From d5d527ca1c3bae10aebb81773be9f6448117e0b9 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Mon, 22 Jan 2018 18:21:50 +0100
Subject: [PATCH] Require the external IP address

---
 Dockerfile | 2 +-
 README.md | 6 ++++--
 entrypoint.sh | 21 ++++++++++++++++-----
 kube/dnscrypt-init-job.yml | 2 +-
 4 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8a44a8c..7f68d81 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -47,7 +47,7 @@ RUN set -x && \
 rm -fr /tmp/* /var/tmp/*
 ENV DNSCRYPT_WRAPPER_GIT_URL https://github.com/jedisct1/dnscrypt-wrapper.git
-ENV DNSCRYPT_WRAPPER_GIT_BRANCH xchacha20
+ENV DNSCRYPT_WRAPPER_GIT_BRANCH xchacha20-stamps
 COPY queue.h /tmp
diff --git a/README.md b/README.md
index 0f24aab..0c2ba36 100644
--- a/README.md
+++ b/README.md
@@ -23,9 +23,11 @@ Let's pick `example.com` here.
 Download, create and initialize the container, once and for all:
 $ docker run --name=dnscrypt-server -p 443:443/udp -p 443:443/tcp --net=host \
- jedisct1/unbound-dnscrypt-server init -N example.com
+ jedisct1/unbound-dnscrypt-server init -N example.com -L 192.168.1.1:443
-This will only accept connections via DNSCrypt on the standard port (443).
+This will only accept connections via DNSCrypt on the standard port (443). Replace
+`192.168.1.1` with the actual external IP address (not the internal Docker one)
+clients will connect to.
 `--net=host` provides the best network performance, but may have to be removed on some shared containers hosting services.
diff --git a/entrypoint.sh b/entrypoint.sh
index 3f969b1..a868aad 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -6,17 +6,18 @@ action="$1"
 KEYS_DIR="/opt/dnscrypt-wrapper/etc/keys"
-# -N provider-name
+# -N provider-name -L external-ip-address:port
 init() {
 if [ $(is_initialized) = yes ]; then
 start
 exit $?
 fi
- while getopts "h?N:" opt; do
+ while getopts "h?N:L:" opt; do
 case "$opt" in
 h|\?) usage ;;
 N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
+ L) listen_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
 esac
 done
 [ -z "$provider_name" ] && usage
@@ -26,8 +27,17 @@ init() {
 *) provider_name="2.dnscrypt-cert.${provider_name}"
 esac
 echo "Provider name: [$provider_name]"
+
+ [ -z "$listen_address" ] && usage
+ case "$listen_address" in
+ .*) usage ;;
+ 0.*) echo "Do not use 0.0.0.0, use an actual external IP address" >&2 ; exit 1 ;;
+ esac
+ echo "Provider name: [$provider_name]"
 cd "$KEYS_DIR"
- /opt/dnscrypt-wrapper/sbin/dnscrypt-wrapper --gen-provider-keypair | \
+ /opt/dnscrypt-wrapper/sbin/dnscrypt-wrapper \
+ --gen-provider-keypair --nolog --dnssec \
+ --provider-name="$provider_name" --listen-address="$listen_address" | \
 tee "${KEYS_DIR}/provider-info.txt"
 chmod 640 "${KEYS_DIR}/secret.key"
 chmod 644 "${KEYS_DIR}/public.key"
@@ -81,8 +91,9 @@ usage() {
 Commands
 ========
-* init -N : initialize the container for a new provider named
-This is supposed to be called only once.
+* init -N -L :
+initialize the container for a server accessible at ip on port
+, for a provider named . This is required only once.
 * start (default command): start the resolver and the dnscrypt server proxy.
 Ports 443/udp and 443/tcp have to be publicly exposed.
diff --git a/kube/dnscrypt-init-job.yml b/kube/dnscrypt-init-job.yml
index 90fb4f1..c7840ed 100644
--- a/kube/dnscrypt-init-job.yml
+++ b/kube/dnscrypt-init-job.yml
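Review bot: The new `L)` arm trims only leading whitespace from `$OPTARG`, so a value with a trailing space or tab reaches `--listen-address=` unchanged and is written into the generated provider info; a symmetric trim `sed -e 's/^[ \t]*//' -e 's/[ \t]*$//'` avoids that. `tr A-Z a-z` is harmless for a numeric address but also lower-cases anything else a caller passes here, which presumably is meant only for the provider name. The body of init() continues past the end of this hunk.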
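Review bot: The last added line before `cd "$KEYS_DIR"` repeats the `echo "Provider name: [$provider_name]"` that already runs a few lines earlier in this hunk, so the provider name is printed twice and the listen address never is; it should read `echo "Listen address: [$listen_address]"`. The new `case` rejects only values starting with `.` or `0.`, so a value with no port at all, a loopback address, or the private placeholder used in the README passes and is baked into the provider info where clients cannot reach it; adding `*:[0-9]*) ;;` followed by a catch-all `*) usage ;;` at least enforces the `ip:port` shape. The rewritten dnscrypt-wrapper invocation is still piped into `tee`, so its exit status is masked and the following `chmod` lines run even when key generation failed; `set -o pipefail` where the shell supports it, or checking the wrapper's status before the `chmod` lines, would surface that. init() starts and ends outside this hunk.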
@@ -10,7 +10,7 @@ spec:
 containers:
 - name: dnscrypt-init
 image: jedisct1/unbound-dnscrypt-server
- command: ["/entrypoint.sh", "init", "-N", "example.com"]
+ command: ["/entrypoint.sh", "init", "-N", "example.com", "-L", "192.168.1.1:443"]
 volumeMounts:
 - name: dnscrypt-keys
 mountPath: /opt/dnscrypt-wrapper/etc/keys
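Review bot: The `-L 192.168.1.1:443` added to the job command is a private-range placeholder, but the manifest reads as something to apply verbatim and the init script's new check accepts such a value, so a user who does not edit it gets provider info advertising an address external clients cannot reach. A YAML comment above the `command:` line, such as `# -L must be the externally reachable IP:port of this resolver, not a pod- or node-internal address`, would make the required edit visible where it is needed. The containers list continues outside the hunk.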