authorShulhan <m.shulhan@gmail.com>2019-10-17 23:49:35 +0700
committerShulhan <m.shulhan@gmail.com>2019-10-17 23:49:35 +0700
commit8b7efbc45b4cc62640a7be70074e8d30e5707b10 (patch)
treed41c0fe7584dc33d0c19ac01929baf6e53fd5f58 /cmd
parent711e75f2b58a44b51b4c7a2b47a341c29a5e675a (diff)
rescached: support serving and forwarding DNS over TLS
Diffstat (limited to 'cmd')
-rw-r--r--cmd/rescached/main.go10
-rw-r--r--cmd/rescached/rescached.cfg50
2 files changed, 34 insertions, 26 deletions
diff --git a/cmd/rescached/main.go b/cmd/rescached/main.go
index b0b780b..58541f5 100644
--- a/cmd/rescached/main.go
+++ b/cmd/rescached/main.go
@@ -5,7 +5,6 @@
package main
import (
- "crypto/tls"
"flag"
"fmt"
"io/ioutil"
@@ -34,15 +33,6 @@ func parseConfig(file string) (opts *rescached.Options) {
return opts
}
- if len(opts.TLSCertFile) > 0 && len(opts.TLSPrivateKey) > 0 {
- cert, err := tls.LoadX509KeyPair(opts.TLSCertFile, opts.TLSPrivateKey)
- if err != nil {
- log.Println("rescached: error loading certificate: " + err.Error())
- } else {
- opts.TLSCertificate = &cert
- }
- }
-
debug.Value = opts.Debug
return opts
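Review bot: The removed block was the only place in parseConfig that checked the configured tls.certificate/tls.private_key pair could actually be loaded, and on failure it logged and fell back to serving without a certificate; the new parseConfig simply returns opts, so whether a bad path is reported at startup now depends on code outside this diff (presumably the rescached package, which the commit message says now handles TLS itself). Wherever that loading now happens, a load error should be surfaced at startup, by refusing to start or at least logging as the old code did, otherwise a mistyped path silently yields a server that never listens on TLS/HTTPS although the config suggests it does. Making the move explicit with a comment such as `// parseConfig does not load or validate the TLS key pair; that is done where the server is started.` would help the next reader, and the `crypto/tls` import removal in the first hunk is the consequence of this change. parseConfig's signature and the start of its body are outside the hunk.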
diff --git a/cmd/rescached/rescached.cfg b/cmd/rescached/rescached.cfg
index de8d747..41f229f 100644
--- a/cmd/rescached/rescached.cfg
+++ b/cmd/rescached/rescached.cfg
@@ -1,21 +1,6 @@
[rescached]
##
-## tls.certificate:: path to certificate file to serve DNS over HTTPS.
-## Default:: "" (empty)
-##
-
-#tls.certificate = /etc/rescached/localhost.cert.pem
-
-##
-## tls.private_key:: path to certificate's private key file to serve
-## DNS over HTTPS.
-## Default:: "" (empty)
-##
-
-#tls.private_key = /etc/rescached/localhost.key.pem
-
-##
## dir.hosts:: If its set, rescached will load all (host) files in path.
## if its empty, it will skip loading hosts files even in default location.
##
@@ -101,8 +86,30 @@ listen=127.0.0.1:53
#http.port = 443
##
+## tls.port:: port to serve DNS over TLS.
+## Default:: 853
+##
+
+#tls.port = 853
+
+##
+## tls.certificate:: path to certificate file to serve DNS over TLS and HTTPS.
+## Default:: "" (empty)
+##
+
+#tls.certificate = /etc/rescached/localhost.cert.pem
+
+##
+## tls.private_key:: path to certificate's private key file to serve
+## DNS over TLS and HTTPS.
+## Default:: "" (empty)
+##
+
+#tls.private_key = /etc/rescached/localhost.key.pem
+
+##
## tls.allow_insecure:: If its true, allow serving self signed
-## certificate on DoH connection.
+## certificate on DoH and TLS server.
##
## Format:: true | false
## Default:: false
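Review bot: The new tls.port entry does not say what happens when tls.certificate and tls.private_key are left at their empty default, nor whether the DNS-over-TLS listener uses the same address as `listen`; from this hunk alone a reader cannot tell if setting tls.port by itself opens a listener. If the listener is only started once both files are set, a line such as `## Only used when tls.certificate and tls.private_key are both set.` under the tls.port description would state that contract where operators will read it. The same note applies to the "DNS over TLS and HTTPS" wording on the certificate and private key entries, which now covers two listeners without saying whether one key pair serves both.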
@@ -111,6 +118,17 @@ listen=127.0.0.1:53
#tls.allow_insecure = false
##
+## doh.behind_proxy:: If its true, serve DNS over HTTP only, even if
+## certificate files is defined.
+## This allow serving DNS request forwarded by another proxy server.
+##
+## Format:: true | false
+## Default:: false
+##
+
+#doh.behind_proxy = false
+
+##
## cache.prune_delay:: Delay for pruning worker.
## Every N seconds/minutes/hours, DNS server will traverse all caches and
## remove response that has not been accessed less than "cache.threshold".
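Review bot: The new doh.behind_proxy description has grammar errors and leaves the resulting trust model implicit: with it enabled the DoH listener speaks plain HTTP, so the proxy in front is the component terminating TLS. Suggested wording: `## doh.behind_proxy:: If it is true, serve DNS over HTTP only, even if certificate files are defined.` followed by `## This allows serving DNS requests forwarded by another proxy server, which is then responsible for terminating TLS.`. Stating that expectation in the config comment is the cheapest way to keep operators from exposing the plain-HTTP listener directly.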