]> git.ipfire.org Git - thirdparty/pdns.git/blob - pdns/doh.hh
Merge pull request #8349 from rgacogne/ddist-doh-tickets
[thirdparty/pdns.git] / pdns / doh.hh
1 #pragma once
2 #include "iputils.hh"
3 #include "libssl.hh"
4
5 struct DOHServerConfig;
6
7 class DOHResponseMapEntry
8 {
9 public:
10 DOHResponseMapEntry(const std::string& regex, uint16_t status, const std::string& content, const boost::optional<std::vector<std::pair<std::string, std::string>>>& headers): d_regex(regex), d_customHeaders(headers), d_content(content), d_status(status)
11 {
12 }
13
14 bool matches(const std::string& path) const
15 {
16 return d_regex.match(path);
17 }
18
19 uint16_t getStatusCode() const
20 {
21 return d_status;
22 }
23
24 const std::string& getContent() const
25 {
26 return d_content;
27 }
28
29 const boost::optional<std::vector<std::pair<std::string, std::string>>>& getHeaders() const
30 {
31 return d_customHeaders;
32 }
33
34 private:
35 Regex d_regex;
36 boost::optional<std::vector<std::pair<std::string, std::string>>> d_customHeaders;
37 std::string d_content;
38 uint16_t d_status;
39 };
40
41 struct DOHFrontend
42 {
43 std::shared_ptr<DOHServerConfig> d_dsc{nullptr};
44 std::vector<std::pair<std::string, std::string>> d_certKeyPairs;
45 std::vector<std::string> d_ocspFiles;
46 std::vector<std::shared_ptr<DOHResponseMapEntry>> d_responsesMap;
47 std::string d_ciphers;
48 std::string d_ciphers13;
49 std::string d_serverTokens{"h2o/dnsdist"};
50 LibsslTLSVersion d_minTLSVersion{LibsslTLSVersion::TLS10};
51 #ifdef HAVE_DNS_OVER_HTTPS
52 std::unique_ptr<OpenSSLTLSTicketKeysRing> d_ticketKeys{nullptr};
53 #endif
54 std::vector<std::pair<std::string, std::string>> d_customResponseHeaders;
55 ComboAddress d_local;
56
57 uint32_t d_idleTimeout{30}; // HTTP idle timeout in seconds
58 std::vector<std::string> d_urls;
59 std::string d_ticketKeyFile;
60
61 std::atomic_flag d_rotatingTicketsKey;
62 time_t d_ticketsKeyRotationDelay{43200};
63 time_t d_ticketsKeyNextRotation{0};
64 size_t d_maxStoredSessions{20480};
65 uint8_t d_numberOfTicketsKeys{5};
66 bool d_enableTickets{true};
67
68 std::atomic<uint64_t> d_httpconnects; // number of TCP/IP connections established
69 std::atomic<uint64_t> d_tls10queries; // valid DNS queries received via TLSv1.0
70 std::atomic<uint64_t> d_tls11queries; // valid DNS queries received via TLSv1.1
71 std::atomic<uint64_t> d_tls12queries; // valid DNS queries received via TLSv1.2
72 std::atomic<uint64_t> d_tls13queries; // valid DNS queries received via TLSv1.3
73 std::atomic<uint64_t> d_tlsUnknownqueries; // valid DNS queries received via unknown TLS version
74
75 std::atomic<uint64_t> d_getqueries; // valid DNS queries received via GET
76 std::atomic<uint64_t> d_postqueries; // valid DNS queries received via POST
77 std::atomic<uint64_t> d_badrequests; // request could not be converted to dns query
78 std::atomic<uint64_t> d_errorresponses; // dnsdist set 'error' on response
79 std::atomic<uint64_t> d_redirectresponses; // dnsdist set 'redirect' on response
80 std::atomic<uint64_t> d_validresponses; // valid responses sent out
81
82 struct HTTPVersionStats
83 {
84 std::atomic<uint64_t> d_nbQueries{0}; // valid DNS queries received
85 std::atomic<uint64_t> d_nb200Responses{0};
86 std::atomic<uint64_t> d_nb400Responses{0};
87 std::atomic<uint64_t> d_nb403Responses{0};
88 std::atomic<uint64_t> d_nb500Responses{0};
89 std::atomic<uint64_t> d_nb502Responses{0};
90 std::atomic<uint64_t> d_nbOtherResponses{0};
91 };
92
93 HTTPVersionStats d_http1Stats;
94 HTTPVersionStats d_http2Stats;
95
96
97 #ifndef HAVE_DNS_OVER_HTTPS
98 void setup()
99 {
100 }
101
102 void reloadCertificates()
103 {
104 }
105
106 void rotateTicketsKey(time_t now)
107 {
108 }
109
110 void loadTicketsKeys(const std::string& keyFile)
111 {
112 }
113
114 void handleTicketsKeyRotation()
115 {
116 }
117
118 #else
119 void setup();
120 void reloadCertificates();
121
122 void rotateTicketsKey(time_t now);
123 void loadTicketsKeys(const std::string& keyFile);
124 void handleTicketsKeyRotation();
125
126 #endif /* HAVE_DNS_OVER_HTTPS */
127 };
128
129 #ifndef HAVE_DNS_OVER_HTTPS
130 struct DOHUnit
131 {
132 };
133
134 #else /* HAVE_DNS_OVER_HTTPS */
135 #include <unordered_map>
136
137 struct st_h2o_req_t;
138
139 struct DOHUnit
140 {
141 std::string query;
142 std::string response;
143 ComboAddress remote;
144 ComboAddress dest;
145 st_h2o_req_t* req{nullptr};
146 DOHUnit** self{nullptr};
147 std::string contentType;
148 int rsock;
149 uint16_t qtype;
150 /* the status_code is set from
151 processDOHQuery() (which is executed in
152 the DOH client thread) so that the correct
153 response can be sent in on_dnsdist(),
154 after the DOHUnit has been passed back to
155 the main DoH thread.
156 */
157 uint16_t status_code{200};
158 bool ednsAdded{false};
159
160 std::string getHTTPPath() const;
161 std::string getHTTPHost() const;
162 std::string getHTTPScheme() const;
163 std::string getHTTPQueryString() const;
164 std::unordered_map<std::string, std::string> getHTTPHeaders() const;
165 void setHTTPResponse(uint16_t statusCode, const std::string& body, const std::string& contentType="");
166 };
167
168 #endif /* HAVE_DNS_OVER_HTTPS */
169
170 void handleDOHTimeout(DOHUnit* oldDU);