diff --git a/Dockerfile b/Dockerfile
index 5ceb490..1e9049c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,12 +20,12 @@ ENV SPOOF_ALL_DOMAINS=false
 ENV DNYDNS_CRON_SCHEDULE="*/15 * * * *"
 # HEALTHCHECKS
-HEALTHCHECK --interval=30s --timeout=3s CMD (pgrep "dnsdist" > /dev/null && pgrep "sniproxy" > /dev/null) || exit 1
+HEALTHCHECK --interval=30s --timeout=3s CMD (pgrep "dnsdist" > /dev/null && pgrep "nginx" > /dev/null) || exit 1
 # Expose Ports
 EXPOSE 5300/udp
-EXPOSE 80/tcp
-EXPOSE 443/tcp
+EXPOSE 8080/tcp
+EXPOSE 8443/tcp
 EXPOSE 8083/tcp
 RUN echo "I'm building for $TARGETPLATFORM"
@@ -33,38 +33,34 @@ RUN echo "I'm building for $TARGETPLATFORM"
 # Update Base
 RUN apk update && apk upgrade
+# Create Users
+RUN addgroup snidust && adduser -D -H -G snidust snidust
+
 # Install needed packages and clean up
-RUN apk add --no-cache tini dnsdist curl bash gnupg procps ca-certificates openssl dog lua5.4-filesystem ipcalc libcap && rm -rf /var/cache/apk/*
+RUN apk add --no-cache tini dnsdist curl bash gnupg procps ca-certificates openssl dog lua5.4-filesystem ipcalc libcap nginx nginx-mod-stream && rm -rf /var/cache/apk/*
 # Setup Folder(s)
 RUN mkdir -p /etc/dnsdist/conf.d && \
 mkdir -p /etc/snidust/ && \
 mkdir -p /etc/sniproxy/
-# Download and install sniproxy
-RUN ARCH=$(case ${TARGETPLATFORM:-linux/amd64} in \
- "linux/amd64") echo "amd64" ;; \
- "linux/arm/v7") echo "arm" ;; \
- "linux/arm64") echo "arm64" ;; \
- *) echo "" ;; esac) \
- && echo "ARCH=$ARCH" \
- && curl -sSL https://github.com/mosajjal/sniproxy/releases/download/v2.0.4/sniproxy-v2.0.4-linux-${ARCH}.tar.gz | tar xvz \
- && chmod +x sniproxy && install sniproxy /usr/local/bin && setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/sniproxy && rm sniproxy
-
 # Copy Files
 COPY configs/dnsdist/dnsdist.conf.template /etc/dnsdist/dnsdist.conf.template
 COPY configs/dnsdist/conf.d/00-SniDust.conf /etc/dnsdist/conf.d/00-SniDust.conf
+COPY configs/nginx/nginx.conf /etc/nginx/nginx.conf
 COPY domains.d /etc/snidust/domains.d
-COPY configs/sniproxy/config.yaml /etc/sniproxy/config.yaml
 COPY entrypoint.sh /entrypoint.sh
 COPY generateACL.sh /generateACL.sh
 COPY dynDNSCron.sh /dynDNSCron.sh
-RUN addgroup snidust && adduser -D -H -G snidust snidust
+
 RUN chown -R snidust:snidust /etc/dnsdist/ && \
- chown -R snidust:snidust /etc/sniproxy/ && \
+ chown -R snidust:snidust /etc/nginx/ && \
+ chown -R snidust:snidust /var/log/nginx/ && \
+ chown -R snidust:snidust /var/lib/nginx/ && \
+ chown -R snidust:snidust /run/nginx/ && \
 chmod +x /entrypoint.sh && \
 chmod +x /generateACL.sh && \
 chmod +x dynDNSCron.sh
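Review bot: `chown -R snidust:snidust /etc/nginx/` hands the unprivileged service user write access to the whole nginx configuration tree, including the nginx.conf copied a few lines earlier, while the only file that must be writable at runtime is the generated allowedClients.conf that generateACL.sh produces. Restricting ownership to that one file keeps a compromise of the ACL-generation path from being able to rewrite the proxy configuration: `RUN touch /etc/nginx/allowedClients.conf && chown snidust:snidust /etc/nginx/allowedClients.conf` in place of the recursive chown of /etc/nginx/, which also guarantees the `include` in nginx.conf resolves on first start. The `mkdir -p /etc/sniproxy/` in the Setup Folder(s) step is now a leftover, since this hunk removes the sniproxy download and config copy. Whether /run/nginx/ exists at build time depends on the nginx package's install scripts, which are not visible here; if it does not, the `chown -R` on it fails the build.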
diff --git a/README.md b/README.md
index 187a0d8..8b08fe4 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ You will need a VPS or a Root Server where you can install [Docker](https://www.
 ```
 ## run this in your terminal or use your webbrowser
-curl https://ifconfig.me
+curl https://ifconfig.co
 ```
 For this **example** lets assume your public ip (of your *client*) is `10.111.123.7`
 Since version `v1.0.8` you can also use DynDNS. In this case just use your DynDNS domain eg. `myDynDNSDomain.no-ip.com`
@@ -30,14 +30,14 @@ Since version `v1.0.8` you can also use DynDNS. In this case just use your DynDN
 ### Get your IP of your Server
 ```
-curl https://ifconfig.me
+curl https://ifconfig.co
 ```
 For this **example** lets assume your public ip (of your *server*) is `10.111.123.8`
 ### Run SniDust on your Server
 ```
-docker run -d --name snidust -e ALLOWED_CLIENTS="127.0.0.1, 10.111.123.7, myDynDNSDomain.no-ip.com" -e EXTERNAL_IP=10.111.123.8 -p 443:443 -p 80:80 -p 53:5300/udp ghcr.io/seji64/snidust:main
+docker run -d --name snidust -e ALLOWED_CLIENTS="127.0.0.1, 10.111.123.7, myDynDNSDomain.no-ip.com" -e EXTERNAL_IP=10.111.123.8 -p 443:8443 -p 80:8080 -p 53:5300/udp ghcr.io/seji64/snidust:main
 ```
 Or if you use docker compose:
@@ -48,12 +48,12 @@ services:
 snidust:
 container_name: snidust
 environment:
- - ALLOWED_CLIENTS=127.0.0.1, 10.111.123.7, myDynDNSDomain.no-ip.com
- - EXTERNAL_IP=10.111.123.8
+ - 'ALLOWED_CLIENTS=127.0.0.1, 10.111.123.7, myDynDNSDomain.no-ip.com'
+ - 'EXTERNAL_IP=10.111.123.8'
 - SPOOF_ALL_DOMAINS=false # Set to true (case sensitive!) if you want to spoof ALL domains.
 ports:
- - 443:443
- - 80:80
+ - 443:8443
+ - 80:8080
 - 53:5300/udp
 - image: 'ghcr.io/seji64/snidust:main'
 ```
@@ -136,7 +136,7 @@ Create a file with the name `99-custom.lst`. Insert all your custom domains in t
 #### Mount it
 ```bash
-docker run --name snidust -e ALLOWED_CLIENTS="127.0.0.1, 10.111.123.7" -e EXTERNAL_IP=10.111.123.8 -p 443:443 -p 80:80 -p 53:5300/udp -v ~/99-custom.lst:/etc/snidust/domains.d/99-custom.lst:ro ghcr.io/seji64/snidust:main
+docker run --name snidust -e ALLOWED_CLIENTS="127.0.0.1, 10.111.123.7" -e EXTERNAL_IP=10.111.123.8 -p 443:8443 -p 80:8080 -p 53:5300/udp -v ~/99-custom.lst:/etc/snidust/domains.d/99-custom.lst:ro ghcr.io/seji64/snidust:main
 ```
 Or if you use docker-compose:
@@ -150,8 +150,8 @@ services:
 - 'ALLOWED_CLIENTS=127.0.0.1, 10.111.123.7'
 - EXTERNAL_IP=10.111.123.8
 ports:
- - '443:443'
- - '80:80'
+ - '443:8443'
+ - '80:8080'
 - '53:5300/udp'
 volumes:
 - '~/99-custom.lst:/etc/snidust/domains.d/99-custom.lst:ro'
@@ -188,8 +188,8 @@ services:
 - 'ALLOWED_CLIENTS_FILE=/tmp/myacls.acl'
 - EXTERNAL_IP=10.111.123.8
 ports:
- - '443:443'
- - '80:80'
+ - '443:8443'
+ - '80:8080'
 - '53:5300/udp'
 volumes:
 - '~/myacls.acl:/tmp/myacls.acl:ro'
diff --git a/configs/dnsdist/conf.d/00-SniDust.conf b/configs/dnsdist/conf.d/00-SniDust.conf
index a566ddc..e932751 100644
--- a/configs/dnsdist/conf.d/00-SniDust.conf
+++ b/configs/dnsdist/conf.d/00-SniDust.conf
@@ -57,7 +57,7 @@ function ReloadACL(dq)
 dq.dh:setQR(true)
 infolog("[INFO] [SniDust] *** Reloading ACL... ***")
- os.execute("/generateACL.sh && touch /tmp/reload_sni_proxy && PID_SNIPROXY=$(pidof sniproxy) && kill -HUP $PID_SNIPROXY")
+ os.execute("/generateACL.sh && /usr/sbin/nginx -s reload")
 setACLFromFile("/etc/dnsdist/allowedClients.acl")
 infolog("[INFO] [SniDust] *** ACL reload complete! ***")
diff --git a/configs/nginx/nginx.conf b/configs/nginx/nginx.conf
new file mode 100644
index 0000000..c6439ce
--- /dev/null
+++ b/configs/nginx/nginx.conf
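Review bot: The result of `os.execute("/generateACL.sh && /usr/sbin/nginx -s reload")` is discarded, so a failed ACL regeneration or reload is still followed by the "ACL reload complete!" message and by `setACLFromFile`, leaving dnsdist and nginx with different views of the allow list. This matters because entrypoint.sh starts dnsdist with `--uid snidust --gid snidust`, so this command runs as that user, while `nginx -s reload` signals the nginx master started by the entrypoint; if that master runs as a different user the signal is refused and the nginx allow list silently stays stale. Check the status and log it, e.g. `if not os.execute("/generateACL.sh && /usr/sbin/nginx -s reload") then errlog("[SniDust] ACL regeneration or nginx reload failed") end` (Lua 5.2+ return convention), and give the reload an explicit privilege boundary by running the nginx master as the same user. The rest of ReloadACL lies outside the hunk.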
@@ -0,0 +1,42 @@
+load_module '/usr/lib/nginx/modules/ngx_stream_module.so';
+worker_processes auto;
+worker_rlimit_nofile 35000;
+events {
+ worker_connections 15000;
+ multi_accept off;
+}
+
+http {
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+ server {
+ listen 8080 default_server;
+ listen [::]:8080 default_server;
+ resolver 8.8.8.8 ipv6=off;
+ include /etc/nginx/allowedClients.conf;
+ location / {
+ proxy_pass http://$host$request_uri;
+ }
+ }
+
+}
+
+
+stream {
+ log_format basic '$remote_addr [$time_local] '
+ '$protocol $status $bytes_sent $bytes_received '
+ '$session_time';
+
+ access_log /var/log/nginx/access.log basic;
+ error_log /var/log/nginx/error.log error;
+
+ server {
+ resolver 1.1.1.1 ipv6=off;
+ listen 8443;
+ include /etc/nginx/allowedClients.conf;
+ ssl_preread on;
+ proxy_connect_timeout 5s;
+ proxy_pass $ssl_preread_server_name:443;
+ }
+}
\ No newline at end of file
diff --git a/configs/sniproxy/config.yaml b/configs/sniproxy/config.yaml
deleted file mode 100644
index 279669d..0000000
--- a/configs/sniproxy/config.yaml
+++ /dev/null
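Review bot: Both server blocks rely entirely on `include /etc/nginx/allowedClients.conf;` for access control and carry no `deny` of their own, so whenever that file is empty — which the generateACL.sh hunk in this commit produces through its new `else` branch (a bare `touch`) when /etc/dnsdist/allowedClients.acl is absent — the HTTP forward proxy (`proxy_pass http://$host$request_uri;`) and the TLS SNI passthrough on 8443 accept connections from any source. Add `deny all;` directly after each include line, in the http server and in the stream server, so the allow entries from the generated file are matched first and every other client is refused regardless of what generateACL.sh wrote. The same fail-open applies to that generateACL.sh else branch, which should emit `deny all;` rather than an empty file. There is also no `user` directive, so worker privileges fall to the package's compiled-in default; if the intent is that workers run as the snidust account the Dockerfile creates, state `user snidust;` explicitly.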
@@ -1,67 +0,0 @@
-general:
- # Upsteam DNS URI. examples: Upstream DNS URI. examples: udp://1.1.1.1:53, tcp://1.1.1.1:53, tcp-tls://1.1.1.1:853, https://dns.google/dns-query
- upstream_dns: udp://8.8.8.8:53
- # enable send DNS through socks5
- upstream_dns_over_socks5: false
- # Use a SOCKS proxy for upstream HTTP/HTTPS traffic. Example: socks5://admin:
- upstream_socks5:
- # DNS Port to listen on. Should remain 53 in most cases. MUST NOT be empty. Bind to dummy Port cause we use dnsdist
- bind_dns_over_udp: "127.0.0.1:1234"
- # enable DNS over TCP. empty disables it. example: "127.0.0.1:53"
- bind_dns_over_tcp:
- # enable DNS over TLS. empty disables it. example: "127.0.0.1:853"
- bind_dns_over_tls:
- # enable DNS over QUIC. empty disables it. example: "127.0.0.1:8853"
- bind_dns_over_quic:
- # Path to the certificate for DoH, DoT and DoQ. eg: /tmp/mycert.pem
- tls_cert:
- # Path to the certificate key for DoH, DoT and DoQ. eg: /tmp/mycert.key
- tls_key:
- # HTTP Port to listen on. Should remain 80 in most cases
- bind_http: "0.0.0.0:80"
- # HTTPS Port to listen on. Should remain 443 in most cases
- bind_https: "0.0.0.0:443"
- # Enable prometheus endpoint on IP:PORT. example: 127.0.0.1:8080. Always exposes /metrics and only supports HTTP
- bind_prometheus:
- # Interface used for outbound TLS connections. uses OS prefered one if empty
- interface:
- # Public IPv4 of the server, reply address of DNS A queries
- public_ipv4: 127.0.0.1 # Dummy IP to supress "error" message
- # Public IPv6 of the server, reply address of DNS AAAA queries
- public_ipv6: ::1 # Dummy IP to supress "error" message
- # log level for the application. choices: debug, info, warn, error
- # by default, the logs are colored so they are not suited for logging to a file.
- # in order to disable colors, set NO_COLOR=true in the environment variables
- log_level: error
-
-acl:
- # geoip filtering
- #
- # the logic is as follows:
- # 1. 
if mmdb is not loaded or not available, it's fail-open (allow by default)
- # 2. if the IP can't be resolved to a country, it's rejected
- # 3. if the country is in the blocked list, it's rejected
- # 4. if the country is in the allowed list, it's allowed
- # note that the reject list is checked first and takes priority over the allow list
- # if the IP's country doesn't match any of the above, it's allowed if the blocked list is not empty
- # for example, if the blockedlist is [US] and the allowedlist is empty, a connection from
- CA will be allowed. but if blockedlist is empty and allowedlist is [US], a connection from
- CA will be rejected.
- geoip:
- enabled: false
- # domain filtering
- domain:
- enabled: false # false means ALL domains will be allowed to go through the proxy
- # IP/CIDR filtering
- cidr:
- enabled: true
- # priority of the cidr filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order
- priority: 10
- # Path to the CIDR list. eg: /tmp/cidr.csv. Look at the example file for the format.
- path: /etc/sniproxy/allowedClients.acl
- # Interval to re-fetch the cidr list
- refresh_interval: 1h0m0s
- # FQDN override. This ACL is used to override the destination IP to not be the one resolved by the upstream DNS or the proxy itself, rather a custom IP and port
- # if the destination is HTTP, it uses tls_cert and tls_key certificate to terminate the original connection.
- override:
- enabled: false
diff --git a/dynDNSCron.sh b/dynDNSCron.sh
index 74fe0de..22b6efb 100644
--- a/dynDNSCron.sh
+++ b/dynDNSCron.sh
@@ -11,8 +11,7 @@ else
 echo "[ERROR] [DnyDNSCron] Failed to reload DnsDist ACL config!"
 fi
-touch /tmp/reload_sni_proxy
-echo "[INFO] [DnyDNSCron] Reloading/Restarting Sniproxy..."
-PID_SNIPROXY=$(pidof sniproxy)
-kill -HUP $PID_SNIPROXY
-echo "[INFO] [DnyDNSCron] Sniproxy successfully reloaded/restarted"
\ No newline at end of file
+
+echo "[INFO] [DnyDNSCron] reloading nginx..."
+/usr/sbin/nginx -s reload
+echo "[INFO] [DnyDNSCron] ngix successfully reloaded"
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
index 1a400dc..00f1b1a 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -28,7 +28,7 @@ source generateACL.sh
 set -e
-echo "[INFO] Generating DNSDist Configs..."
+echo "[INFO] Generating DNSDist Config..."
 /bin/bash /etc/dnsdist/dnsdist.conf.template > /etc/dnsdist/dnsdist.conf
 if [ "$DYNDNS_CRON_ENABLED" = true ];
@@ -41,16 +41,9 @@ fi
 echo "[INFO] Starting DNSDist..."
 /usr/bin/dnsdist -C /etc/dnsdist/dnsdist.conf --supervised --disable-syslog --uid snidust --gid snidust &
-echo "[INFO] Starting sniproxy"
-(until /usr/local/bin/sniproxy --config "/etc/sniproxy/config.yaml"; do
- if [ -f "/tmp/reload_sni_proxy" ];
- then
- # ignore => restarted by cron
- rm -f /tmp/reload_sni_proxy
- else
- echo "[WARN] sniproxy crashed with exit code $?. Restarting..." >&2
- fi
- sleep 1
-done) &
+
+echo "[INFO] Starting nginx.."
+nginx
+
 echo "[INFO] Using $EXTERNAL_IP - Point your DNS settings to this address"
 wait -n
diff --git a/generateACL.sh b/generateACL.sh
index f5950d6..9e379c8 100644
--- a/generateACL.sh
+++ b/generateACL.sh
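Review bot: The exit status of `/usr/sbin/nginx -s reload` is never checked, so the script prints "ngix successfully reloaded" (also a typo for nginx) even when the reload fails, which is inconsistent with the dnsdist branch directly above that has an `[ERROR]` path. Since this cron job is what refreshes the allow list after a DynDNS address changes, a silent failure leaves stale client addresses allowed through the proxy with a log line claiming success. Whether the reload can succeed at all depends on which user crond runs this script as relative to the nginx master started in entrypoint.sh, which is not visible here. The top of the script, including the dnsdist reload branch, lies outside the hunk.
```shell
echo "[INFO] [DnyDNSCron] reloading nginx..."
if /usr/sbin/nginx -s reload; then
  echo "[INFO] [DnyDNSCron] nginx successfully reloaded"
else
  echo "[ERROR] [DnyDNSCron] Failed to reload nginx!" >&2
fi
```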
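Review bot: `nginx` is started without `-g 'daemon off;'`, so it forks into the background and the foreground command returns immediately; the `wait -n` at the end of the script therefore only ever observes dnsdist, and an nginx exit leaves the container running without a proxy until the HEALTHCHECK notices — the removed sniproxy loop at least restarted its process. Run it as a supervised background job like dnsdist, `nginx -g 'daemon off;' &`, so `wait -n` returns as soon as either process dies. The nginx master also inherits whatever user runs the entrypoint, while dnsdist is explicitly dropped to snidust with `--uid snidust --gid snidust`; both listeners are on the unprivileged ports 8080/8443, so nothing visible here requires the master to keep elevated privileges. The `set -e` and cron setup preceding this hunk are only partly visible.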
@@ -37,10 +37,12 @@ fi
 if [ -f "/etc/dnsdist/allowedClients.acl" ];
 then
- echo "" > /etc/sniproxy/allowedClients.acl
+ echo "" > etc/nginx/allowedClients.conf
 while read -r line
 do
- echo "$line,allow" >> /etc/sniproxy/allowedClients.acl
+ echo "allow $line;" >> /etc/nginx/allowedClients.conf
 done < "/etc/dnsdist/allowedClients.acl"
- echo "0.0.0.0/0,deny" >> /etc/sniproxy/allowedClients.acl
+ echo "deny all;" >> /etc/nginx/allowedClients.conf
+else
+ touch /etc/nginx/allowedClients.conf
 fi
\ No newline at end of file
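Review bot: `echo "" > etc/nginx/allowedClients.conf` uses a relative path (no leading `/`) while the appends below target `/etc/nginx/allowedClients.conf`, so the real include file is never truncated: every run appends the full set of `allow` lines plus another `deny all;`, and the relative write itself either fails or lands in an unrelated directory depending on the caller's working directory (entrypoint.sh sources this script, while dnsdist's ReloadACL and dynDNSCron.sh run it directly). Change the line to `: > /etc/nginx/allowedClients.conf` (or keep the `echo ""` with the absolute path). Since `$line` is written verbatim into nginx configuration, validating it as an IP address or CIDR before the append — `ipcalc` is installed in the image — is worthwhile even though the input file is produced earlier in this script, outside the hunk.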