mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-11-15 12:15:56 +01:00
73 lines
1.7 KiB
Markdown
73 lines
1.7 KiB
Markdown
# DNS-over-HTTPS Server {#module-service-doh-server}
|
|
|
|
[DNS-over-HTTPS](https://github.com/m13253/dns-over-https) is a high performance DNS over HTTPS client & server. This module enables its server part (`doh-server`).
|
|
|
|
## Quick Start {#module-service-doh-server-quick-start}
|
|
|
|
Setup with Nginx + ACME (recommended):
|
|
|
|
```nix
|
|
{
|
|
services.doh-server = {
|
|
enable = true;
|
|
settings = {
|
|
upstream = [ "udp:1.1.1.1:53" ];
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
virtualHosts."doh.example.com" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
http2 = true;
|
|
locations."/".return = 404;
|
|
locations."/dns-query" = {
|
|
proxyPass = "http://127.0.0.1:8053/dns-query";
|
|
recommendedProxySettings = true;
|
|
};
|
|
};
|
|
# and other virtual hosts ...
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "you@example.com";
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
}
|
|
```
|
|
|
|
`doh-server` can also work as a standalone HTTPS web server (with SSL cert and key specified), but this is not recommended as `doh-server` does not do OCSP Stabbing.
|
|
|
|
Setup a standalone instance with ACME:
|
|
|
|
```nix
|
|
let
|
|
domain = "doh.example.com";
|
|
in
|
|
{
|
|
security.acme.certs.${domain} = {
|
|
dnsProvider = "cloudflare";
|
|
credentialFiles."CF_DNS_API_TOKEN_FILE" = "/run/secrets/cf-api-token";
|
|
};
|
|
|
|
services.doh-server = {
|
|
enable = true;
|
|
settings = {
|
|
listen = [ ":443" ];
|
|
upstream = [ "udp:1.1.1.1:53" ];
|
|
};
|
|
useACMEHost = domain;
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 443 ];
|
|
}
|
|
```
|
|
|
|
See a full configuration in <https://github.com/m13253/dns-over-https/blob/master/doh-server/doh-server.conf>.
|