authorShulhan <ms@kilabit.info>2018-09-26 23:44:05 +0700
committerShulhan <ms@kilabit.info>2018-09-26 23:44:05 +0700
commit31fd616489d2b62fc23754e31a85522e7108761d (patch)
treec4efd5d8cf74f64b67063128617d37c911afca71 /cmd
parent4a365cc96ab0a2d5f3f99554bae3ae646c15fbd1 (diff)
Add option to allow insecure connection to DoH server
Diffstat (limited to 'cmd')
-rw-r--r--cmd/rescached/config.go61
-rw-r--r--cmd/rescached/main.go23
-rw-r--r--cmd/rescached/rescached.cfg10
3 files changed, 54 insertions, 40 deletions
diff --git a/cmd/rescached/config.go b/cmd/rescached/config.go
index 2d449c8..1fef63b 100644
--- a/cmd/rescached/config.go
+++ b/cmd/rescached/config.go
@@ -24,18 +24,19 @@ const (
// List of config keys.
const (
- cfgKeyCachePruneDelay = "cache.prune_delay"
- cfgKeyCacheThreshold = "cache.threshold"
- cfgKeyDebug = "debug"
- cfgKeyFilePID = "file.pid"
- cfgKeyFileResolvConf = "file.resolvconf"
- cfgKeyFileCert = "server.file.certificate"
- cfgKeyFileCertKey = "server.file.certificate.key"
- cfgKeyListenAddress = "server.listen"
- cfgKeyListenPortDoH = "server.listen.port.doh"
- cfgKeyNSNetwork = "server.parent.connection"
- cfgKeyNSParent = "server.parent"
- cfgKeyTimeout = "server.timeout"
+ cfgKeyCachePruneDelay = "cache.prune_delay"
+ cfgKeyCacheThreshold = "cache.threshold"
+ cfgKeyDebug = "debug"
+ cfgKeyFilePID = "file.pid"
+ cfgKeyFileResolvConf = "file.resolvconf"
+ cfgKeyFileCert = "server.file.certificate"
+ cfgKeyFileCertKey = "server.file.certificate.key"
+ cfgKeyListenAddress = "server.listen"
+ cfgKeyListenPortDoH = "server.listen.port.doh"
+ cfgKeyParentAllowInsecure = "server.parent.allow_insecure"
+ cfgKeyNSNetwork = "server.parent.connection"
+ cfgKeyNSParent = "server.parent"
+ cfgKeyTimeout = "server.timeout"
)
// List of default values.
@@ -59,23 +60,24 @@ var (
)
type config struct {
- connType int
- filePID string
- fileResolvConf string
- fileDoHCert string
- fileDoHCertKey string
- nsParents []*net.UDPAddr
- dohParents []string
- listenAddress string
- listenPort uint16
- listenDoHPort uint16
- timeout time.Duration
- dirHosts string
- dirMaster string
- cachePruneDelay time.Duration
- cacheThreshold time.Duration
- debugLevel byte
- in *ini.Ini
+ connType int
+ filePID string
+ fileResolvConf string
+ fileDoHCert string
+ fileDoHCertKey string
+ nsParents []*net.UDPAddr
+ dohParents []string
+ dohAllowInsecure bool
+ listenAddress string
+ listenPort uint16
+ listenDoHPort uint16
+ timeout time.Duration
+ dirHosts string
+ dirMaster string
+ cachePruneDelay time.Duration
+ cacheThreshold time.Duration
+ debugLevel byte
+ in *ini.Ini
}
func newConfig(file string) (*config, error) {
@@ -92,6 +94,7 @@ func newConfig(file string) (*config, error) {
cfg.fileResolvConf = cfg.in.GetString(cfgSecRescached, "", cfgKeyFileResolvConf, "")
cfg.fileDoHCert = cfg.in.GetString(cfgSecRescached, "", cfgKeyFileCert, "")
cfg.fileDoHCertKey = cfg.in.GetString(cfgSecRescached, "", cfgKeyFileCertKey, "")
+ cfg.dohAllowInsecure = cfg.in.GetBool(cfgSecRescached, "", cfgKeyParentAllowInsecure, false)
err = cfg.parseParentConnection()
if err != nil {
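Review bot: `cfg.dohAllowInsecure` is read from the file silently, so a deployment that leaves `server.parent.allow_insecure = true` in place after testing gives no sign that TLS checks toward the DoH parent are relaxed. Log once when the flag is set, for example `if cfg.dohAllowInsecure { log.Println("rescached: server.parent.allow_insecure is enabled, DoH parent certificate is not verified") }`, assuming `log` is available in this file. What the flag actually relaxes is inferred from its name, because the library side is outside this diff (the diffstat is limited to 'cmd'). The value is also read whatever `server.parent.connection` is set to, so the warning is best emitted only when the connection type is DoH. The body of newConfig continues outside the hunk.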
diff --git a/cmd/rescached/main.go b/cmd/rescached/main.go
index 30ecaa7..30ed287 100644
--- a/cmd/rescached/main.go
+++ b/cmd/rescached/main.go
@@ -44,17 +44,18 @@ func createRescachedServer(fileConfig string) {
rescached.DebugLevel = cfg.debugLevel
opts := &rescached.Options{
- ConnType: cfg.connType,
- ListenAddress: cfg.listenAddress,
- ListenPort: cfg.listenPort,
- ListenDoHPort: cfg.listenDoHPort,
- NSParents: cfg.nsParents,
- DoHParents: cfg.dohParents,
- CachePruneDelay: cfg.cachePruneDelay,
- CacheThreshold: cfg.cacheThreshold,
- FileResolvConf: cfg.fileResolvConf,
- FileCert: cfg.fileDoHCert,
- FileCertKey: cfg.fileDoHCertKey,
+ ConnType: cfg.connType,
+ ListenAddress: cfg.listenAddress,
+ ListenPort: cfg.listenPort,
+ ListenDoHPort: cfg.listenDoHPort,
+ NSParents: cfg.nsParents,
+ DoHParents: cfg.dohParents,
+ DoHAllowInsecure: cfg.dohAllowInsecure,
+ CachePruneDelay: cfg.cachePruneDelay,
+ CacheThreshold: cfg.cacheThreshold,
+ FileResolvConf: cfg.fileResolvConf,
+ FileCert: cfg.fileDoHCert,
+ FileCertKey: cfg.fileDoHCertKey,
}
rcd, err = rescached.New(opts)
diff --git a/cmd/rescached/rescached.cfg b/cmd/rescached/rescached.cfg
index 65a8511..ca8dadf 100644
--- a/cmd/rescached/rescached.cfg
+++ b/cmd/rescached/rescached.cfg
@@ -24,6 +24,16 @@ server.parent.connection=udp
#server.parent.connection=doh
##
+## server.parent.allow_insecure:: If its true, allow insecure TLS connection
+## to parent server when connection is "doh".
+##
+## Format:: true | false
+## Default:: false
+##
+
+#server.parent.allow_insecure = false
+
+##
## server.listen:: Local IP address that rescached will listening for client
## request.
##