Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-27 16:24:19 -04:00
Code Issues Packages Projects Releases Wiki Activity

custom DoH request validation (#4329)

Browse Source 
* custom DoH request validation

Signed-off-by: Johnny Bergström <johnny@klaudify.se>

* add comment and test

Signed-off-by: Johnny Bergström <johnny@klaudify.se>

* NewServerHTTPS comment typo

Signed-off-by: Johnny Bergström <johnny@klaudify.se>
This commit is contained in:
Johnny Bergström
2020-12-15 14:26:07 +01:00
committed by GitHub
parent 6af47bac39
commit be955daa37
3 changed files with 90 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
core/dnsserver/server_https.go
View File

@@ -20,12 +20,13 @@ import (
// ServerHTTPS represents an instance of a DNS-over-HTTPS server.
type ServerHTTPS struct {
*Server
httpsServer *http.Server
listenAddr net.Addr
tlsConfig *tls.Config
httpsServer *http.Server
listenAddr net.Addr
tlsConfig *tls.Config
validRequest func(*http.Request) bool
}
// NewServerHTTPS returns a new CoreDNS GRPC server and compiles all plugins in to it.
// NewServerHTTPS returns a new CoreDNS HTTPS server and compiles all plugins in to it.
func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
s, err := NewServer(addr, group)
if err != nil {
@@ -45,12 +46,23 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
// or the upgrade won't happen.
tlsConfig.NextProtos = []string{"h2", "http/1.1"}
// Use a custom request validation func or use the standard DoH path check.
var validator func(*http.Request) bool
for _, conf := range s.zones {
validator = conf.HTTPRequestValidateFunc
}
if validator == nil {
validator = func(r *http.Request) bool { return r.URL.Path == doh.Path }
}
srv := &http.Server{
ReadTimeout: 5 * time.Second,
WriteTimeout: 10 * time.Second,
IdleTimeout: 120 * time.Second,
}
sh := &ServerHTTPS{Server: s, tlsConfig: tlsConfig, httpsServer: srv}
sh := &ServerHTTPS{
Server: s, tlsConfig: tlsConfig, httpsServer: srv, validRequest: validator,
}
sh.httpsServer.Handler = sh
return sh, nil
@@ -114,7 +126,7 @@ func (s *ServerHTTPS) Stop() error {
// chain, converts it back and write it to the client.
func (s *ServerHTTPS) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != doh.Path {
if !s.validRequest(r) {
http.Error(w, "", http.StatusNotFound)
return
}