From: Tomas Krizek Date: Wed, 17 Apr 2019 16:24:01 +0000 (+0200) Subject: doc: document http module usage with systemd X-Git-Tag: v4.0.0~1^2~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e06f3d78c2b3289256c7ab254e47f14c3d554e0c;p=thirdparty%2Fknot-resolver.git doc: document http module usage with systemd --- diff --git a/daemon/bindings/net.rst b/daemon/bindings/net.rst index b89b2c9ef..696fe6ed5 100644 --- a/daemon/bindings/net.rst +++ b/daemon/bindings/net.rst @@ -9,7 +9,7 @@ For when listening on ``localhost`` just doesn't cut it. If you're using our packages with systemd with sockets support (not supported on CentOS 7), network interfaces are configured using systemd drop-in files for -``kresd.socket`` and ``kresd-tls.socket``. +``kresd.socket``, ``kresd-tls.socket`` and ``kresd-doh.socket``. To configure kresd to listen on public interface, create a drop-in file: @@ -75,6 +75,28 @@ TLS connections. [Socket] ListenStream=192.0.2.115:853 +.. _kresd-doh-socket-configuration: + +To configure socket for DNS-over-HTTPS, make sure you have +``kresd-doh.socket`` installed (it might be part of a separate +``knot-resolver-module-http`` package). Then, you can configure its network +interfaces as above. Also, don't forget to load http module in configuration +file, otherwise the socket won't have any function. + +For example, to remove the default localhost:44353 and listen on all interfaces +on port 443, create the following drop-in file for ``kresd-doh.socket``: + +.. code-block:: bash + + # /etc/systemd/system/kresd-doh.socket.d/override.conf + [Socket] + ListenStream= + ListenStream=[::]:443 + +Make sure no other service is using port 443, as that will result in +unpredictable behaviour. Alternately, you can use port 44353 where a collision +is unlikely. Also, don't forget to load http module in configuration file. + **Daemon network configuration** If you don't use systemd with sockets to run kresd, network interfaces are 
diff --git a/etc/config/config.cluster.in b/etc/config/config.cluster.in index 6984aa092..3c63b1eb0 100644 --- a/etc/config/config.cluster.in +++ b/etc/config/config.cluster.in @@ -6,6 +6,14 @@ -- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration @config_defaults@ +-- For DNS-over-HTTPS and web management when using http module +-- modules.load('http') +-- http.config({ +-- cert = '/etc/knot-resolver/mycert.crt', +-- key = '/etc/knot-resolver/mykey.key', +-- tls = true, +-- }) + -- To disable DNSSEC validation, uncomment the following line (not recommended) -- trust_anchors.remove('.') diff --git a/etc/config/config.isp.in b/etc/config/config.isp.in index 4c29db19a..fed2f0ecd 100644 --- a/etc/config/config.isp.in +++ b/etc/config/config.isp.in @@ -3,6 +3,14 @@ -- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration @config_defaults@ +-- For DNS-over-HTTPS and web management when using http module +-- modules.load('http') +-- http.config({ +-- cert = '/etc/knot-resolver/mycert.crt', +-- key = '/etc/knot-resolver/mykey.key', +-- tls = true, +-- }) + -- To disable DNSSEC validation, uncomment the following line (not recommended) -- trust_anchors.remove('.') diff --git a/etc/config/config.personal.in b/etc/config/config.personal.in index 6d9844e02..87589e786 100644 --- a/etc/config/config.personal.in +++ b/etc/config/config.personal.in @@ -2,6 +2,14 @@ -- Refer to manual: http://knot-resolver.readthedocs.org/en/stable/daemon.html#configuration @config_defaults@ +-- For DNS-over-HTTPS and web management when using http module +-- modules.load('http') +-- http.config({ +-- cert = '/etc/knot-resolver/mycert.crt', +-- key = '/etc/knot-resolver/mykey.key', +-- tls = true, +-- }) + -- To disable DNSSEC validation, uncomment the following line (not recommended) -- trust_anchors.remove('.') diff --git a/etc/config/config.splitview.in b/etc/config/config.splitview.in index 60da665d7..463637191 100644 
--- a/etc/config/config.splitview.in +++ b/etc/config/config.splitview.in @@ -3,6 +3,14 @@ -- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration @config_defaults@ +-- For DNS-over-HTTPS and web management when using http module +-- modules.load('http') +-- http.config({ +-- cert = '/etc/knot-resolver/mycert.crt', +-- key = '/etc/knot-resolver/mykey.key', +-- tls = true, +-- }) + -- To disable DNSSEC validation, uncomment the following line (not recommended) -- trust_anchors.remove('.') diff --git a/etc/config/meson.build b/etc/config/meson.build index 4f160ff1d..e7d28e219 100644 --- a/etc/config/meson.build +++ b/etc/config/meson.build @@ -12,6 +12,12 @@ net.listen('127.0.0.1', 853) net.listen('::1') net.listen('::1', 853) +-- Extra interfaces for http module +-- net.listen('127.0.0.1', 44353, { kind = 'doh' }) +-- net.listen('::1', 44353, { kind = 'doh' }) +-- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' }) +-- net.listen('::1', 8453, { kind = 'webmgmt' }) + -- Drop root privileges user('@0@', '@1@')'''.format(user, group) endif diff --git a/systemd/kresd.systemd.7.in b/systemd/kresd.systemd.7.in index 758341864..9dc49dd1e 100644 --- a/systemd/kresd.systemd.7.in +++ b/systemd/kresd.systemd.7.in 
@@ -104,6 +104,28 @@ compatible with IPv4 syntax in \fIview:addr()\fR when using the view module. For possible workarounds, see https://gitlab.labs.nic.cz/knot/knot-resolver/issues/445 +To configure socket for DNS-over-HTTPS, make sure you have +\fBkresd-doh.socket\fR installed (it might be part of a separate +knot-resolver-module-http package). Then, you can configure its network +interfaces as above. Also, don't forget to load http module in configuration +file, otherwise the socket won't have any function. + +For example, to remove the default localhost:44353 and listen on all interfaces +on port 443, create the following drop-in file for \fBkresd-doh.socket\fR: + +.nf +.RS 4n +# /etc/systemd/system/kresd-doh.socket.d/override.conf +[Socket] +ListenStream= +ListenStream=[::]:443 +.RE +.fi + +Make sure no other service is using port 443, as that will result in +unpredictable behaviour. Alternately, you can use port 44353 where a collision +is unlikely. + For more detailed socket configuration, see \fBsystemd.socket\fR(5). .B Concurrent daemons
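Review bot: in the daemon/bindings/net.rst hunk the sentence "Also, don't forget to load http module in configuration file" appears twice, once in the introductory paragraph (where it already carries the reason, "otherwise the socket won't have any function") and again at the end of the port-443 paragraph; keep the first and drop the second. Two smaller points in the same hunk: the drop-in is a systemd unit fragment, so `.. code-block:: ini` describes it better than `bash`, and "Alternately" should read "Alternatively" (same for "To configure socket", which wants "the socket"). Because `ListenStream=[::]:443` makes DoH reachable on every interface, it is also worth one sentence pointing readers at the `cert`/`key` settings of `http.config()` that the updated config templates in this patch show, so the TLS material is in place before the socket is exposed.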
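Review bot: the same seven commented-out lines are pasted verbatim into config.cluster.in, config.isp.in, config.personal.in and config.splitview.in; all four already share `@config_defaults@`, so consider emitting this block through the same substitution to give it a single source that stays in sync with the http module's option names. The header says "For DNS-over-HTTPS and web management", yet nothing in the snippet tells the user that the web-management endpoint should stay on loopback, which is what the meson.build defaults in this patch do (127.0.0.1 and ::1 on 8453); a one-line comment here, in the file most users actually edit, would carry that guidance. Drive-by: the manual URL in config.personal.in's context line is still `http://knot-resolver.readthedocs.org` while the other three templates use `https://knot-resolver.readthedocs.io`.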
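Review bot: in the etc/config/meson.build hunk the new `-- Extra interfaces for http module` lines do not say that they need `modules.load('http')` (plus cert/key in `http.config()`) to be of any use, which the net.rst hunk states explicitly for the systemd socket; a second comment line such as `-- (requires modules.load('http'), see the http module section)` would save users from uncommenting a listener without the module that serves it. Consider also stating in the comment that the `webmgmt` listeners are deliberately loopback-only, so nobody replaces `'127.0.0.1'` with a public address when copying the `doh` lines directly above them.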
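Review bot: the systemd/kresd.systemd.7.in hunk diverges from the net.rst hunk it mirrors: the man page omits the closing reminder to load the http module, and `knot-resolver-module-http` is plain text here but a literal in the rst. Since both are the same instructions, pick one wording and keep the two in sync. The same small fixes apply here as in the rst: "To configure socket" wants "the socket", and "Alternately" should be "Alternatively".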