| author | Shulhan <m.shulhan@gmail.com> | 2019-10-17 23:49:35 +0700 |
|---|---|---|
| committer | Shulhan <m.shulhan@gmail.com> | 2019-10-17 23:49:35 +0700 |
| commit | 8b7efbc45b4cc62640a7be70074e8d30e5707b10 (patch) | |
| tree | d41c0fe7584dc33d0c19ac01929baf6e53fd5f58 | |
| parent | 711e75f2b58a44b51b4c7a2b47a341c29a5e675a (diff) | |
| download | rescached-8b7efbc45b4cc62640a7be70074e8d30e5707b10.tar.xz | |
rescached: support serving and forwarding DNS over TLS
| -rw-r--r-- | CHANGELOG.adoc | 2 | ||||
| -rw-r--r-- | README.adoc | 6 | ||||
| -rw-r--r-- | cmd/rescached/main.go | 10 | ||||
| -rw-r--r-- | cmd/rescached/rescached.cfg | 50 | ||||
| -rw-r--r-- | doc/rescached.cfg.adoc | 58 | ||||
| -rw-r--r-- | go.mod | 4 | ||||
| -rw-r--r-- | go.sum | 4 | ||||
| -rw-r--r-- | options.go | 2 | ||||
| -rw-r--r-- | rescached.go | 3 |
9 files changed, 78 insertions, 61 deletions
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index 9870d2b..56eec58 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -7,6 +7,8 @@ and watching changes from system resolv.conf.
 == New Features
+* Support serving and forwarding DNS over TLS
+
 * Add launchd script for macOS and make tasks to install and uninstall on macOS
diff --git a/README.adoc b/README.adoc
index ad1e10e..50899b3 100644
--- a/README.adoc
+++ b/README.adoc
@@ -317,12 +317,10 @@ To enable this feature rescached provided TLS certificate and private key. Example configuration in *rescached.cfg*,
 ----
- [rescached]
- tls.certificate = /etc/rescached/localhost.cert.pem
- tls.private_key = /etc/rescached/localhost.key.pem
-
 [dns "server"]
 parent = https://kilabit.info/dns-query
+ tls.certificate = /etc/rescached/localhost.cert.pem
+ tls.private_key = /etc/rescached/localhost.key.pem
 tls.allow_insecure = false
 ----
diff --git a/cmd/rescached/main.go b/cmd/rescached/main.go
index b0b780b..58541f5 100644
--- a/cmd/rescached/main.go
+++ b/cmd/rescached/main.go
@@ -5,7 +5,6 @@ package main
 import (
- "crypto/tls"
 "flag"
 "fmt"
 "io/ioutil"
@@ -34,15 +33,6 @@ func parseConfig(file string) (opts *rescached.Options) {
 return opts
 }
- if len(opts.TLSCertFile) > 0 && len(opts.TLSPrivateKey) > 0 {
- cert, err := tls.LoadX509KeyPair(opts.TLSCertFile, opts.TLSPrivateKey)
- if err != nil {
- log.Println("rescached: error loading certificate: " + err.Error())
- } else {
- opts.TLSCertificate = &cert
- }
- }
-
 debug.Value = opts.Debug
 return opts
diff --git a/cmd/rescached/rescached.cfg b/cmd/rescached/rescached.cfg
index de8d747..41f229f 100644
--- a/cmd/rescached/rescached.cfg
+++ b/cmd/rescached/rescached.cfg
@@ -1,21 +1,6 @@
 [rescached]
 ##
-## tls.certificate:: path to certificate file to serve DNS over HTTPS.
-## Default:: "" (empty)
-##
-
-#tls.certificate = /etc/rescached/localhost.cert.pem
-
-##
-## tls.private_key:: path to certificate's private key file to serve
-## DNS over HTTPS.
-## Default:: "" (empty)
-##
-
-#tls.private_key = /etc/rescached/localhost.key.pem
-
-##
 ## dir.hosts:: If its set, rescached will load all (host) files in path.
 ## if its empty, it will skip loading hosts files even in default location.
 ##
@@ -101,8 +86,30 @@ listen=127.0.0.1:53
 #http.port = 443
 ##
+## tls.port:: port to serve DNS over TLS.
+## Default:: 853
+##
+
+#tls.port = 853
+
+##
+## tls.certificate:: path to certificate file to serve DNS over TLS and HTTPS.
+## Default:: "" (empty)
+##
+
+#tls.certificate = /etc/rescached/localhost.cert.pem
+
+##
+## tls.private_key:: path to certificate's private key file to serve
+## DNS over TLS and HTTPS.
+## Default:: "" (empty)
+##
+
+#tls.private_key = /etc/rescached/localhost.key.pem
+
+##
 ## tls.allow_insecure:: If its true, allow serving self signed
-## certificate on DoH connection.
+## certificate on DoH and TLS server.
 ##
 ## Format:: true | false
 ## Default:: false
@@ -111,6 +118,17 @@ listen=127.0.0.1:53
 #tls.allow_insecure = false
 ##
+## doh.behind_proxy:: If its true, serve DNS over HTTP only, even if
+## certificate files is defined.
+## This allow serving DNS request forwarded by another proxy server.
+##
+## Format:: true | false
+## Default:: false
+##
+
+#doh.behind_proxy = false
+
+##
 ## cache.prune_delay:: Delay for pruning worker.
 ## Every N seconds/minutes/hours, DNS server will traverse all caches and
 ## remove response that has not been accessed less than "cache.threshold".
diff --git a/doc/rescached.cfg.adoc b/doc/rescached.cfg.adoc
index 8a2af0a..715b08a 100644
--- a/doc/rescached.cfg.adoc
+++ b/doc/rescached.cfg.adoc
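Review bot: The new `tls.allow_insecure` text in the cfg hunk (`## certificate on DoH and TLS server.`) only describes the serving side, yet this commit also adds forwarding over TLS and the README example places the option under `[dns "server"]` next to `parent = https://...`; if the same flag also disables verification of the parent's certificate when forwarding (the implementation lives in the share library and is not visible here), the comment must say so, because that turns a "self-signed cert for local testing" knob into one that silently permits an on-path attacker to impersonate the upstream resolver. Suggested wording: `## tls.allow_insecure:: If its true, allow serving self signed certificate on DoH and TLS server. Check whether this also skips verification of the parent resolver's TLS certificate when forwarding; if it does, never enable it outside of testing.` The `doh.behind_proxy` comment should likewise warn that plain-HTTP serving must only be reachable from the reverse proxy, e.g. `## Only enable this when the HTTP listener is not exposed directly; DNS over plain HTTP is unencrypted.` A one-line note on `tls.private_key` that the key file should be readable only by the rescached user would round this out.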
@@ -37,21 +37,6 @@ in square bracket: This group of options contain the main configuration that related to rescached.
-[[tls.certificate]]
-==== +tls.certificate+
-
-Format:: /path/to/file
-Default:: (empty)
-Description:: Path to certificate file to serve DNS over HTTPS.
-
-
-[[tls.private_key]]
-==== +tls.private_key+
-
-Format:: /path/to/file
-Default:: (empty)
-Description:: Path to certificate private key file to serve DNS over HTTPS.
-
 [[dir.hosts]]
 ==== +dir.hosts+
@@ -165,6 +150,35 @@ query from client. If you want rescached to serve a query from another host in your local network, change this value to +0.0.0.0:53+.
+[[http.port]]
+==== +http.port+
+
+Format:: Number
+Default:: 443
+Description:: Port to serve DNS over HTTPS.
+
+[[tls.port]]
+==== +tls.port+
+
+Format:: Number
+Default:: 853
+Description:: Port to listen for DNS over TLS
+
+[[tls.certificate]]
+==== +tls.certificate+
+
+Format:: /path/to/file
+Default:: (empty)
+Description:: Path to certificate file to serve DNS over TLS and HTTPS.
+
+
+[[tls.private_key]]
+==== +tls.private_key+
+
+Format:: /path/to/file
+Default:: (empty)
+Description:: Path to certificate private key file to serve DNS over TLS and
+HTTPS.
 [[tls.allow_insecure]]
 ==== +tls.allow_insecure+
@@ -173,14 +187,14 @@ Format:: true | false Default:: false Description:: If its true, the certificate is self-signed.
+[[doh.behind_proxy]]
+==== +doh.behind_proxy+
-[[http.port]]
-==== +http.port+
-
-Format:: Number
-Default:: 443
-Description:: Port to serve DNS over HTTPS.
-
+Format:: true | false
+Default:: false
+Description:: If its true, serve DNS over HTTP only, even if
+certificate files is defined.
+This allow serving DNS request forwarded by another proxy server.
 [[cache.prune_delay]]
 ==== +cache.prune_delay+
@@ -1,8 +1,8 @@
 module github.com/shuLhan/rescached-go/v3
-go 1.11
+go 1.13
 require (
- github.com/shuLhan/share v0.9.1-0.20191016132846-c698f9750a2a
+ github.com/shuLhan/share v0.9.1-0.20191017163223-a19f1f0a7d65
 golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 // indirect
 )
@@ -1,5 +1,5 @@
-github.com/shuLhan/share v0.9.1-0.20191016132846-c698f9750a2a h1:KEpcbL7cEpR7Tsk87TKp5Uov7rgB79dMm4rnxP6k15A=
-github.com/shuLhan/share v0.9.1-0.20191016132846-c698f9750a2a/go.mod h1:1+SBspKy8sF3BkQ83Jov/CDul+2e4Y3nr+izWC3hDhI=
+github.com/shuLhan/share v0.9.1-0.20191017163223-a19f1f0a7d65 h1:ujqTpkTXTT6MhQsJhTOt9aOnTKnZC2sOTGbKoWU2pMQ=
+github.com/shuLhan/share v0.9.1-0.20191017163223-a19f1f0a7d65/go.mod h1:1+SBspKy8sF3BkQ83Jov/CDul+2e4Y3nr+izWC3hDhI=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190926114937-fa1a29108794/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -18,8 +18,6 @@ import (
 //
 type Options struct {
 dns.ServerOptions
- TLSCertFile string `ini:"rescached::tls.certificate"`
- TLSPrivateKey string `ini:"rescached::tls.private_key"`
 DirHosts string `ini:"rescached::dir.hosts"`
 DirMaster string `ini:"rescached::dir.master"`
 FileResolvConf string `ini:"rescached::file.resolvconf"`
diff --git a/rescached.go b/rescached.go
index cc08173..6fce494 100644
--- a/rescached.go
+++ b/rescached.go
@@ -57,9 +57,6 @@ func New(opts *Options) (srv *Server, err error) {
 // it.
 //
 func (srv *Server) Start() (err error) {
- fmt.Printf("= Listening on %q (UDP and TCP) and port %d for HTTP(S)\n",
- srv.opts.ListenAddress, srv.opts.HTTPPort)
-
 if len(srv.opts.FileResolvConf) > 0 {
 _, err = libio.NewWatcher(srv.opts.FileResolvConf, 0, srv.watchResolvConf)
 if err != nil { |
