1 #pragma once
2 #include "iputils.hh"
3 #include "libssl.hh"
4
// Forward declaration only: DOHFrontend below holds a std::shared_ptr<DOHServerConfig>,
// which does not require the full definition in this header.
struct DOHServerConfig;
6
/// One entry of a DoH response map: a regular expression tested against an HTTP
/// request path (presumably the client-supplied path), plus the canned HTTP status
/// code, body and optional extra headers to answer with when it matches.  How the
/// entries are consulted is up to the caller (see DOHFrontend::d_responsesMap).
class DOHResponseMapEntry
{
public:
  /// Optional list of (name, value) HTTP headers added to the canned response.
  using Headers = boost::optional<std::vector<std::pair<std::string, std::string>>>;

  /// @param regex    pattern the request path is tested against; compiled into a Regex
  /// @param status   HTTP status code of the canned response
  /// @param content  body of the canned response
  /// @param headers  extra headers, or boost::none when there are none
  DOHResponseMapEntry(const std::string& regex, uint16_t status, const std::string& content, const Headers& headers) :
    d_regex(regex),
    d_customHeaders(headers),
    d_content(content),
    d_status(status)
  {
  }

  /// True when @p path matches this entry's regular expression.
  [[nodiscard]] bool matches(const std::string& path) const
  {
    const bool hit = d_regex.match(path);
    return hit;
  }

  /// HTTP status code to answer with.
  [[nodiscard]] uint16_t getStatusCode() const
  {
    return d_status;
  }

  /// Body of the canned response; the reference stays valid as long as this entry lives.
  [[nodiscard]] const std::string& getContent() const
  {
    return d_content;
  }

  /// Extra headers, if any were configured (boost::none otherwise).
  [[nodiscard]] const Headers& getHeaders() const
  {
    return d_customHeaders;
  }

private:
  Regex d_regex;
  Headers d_customHeaders;
  std::string d_content;
  uint16_t d_status;
};
40
/// One DNS-over-HTTPS listener: TLS material and policy, HTTP settings,
/// session-ticket key handling and per-frontend counters.  The TLS-related
/// members and methods are only implemented when built with HAVE_DNS_OVER_HTTPS;
/// the stubs below keep the rest of the program compiling without it.
struct DOHFrontend
{
  DOHFrontend()
  {
    // std::atomic_flag has no defined initial state when default-constructed
    // (before C++20), so clear it explicitly instead of relying on it.
    d_rotatingTicketsKey.clear();
  }

  // Server-side configuration for this frontend; DOHServerConfig is only forward-declared here.
  std::shared_ptr<DOHServerConfig> d_dsc{nullptr};
  // Certificate / key pairs — presumably file paths; confirm against the loading code.
  std::vector<std::pair<std::string, std::string>> d_certKeyPairs;
  // OCSP response files, by name — presumably stapled for the certificates above; confirm in reloadCertificates().
  std::vector<std::string> d_ocspFiles;
  // Canned responses: each entry exposes matches(path) for the request path (see DOHResponseMapEntry).
  std::vector<std::shared_ptr<DOHResponseMapEntry>> d_responsesMap;
  // Cipher configuration strings, by name: d_ciphers for TLS <= 1.2 and
  // d_ciphers13 for the TLS 1.3 ciphersuites; how an empty value is treated is decided in setup().
  std::string d_ciphers;
  std::string d_ciphers13;
  // Identification string presented to clients (presumably the HTTP Server header);
  // the default carries no version number, so it does not advertise the exact build.
  std::string d_serverTokens{"h2o/dnsdist"};
  // Lowest TLS protocol version accepted.  NOTE(review): the default admits
  // TLS 1.0 and 1.1, both deprecated by RFC 8996; operators should raise this
  // in configuration unless legacy clients genuinely require the old versions.
  LibsslTLSVersion d_minTLSVersion{LibsslTLSVersion::TLS10};
#ifdef HAVE_DNS_OVER_HTTPS
  // Ring of TLS session-ticket keys; getTicketsKeysCount() reports its size.
  std::unique_ptr<OpenSSLTLSTicketKeysRing> d_ticketKeys{nullptr};
#endif
  // Extra HTTP headers added to responses, by name — confirm in the response path.
  std::vector<std::pair<std::string, std::string>> d_customResponseHeaders;
  // Local address of this frontend (presumably the address it listens on).
  ComboAddress d_local;

  uint32_t d_idleTimeout{30}; // HTTP idle timeout in seconds
  // URL paths this frontend answers on, by name.
  std::vector<std::string> d_urls;
  // File the session-ticket keys are loaded from (see loadTicketsKeys()).
  std::string d_ticketKeyFile;

  // Interval between ticket-key rotations; 43200 is 12 hours if the unit is
  // seconds, as the time_t type and rotateTicketsKey(time_t now) suggest.
  time_t d_ticketsKeyRotationDelay{43200};
  // Upper bound on cached TLS sessions, by name.
  size_t d_maxStoredSessions{20480};
  // Number of ticket keys kept in the ring, by name — presumably passed to the ring on setup.
  uint8_t d_numberOfTicketsKeys{5};
  // Session tickets are on by default.  Compromise of a ticket key exposes the
  // sessions it protected, so regular rotation (d_ticketsKeyRotationDelay) matters.
  bool d_enableTickets{true};
  // Whether the server's cipher order takes precedence over the client's, by name.
  bool d_preferServerCiphers{false};

  // Per-frontend counters; atomic, so they are presumably updated from more than one thread.
  std::atomic<uint64_t> d_httpconnects{0}; // number of TCP/IP connections established
  std::atomic<uint64_t> d_getqueries{0}; // valid DNS queries received via GET
  std::atomic<uint64_t> d_postqueries{0}; // valid DNS queries received via POST
  std::atomic<uint64_t> d_badrequests{0}; // request could not be converted to dns query
  std::atomic<uint64_t> d_errorresponses{0}; // dnsdist set 'error' on response
  std::atomic<uint64_t> d_redirectresponses{0}; // dnsdist set 'redirect' on response
  std::atomic<uint64_t> d_validresponses{0}; // valid responses sent out

  // Counters kept separately per HTTP protocol version (see d_http1Stats / d_http2Stats).
  struct HTTPVersionStats
  {
    std::atomic<uint64_t> d_nbQueries{0}; // valid DNS queries received
    std::atomic<uint64_t> d_nb200Responses{0}; // responses sent with HTTP status 200
    std::atomic<uint64_t> d_nb400Responses{0}; // ... status 400
    std::atomic<uint64_t> d_nb403Responses{0}; // ... status 403
    std::atomic<uint64_t> d_nb500Responses{0}; // ... status 500
    std::atomic<uint64_t> d_nb502Responses{0}; // ... status 502
    std::atomic<uint64_t> d_nbOtherResponses{0}; // responses with any other status
  };

  HTTPVersionStats d_http1Stats;
  HTTPVersionStats d_http2Stats;


#ifndef HAVE_DNS_OVER_HTTPS
  // Without DoH support these are no-ops so that callers compile unchanged.
  void setup()
  {
  }

  void reloadCertificates()
  {
  }

  void rotateTicketsKey(time_t now)
  {
  }

  void loadTicketsKeys(const std::string& keyFile)
  {
  }

  void handleTicketsKeyRotation()
  {
  }

#else
  // Declarations only; the implementations live in the DoH source file.
  void setup();
  void reloadCertificates();

  void rotateTicketsKey(time_t now);
  void loadTicketsKeys(const std::string& keyFile);
  void handleTicketsKeyRotation();

#endif /* HAVE_DNS_OVER_HTTPS */

  /// Time of the next scheduled ticket-key rotation (0 until one is scheduled).
  time_t getNextTicketsKeyRotation() const
  {
    return d_ticketsKeyNextRotation;
  }

  /// Number of keys currently in the ticket-key ring; 0 without DoH support or
  /// when no ring has been created yet.
  size_t getTicketsKeysCount() const
  {
    size_t res = 0;
#ifdef HAVE_DNS_OVER_HTTPS
    if (d_ticketKeys) {
      res = d_ticketKeys->getKeysCount();
    }
#endif /* HAVE_DNS_OVER_HTTPS */
    return res;
  }

private:
  time_t d_ticketsKeyNextRotation{0};
  // Cleared in the constructor; presumably used as a guard so that only one
  // thread rotates the ticket keys at a time — confirm in rotateTicketsKey().
  std::atomic_flag d_rotatingTicketsKey;
};
146
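#ifndef HAVE_DNS_OVER_HTTPS
/// Placeholder so that code referring to DOHUnit compiles without DoH support.
struct DOHUnit
{
};

#else /* HAVE_DNS_OVER_HTTPS */
#include <unordered_map>

struct st_h2o_req_t;

/// State of one in-flight DoH request while it travels between the DoH thread
/// and the dnsdist client thread (see the comment on status_code).
struct DOHUnit
{
  std::string query; // DNS payload, by name
  std::string response; // DNS answer to send back, by name
  ComboAddress remote; // client address, by name
  ComboAddress dest; // local address the request arrived on, by name
  st_h2o_req_t* req{nullptr}; // raw pointer to the h2o request; presumably non-owning — confirm against the owner
  DOHUnit** self{nullptr}; // presumably the slot holding the pointer to this unit — confirm against the owner
  std::string contentType;
  // Initialised to -1 so an unassigned socket can never be mistaken for a valid
  // descriptor (0 would be one); previously left uninitialised.
  int rsock{-1};
  // Query type; 0 until parsed from the query (previously left uninitialised).
  uint16_t qtype{0};
  /* the status_code is set from
     processDOHQuery() (which is executed in
     the DOH client thread) so that the correct
     response can be sent in on_dnsdist(),
     after the DOHUnit has been passed back to
     the main DoH thread.
  */
  uint16_t status_code{200};
  bool ednsAdded{false};

  // Accessors for the HTTP request this unit was built from; defined with the DoH code.
  std::string getHTTPPath() const;
  std::string getHTTPHost() const;
  std::string getHTTPScheme() const;
  std::string getHTTPQueryString() const;
  std::unordered_map<std::string, std::string> getHTTPHeaders() const;
  /// Sets the HTTP status, body and (optionally) content type of the reply.
  void setHTTPResponse(uint16_t statusCode, const std::string& body, const std::string& contentType="");
};

#endif /* HAVE_DNS_OVER_HTTPS */

// Declared here, defined with the DoH code; takes a raw DOHUnit pointer whose
// ownership is decided by the definition — confirm before calling.
void handleDOHTimeout(DOHUnit* oldDU);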