
-	cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData)
-	if err != nil {
-		const format = "parsing tls key pair: %w"
-		if conf.AllowUnencryptedDoH {
-			// TODO(s.chzhen):  Use [slog.Logger].
-			log.Info("warning: %s: %s", format, err)
-
-			return dnsConf, nil
-		}
-
-		return nil, fmt.Errorf(format, err)
-	}
-
-	// Unencrypted DoH is managed by AdGuard Home itself, not by dnsproxy.
-	// Therefore, avoid setting the certificate property to prevent dnsproxy
-	// from starting encrypted listeners.  See [dnsforward.Server.prepareTLS].
-	if conf.AllowUnencryptedDoH {
-		return dnsConf, nil
-	}
-
-	dnsConf.Cert = &cert
-
-	return dnsConf, nil
+	return dnsConf
 }
 
 // newDNSCryptConfig converts values from the configuration file into the
@@ -409,7 +379,8 @@ type dnsEncryption struct {
 // getDNSEncryption returns the TLS encryption addresses that AdGuard Home
 // listens on.  tlsMgr must not be nil.
 func getDNSEncryption(tlsMgr *tlsManager) (de dnsEncryption) {
-	tlsConf := tlsMgr.config()
+	tlsConf := tlsConfigSettings{}
+	tlsMgr.WriteDiskConfig(&tlsConf)
 
 	if !tlsConf.Enabled || len(tlsConf.ServerName) == 0 {
 		return dnsEncryption{}

internal/home/home.go

@@ -991,9 +991,9 @@ func printWebAddrs(proto, addr string, port uint16) {
 //
 // TODO(s.chzhen):  Implement separate functions for HTTP and HTTPS.
 func printHTTPAddresses(proto string, tlsMgr *tlsManager) {
-	var tlsConf *tlsConfigSettings
+	tlsConf := tlsConfigSettings{}
 	if tlsMgr != nil {
-		tlsConf = tlsMgr.config()
+		tlsMgr.WriteDiskConfig(&tlsConf)
 	}
 
 	port := config.HTTPConfig.Address.Port()

internal/home/tls.go

@@ -24,9 +24,11 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
+	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
 	"github.com/c2h5oh/datasize"
+	"github.com/google/go-cmp/cmp"
 )
 
 // tlsManager contains the current configuration and state of AdGuard Home TLS
@@ -35,9 +37,6 @@ type tlsManager struct {
 	// logger is used for logging the operation of the TLS Manager.
 	logger *slog.Logger
 
-	// mu protects status, certLastMod, conf, and servePlainDNS.
-	mu *sync.Mutex
-
 	// status is the current status of the configuration.  It is never nil.
 	status *tlsConfigStatus
 
@@ -53,9 +52,6 @@ type tlsManager struct {
 	// Resolve it.
 	web *webAPI
 
-	// conf contains the TLS configuration settings.  It must not be nil.
-	conf *tlsConfigSettings
-
 	// configModified is called when the TLS configuration is changed via an
 	// HTTP request.
 	configModified func()
@@ -63,6 +59,9 @@ type tlsManager struct {
 	// customCipherIDs are the ID of the cipher suites that AdGuard Home must use.
 	customCipherIDs []uint16
 
+	confLock sync.Mutex
+	conf     tlsConfigSettings
+
 	// servePlainDNS defines if plain DNS is allowed for incoming requests.
 	servePlainDNS bool
 }
@@ -92,10 +91,9 @@ type tlsManagerConfig struct {
 func newTLSManager(ctx context.Context, conf *tlsManagerConfig) (m *tlsManager, err error) {
 	m = &tlsManager{
 		logger:         conf.logger,
-		mu:             &sync.Mutex{},
 		configModified: conf.configModified,
 		status:         &tlsConfigStatus{},
-		conf:           &conf.tlsSettings,
+		conf:           conf.tlsSettings,
 		servePlainDNS:  conf.servePlainDNS,
 	}
 
@@ -114,22 +112,17 @@ func newTLSManager(ctx context.Context, conf *tlsManagerConfig) (m *tlsManager,
 		m.logger.InfoContext(ctx, "using default ciphers")
 	}
 
-	m.mu.Lock()
-	defer m.mu.Unlock()
+	if m.conf.Enabled {
+		err = m.load(ctx)
+		if err != nil {
+			m.conf.Enabled = false
 
-	if !m.conf.Enabled {
-		return m, nil
+			return m, err
+		}
+
+		m.setCertFileTime(ctx)
 	}
 
-	err = m.load(ctx)
-	if err != nil {
-		m.conf.Enabled = false
-
-		return m, err
-	}
-
-	m.setCertFileTime(ctx)
-
 	return m, nil
 }
 
@@ -143,9 +136,8 @@ func (m *tlsManager) setWebAPI(webAPI *webAPI) {
 }
 
 // load reloads the TLS configuration from files or data from the config file.
-// m.mu is expected to be locked.
 func (m *tlsManager) load(ctx context.Context) (err error) {
-	err = m.loadTLSConfig(ctx, m.conf, m.status)
+	err = m.loadTLSConf(ctx, &m.conf, m.status)
 	if err != nil {
 		return fmt.Errorf("loading config: %w", err)
 	}
@@ -153,16 +145,15 @@ func (m *tlsManager) load(ctx context.Context) (err error) {
 	return nil
 }
 
-// config returns a deep copy of the stored TLS configuration.
-func (m *tlsManager) config() (conf *tlsConfigSettings) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	return m.conf.clone()
+// WriteDiskConfig - write config
+func (m *tlsManager) WriteDiskConfig(conf *tlsConfigSettings) {
+	m.confLock.Lock()
+	*conf = m.conf
+	m.confLock.Unlock()
 }
 
 // setCertFileTime sets [tlsManager.certLastMod] from the certificate.  If there
-// are errors, setCertFileTime logs them.  m.mu is expected to be locked.
+// are errors, setCertFileTime logs them.
 func (m *tlsManager) setCertFileTime(ctx context.Context) {
 	if len(m.conf.CertificatePath) == 0 {
 		return
@@ -184,21 +175,21 @@ func (m *tlsManager) setCertFileTime(ctx context.Context) {
 func (m *tlsManager) start(_ context.Context) {
 	m.registerWebHandlers()
 
-	m.mu.Lock()
-	defer m.mu.Unlock()
+	m.confLock.Lock()
+	tlsConf := m.conf
+	m.confLock.Unlock()
 
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request.
-	m.web.tlsConfigChanged(context.Background(), m.conf)
+	m.web.tlsConfigChanged(context.Background(), tlsConf)
 }
 
 // reload updates the configuration and restarts the TLS manager.
 func (m *tlsManager) reload(ctx context.Context) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
+	m.confLock.Lock()
 	tlsConf := m.conf
+	m.confLock.Unlock()
 
 	if !tlsConf.Enabled || len(tlsConf.CertificatePath) == 0 {
 		return
@@ -220,7 +211,9 @@ func (m *tlsManager) reload(ctx context.Context) {
 
 	m.logger.InfoContext(ctx, "certificate file is modified")
 
+	m.confLock.Lock()
 	err = m.load(ctx)
+	m.confLock.Unlock()
 	if err != nil {
 		m.logger.ErrorContext(ctx, "reloading", slogutil.KeyError, err)
 
@@ -234,6 +227,10 @@ func (m *tlsManager) reload(ctx context.Context) {
 		m.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
 	}
 
+	m.confLock.Lock()
+	tlsConf = m.conf
+	m.confLock.Unlock()
+
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request.
@@ -241,12 +238,15 @@ func (m *tlsManager) reload(ctx context.Context) {
 }
 
 // reconfigureDNSServer updates the DNS server configuration using the stored
-// TLS settings.  m.mu is expected to be locked.
+// TLS settings.
 func (m *tlsManager) reconfigureDNSServer() (err error) {
+	tlsConf := &tlsConfigSettings{}
+	m.WriteDiskConfig(tlsConf)
+
 	newConf, err := newServerConfig(
 		&config.DNS,
 		config.Clients.Sources,
-		m.conf,
+		tlsConf,
 		m,
 		httpRegister,
 		globalContext.clients.storage,
@@ -263,11 +263,9 @@ func (m *tlsManager) reconfigureDNSServer() (err error) {
 	return nil
 }
 
-// loadTLSConfig loads and validates the TLS configuration.  It also sets
-// [tlsConfigSettings.CertificateChainData] and
-// [tlsConfigSettings.PrivateKeyData] properties.  The returned error is also
-// set in status.WarningValidation.
-func (m *tlsManager) loadTLSConfig(
+// loadTLSConf loads and validates the TLS configuration.  The returned error is
+// also set in status.WarningValidation.
+func (m *tlsManager) loadTLSConf(
 	ctx context.Context,
 	tlsConf *tlsConfigSettings,
 	status *tlsConfigStatus,
@@ -359,10 +357,10 @@ type tlsConfigStatus struct {
 	KeyType string `json:"key_type,omitempty"`
 
 	// NotBefore is the NotBefore field of the first certificate in the chain.
-	NotBefore time.Time `json:"not_before"`
+	NotBefore time.Time `json:"not_before,omitempty"`
 
 	// NotAfter is the NotAfter field of the first certificate in the chain.
-	NotAfter time.Time `json:"not_after"`
+	NotAfter time.Time `json:"not_after,omitempty"`
 
 	// WarningValidation is a validation warning message with the issue
 	// description.
@@ -412,23 +410,15 @@ type tlsConfigSettingsExt struct {
 
 // handleTLSStatus is the handler for the GET /control/tls/status HTTP API.
 func (m *tlsManager) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
-	var tlsConf *tlsConfigSettings
-	var servePlainDNS bool
-	func() {
-		m.mu.Lock()
-		defer m.mu.Unlock()
-
-		tlsConf = m.conf.clone()
-		servePlainDNS = m.servePlainDNS
-	}()
-
+	m.confLock.Lock()
 	data := tlsConfig{
 		tlsConfigSettingsExt: tlsConfigSettingsExt{
-			tlsConfigSettings: *tlsConf,
-			ServePlainDNS:     aghalg.BoolToNullBool(servePlainDNS),
+			tlsConfigSettings: m.conf,
+			ServePlainDNS:     aghalg.BoolToNullBool(m.servePlainDNS),
 		},
 		tlsConfigStatus: m.status,
 	}
+	m.confLock.Unlock()
 
 	marshalTLS(w, r, data)
 }
@@ -444,9 +434,6 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
 	if setts.PrivateKeySaved {
 		setts.PrivateKey = m.conf.PrivateKey
 	}
@@ -462,7 +449,7 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 	// Skip the error check, since we are only interested in the value of
 	// status.WarningValidation.
 	status := &tlsConfigStatus{}
-	_ = m.loadTLSConfig(ctx, &setts.tlsConfigSettings, status)
+	_ = m.loadTLSConf(ctx, &setts.tlsConfigSettings, status)
 	resp := tlsConfig{
 		tlsConfigSettingsExt: setts,
 		tlsConfigStatus:      status,
@@ -471,23 +458,42 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 	marshalTLS(w, r, resp)
 }
 
-// setConfig updates manager TLS configuration with the given one.  m.mu is
-// expected to be locked.
+// setConfig updates manager conf with the given one.
 func (m *tlsManager) setConfig(
 	ctx context.Context,
 	newConf tlsConfigSettings,
 	status *tlsConfigStatus,
 	servePlain aghalg.NullBool,
 ) (restartHTTPS bool) {
-	if !m.conf.setPrivateFieldsAndCompare(&newConf) {
+	m.confLock.Lock()
+	defer m.confLock.Unlock()
+
+	// Reset the DNSCrypt data before comparing, since we currently do not
+	// accept these from the frontend.
+	//
+	// TODO(a.garipov): Define a custom comparer for dnsforward.TLSConfig.
+	newConf.DNSCryptConfigFile = m.conf.DNSCryptConfigFile
+	newConf.PortDNSCrypt = m.conf.PortDNSCrypt
+	if !cmp.Equal(m.conf, newConf, cmp.AllowUnexported(dnsforward.TLSConfig{})) {
 		m.logger.InfoContext(ctx, "config has changed, restarting https server")
 		restartHTTPS = true
 	} else {
 		m.logger.InfoContext(ctx, "config has not changed")
 	}
 
-	m.conf = &newConf
-
+	// Note: don't do just `t.conf = data` because we must preserve all other members of t.conf
+	m.conf.Enabled = newConf.Enabled
+	m.conf.ServerName = newConf.ServerName
+	m.conf.ForceHTTPS = newConf.ForceHTTPS
+	m.conf.PortHTTPS = newConf.PortHTTPS
+	m.conf.PortDNSOverTLS = newConf.PortDNSOverTLS
+	m.conf.PortDNSOverQUIC = newConf.PortDNSOverQUIC
+	m.conf.CertificateChain = newConf.CertificateChain
+	m.conf.CertificatePath = newConf.CertificatePath
+	m.conf.CertificateChainData = newConf.CertificateChainData
+	m.conf.PrivateKey = newConf.PrivateKey
+	m.conf.PrivateKeyPath = newConf.PrivateKeyPath
+	m.conf.PrivateKeyData = newConf.PrivateKeyData
 	m.status = status
 
 	if servePlain != aghalg.NBNull {
@@ -509,16 +515,6 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	var restartHTTPS bool
-	defer func() {
-		if restartHTTPS {
-			m.configModified()
-		}
-	}()
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
 	if req.PrivateKeySaved {
 		req.PrivateKey = m.conf.PrivateKey
 	}
@@ -530,7 +526,7 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 	}
 
 	status := &tlsConfigStatus{}
-	err = m.loadTLSConfig(ctx, &req.tlsConfigSettings, status)
+	err = m.loadTLSConf(ctx, &req.tlsConfigSettings, status)
 	if err != nil {
 		resp := tlsConfig{
 			tlsConfigSettingsExt: req,
@@ -542,18 +538,20 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	restartHTTPS = m.setConfig(ctx, req.tlsConfigSettings, status, req.ServePlainDNS)
+	restartHTTPS := m.setConfig(ctx, req.tlsConfigSettings, status, req.ServePlainDNS)
 	m.setCertFileTime(ctx)
 
 	if req.ServePlainDNS != aghalg.NBNull {
 		func() {
-			config.Lock()
-			defer config.Unlock()
+			m.confLock.Lock()
+			defer m.confLock.Unlock()
 
 			config.DNS.ServePlainDNS = req.ServePlainDNS == aghalg.NBTrue
 		}()
 	}
 
+	m.configModified()
+
 	err = m.reconfigureDNSServer()
 	if err != nil {
 		m.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
@@ -569,18 +567,18 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 	}
 
 	marshalTLS(w, r, resp)
-	rc := http.NewResponseController(w)
-	err = rc.Flush()
-	if err != nil {
-		m.logger.ErrorContext(ctx, "flushing response", slogutil.KeyError, err)
+	if f, ok := w.(http.Flusher); ok {
+		f.Flush()
 	}
 
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
-	// request.  It is also should be done in a separate goroutine due to the
+	// request. It is also should be done in a separate goroutine due to the
 	// same reason.
 	if restartHTTPS {
-		go m.web.tlsConfigChanged(context.Background(), &req.tlsConfigSettings)
+		go func() {
+			m.web.tlsConfigChanged(context.Background(), req.tlsConfigSettings)
+		}()
 	}
 }
 

internal/home/tls_internal_test.go

@@ -239,9 +239,11 @@ func TestTLSManager_Reload(t *testing.T) {
 		logger:         logger,
 		configModified: func() {},
 		tlsSettings: tlsConfigSettings{
-			Enabled:         true,
-			CertificatePath: certPath,
-			PrivateKeyPath:  keyPath,
+			Enabled: true,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificatePath: certPath,
+				PrivateKeyPath:  keyPath,
+			},
 		},
 		servePlainDNS: false,
 	})
@@ -252,7 +254,8 @@ func TestTLSManager_Reload(t *testing.T) {
 
 	m.setWebAPI(web)
 
-	conf := m.config()
+	conf := &tlsConfigSettings{}
+	m.WriteDiskConfig(conf)
 	assertCertSerialNumber(t, conf, snBefore)
 
 	certDER, key = newCertAndKey(t, snAfter)
@@ -260,7 +263,7 @@ func TestTLSManager_Reload(t *testing.T) {
 
 	m.reload(ctx)
 
-	conf = m.config()
+	m.WriteDiskConfig(conf)
 	assertCertSerialNumber(t, conf, snAfter)
 }
 
@@ -275,9 +278,11 @@ func TestTLSManager_HandleTLSStatus(t *testing.T) {
 		logger:         logger,
 		configModified: func() {},
 		tlsSettings: tlsConfigSettings{
-			Enabled:          true,
-			CertificateChain: string(testCertChainData),
-			PrivateKey:       string(testPrivateKeyData),
+			Enabled: true,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificateChain: string(testCertChainData),
+				PrivateKey:       string(testPrivateKeyData),
+			},
 		},
 		servePlainDNS: false,
 	})
@@ -337,49 +342,47 @@ func TestValidateTLSSettings(t *testing.T) {
 	busyUDPPort := udpAddr.Port
 
 	testCases := []struct {
+		setts   tlsConfigSettingsExt
 		name    string
 		wantErr string
-		setts   tlsConfigSettingsExt
 	}{{
 		name:    "basic",
-		wantErr: "",
 		setts:   tlsConfigSettingsExt{},
+		wantErr: "",
 	}, {
-		name:    "disabled_all",
-		wantErr: "plain DNS is required in case encryption protocols are disabled",
 		setts: tlsConfigSettingsExt{
 			ServePlainDNS: aghalg.NBFalse,
 		},
+		name:    "disabled_all",
+		wantErr: "plain DNS is required in case encryption protocols are disabled",
 	}, {
-		name:    "busy_https_port",
-		wantErr: fmt.Sprintf("port %d for HTTPS is not available", busyTCPPort),
 		setts: tlsConfigSettingsExt{
 			tlsConfigSettings: tlsConfigSettings{
 				Enabled:   true,
 				PortHTTPS: uint16(busyTCPPort),
 			},
 		},
+		name:    "busy_https_port",
+		wantErr: fmt.Sprintf("port %d for HTTPS is not available", busyTCPPort),
 	}, {
-		name:    "busy_dot_port",
-		wantErr: fmt.Sprintf("port %d for DNS-over-TLS is not available", busyTCPPort),
 		setts: tlsConfigSettingsExt{
 			tlsConfigSettings: tlsConfigSettings{
 				Enabled:        true,
 				PortDNSOverTLS: uint16(busyTCPPort),
 			},
 		},
+		name:    "busy_dot_port",
+		wantErr: fmt.Sprintf("port %d for DNS-over-TLS is not available", busyTCPPort),
 	}, {
-		name:    "busy_doq_port",
-		wantErr: fmt.Sprintf("port %d for DNS-over-QUIC is not available", busyUDPPort),
 		setts: tlsConfigSettingsExt{
 			tlsConfigSettings: tlsConfigSettings{
 				Enabled:         true,
 				PortDNSOverQUIC: uint16(busyUDPPort),
 			},
 		},
+		name:    "busy_doq_port",
+		wantErr: fmt.Sprintf("port %d for DNS-over-QUIC is not available", busyUDPPort),
 	}, {
-		name:    "duplicate_port",
-		wantErr: "validating tcp ports: duplicated values: [4433]",
 		setts: tlsConfigSettingsExt{
 			tlsConfigSettings: tlsConfigSettings{
 				Enabled:        true,
@@ -387,6 +390,8 @@ func TestValidateTLSSettings(t *testing.T) {
 				PortDNSOverTLS: 4433,
 			},
 		},
+		name:    "duplicate_port",
+		wantErr: "validating tcp ports: duplicated values: [4433]",
 	}}
 
 	for _, tc := range testCases {
@@ -412,9 +417,11 @@ func TestTLSManager_HandleTLSValidate(t *testing.T) {
 		logger:         logger,
 		configModified: func() {},
 		tlsSettings: tlsConfigSettings{
-			Enabled:          true,
-			CertificateChain: string(testCertChainData),
-			PrivateKey:       string(testPrivateKeyData),
+			Enabled: true,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificateChain: string(testCertChainData),
+				PrivateKey:       string(testPrivateKeyData),
+			},
 		},
 		servePlainDNS: false,
 	})
@@ -427,9 +434,11 @@ func TestTLSManager_HandleTLSValidate(t *testing.T) {
 
 	setts := &tlsConfigSettingsExt{
 		tlsConfigSettings: tlsConfigSettings{
-			Enabled:          true,
-			CertificateChain: base64.StdEncoding.EncodeToString(testCertChainData),
-			PrivateKey:       base64.StdEncoding.EncodeToString(testPrivateKeyData),
+			Enabled: true,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificateChain: base64.StdEncoding.EncodeToString(testCertChainData),
+				PrivateKey:       base64.StdEncoding.EncodeToString(testPrivateKeyData),
+			},
 		},
 	}
 
@@ -467,7 +476,6 @@ func TestTLSManager_HandleTLSConfigure(t *testing.T) {
 	require.NoError(t, err)
 
 	err = globalContext.dnsServer.Prepare(&dnsforward.ServerConfig{
-		TLSConf: &dnsforward.TLSConfig{},
 		Config: dnsforward.Config{
 			UpstreamMode:     dnsforward.UpstreamModeLoadBalance,
 			EDNSClientSubnet: &dnsforward.EDNSClientSubnet{Enabled: false},
@@ -503,9 +511,11 @@ func TestTLSManager_HandleTLSConfigure(t *testing.T) {
 		logger:         logger,
 		configModified: func() {},
 		tlsSettings: tlsConfigSettings{
-			Enabled:         true,
-			CertificatePath: certPath,
-			PrivateKeyPath:  keyPath,
+			Enabled: true,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificatePath: certPath,
+				PrivateKeyPath:  keyPath,
+			},
 		},
 		servePlainDNS: true,
 	})
@@ -516,16 +526,19 @@ func TestTLSManager_HandleTLSConfigure(t *testing.T) {
 
 	m.setWebAPI(web)
 
-	conf := m.config()
+	conf := &tlsConfigSettings{}
+	m.WriteDiskConfig(conf)
 	assertCertSerialNumber(t, conf, wantSerialNumber)
 
 	// Prepare a request with the new TLS configuration.
 	setts := &tlsConfigSettingsExt{
 		tlsConfigSettings: tlsConfigSettings{
-			Enabled:          true,
-			PortHTTPS:        4433,
-			CertificateChain: base64.StdEncoding.EncodeToString(testCertChainData),
-			PrivateKey:       base64.StdEncoding.EncodeToString(testPrivateKeyData),
+			Enabled:   true,
+			PortHTTPS: 4433,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificateChain: base64.StdEncoding.EncodeToString(testCertChainData),
+				PrivateKey:       base64.StdEncoding.EncodeToString(testPrivateKeyData),
+			},
 		},
 	}
 

internal/home/web.go

@@ -157,8 +157,8 @@ func newWebAPI(ctx context.Context, conf *webConfig) (w *webAPI) {
 }
 
 // tlsConfigChanged updates the TLS configuration and restarts the HTTPS server
-// if necessary.  tlsConf must not be nil.
-func (web *webAPI) tlsConfigChanged(ctx context.Context, tlsConf *tlsConfigSettings) {
+// if necessary.
+func (web *webAPI) tlsConfigChanged(ctx context.Context, tlsConf tlsConfigSettings) {
 	defer slogutil.RecoverAndExit(ctx, web.logger, osutil.ExitCodeFailure)
 
 	web.logger.DebugContext(ctx, "applying new tls configuration")

scripts/make/go-lint.sh

@@ -199,7 +199,6 @@ run_linter gocognit --over='10' \
 	./internal/aghhttp/ \
 	./internal/aghrenameio/ \
 	./internal/aghtest/ \
-	./internal/aghuser/ \
 	./internal/arpdb/ \
 	./internal/client/ \
 	./internal/configmigrate/ \
@@ -251,7 +250,6 @@ run_linter fieldalignment \
 	./internal/aghrenameio/ \
 	./internal/aghtest/ \
 	./internal/aghtls/ \
-	./internal/aghuser/ \
 	./internal/arpdb/ \
 	./internal/client/ \
 	./internal/configmigrate/ \
@@ -282,7 +280,6 @@ run_linter gosec --exclude G115 --quiet \
 	./internal/aghos/ \
 	./internal/aghrenameio/ \
 	./internal/aghtest/ \
-	./internal/aghuser/ \
 	./internal/arpdb/ \
 	./internal/client/ \
 	./internal/configmigrate/ \