install/configure bubble-enhanced dnscrypt-proxy as part of algo install

4年前 · 67bb627211
--- a/バイナリ
+++ b/バイナリ
--- a/バイナリ
+++ b/バイナリ
--- a/automation/roles/mitmproxy/files/dnscrypt-proxy.toml
+++ b/automation/roles/mitmproxy/files/dnscrypt-proxy.toml
@@ -1,556 +0,0 @@

 ##############################################
 #                                            #
 #        dnscrypt-proxy configuration        #
 #                                            #
 ##############################################

 ## Online documentation is available here: https://dnscrypt.info/doc

 ##################################
 #         Global settings        #
 ##################################

 ## List of servers to use
 ##
 ## Servers from the "public-resolvers" source (see down below) can
 ## be viewed here: https://dnscrypt.info/public-servers
 ##
 ## If this line is commented, all registered servers matching the require_* filters
 ## will be used.
 ##
 ## The proxy will automatically pick the fastest, working servers from the list.
 ## Remove the leading # first to enable this; lines starting with # are ignored.

 server_names = ['cloudflare', 'google', 'cloudflare-ipv6']

 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
 ## Note: When using systemd socket activation, choose an empty set (i.e. [] ).

 listen_addresses  = [
  '172.20.134.211:53',
  '[fd00::4:86d3]:53'  ]


 ## Maximum number of simultaneous client connections to accept

 max_clients = 250


 ## Switch to a different system user after listening sockets have been created.
 ## Note (1): this feature is currently unsupported on Windows.
 ## Note (2): this feature is not compatible with systemd socket activation.
 ## Note (3): when using -pidfile, the PID file directory must be writable by the new user

 # user_name = 'nobody'


 ## Require servers (from static + remote sources) to satisfy specific properties

 # Use servers reachable over IPv4
 ipv4_servers = true

 # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
 ipv6_servers = true

 # Use servers implementing the DNSCrypt protocol
 dnscrypt_servers = true

 # Use servers implementing the DNS-over-HTTPS protocol
 doh_servers = true


 ## Require servers defined by remote sources to satisfy specific properties

 # Server must support DNS security extensions (DNSSEC)
 require_dnssec = true

 # Server must not log user queries (declarative)
 require_nolog = false

 # Server must not enforce its own blacklist (for parental control, ads blocking...)
 require_nofilter = true

 # Server names to avoid even if they match all criteria
 disabled_server_names = []


 ## Always use TCP to connect to upstream servers.
 ## This can be useful if you need to route everything through Tor.
 ## Otherwise, leave this to `false`, as it doesn't improve security
 ## (dnscrypt-proxy will always encrypt everything even using UDP), and can
 ## only increase latency.

 force_tcp = false


 ## SOCKS proxy
 ## Uncomment the following line to route all TCP connections to a local Tor node
 ## Tor doesn't support UDP, so set `force_tcp` to `true` as well.

 # proxy = "socks5://127.0.0.1:9050"


 ## HTTP/HTTPS proxy
 ## Only for DoH servers

 # http_proxy = "http://127.0.0.1:8888"


 ## How long a DNS query will wait for a response, in milliseconds

 timeout = 2500


 ## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

 keepalive = 30


 ## Use the REFUSED return code for blocked responses
 ## Setting this to `false` means that some responses will be lies.
 ## Unfortunately, `false` appears to be required for Android 8+

 refused_code_in_responses = false


 ## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'

 lb_strategy = 'p2'

 ## Set to `true` to constantly try to estimate the latency of all the resolvers
 ## and adjust the load-balancing parameters accordingly, or to `false` to disable.

 # lb_estimator = true


 ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)

 log_level = 5


 ## log file for the application

 # log_file = '/var/log/private/dnscrypt-proxy/dnscrypt-proxy.log'


 ## Use the system logger (syslog on Unix, Event Log on Windows)

 use_syslog = true


 ## Delay, in minutes, after which certificates are reloaded

 cert_refresh_delay = 240


 ## DNSCrypt: Create a new, unique key for every single DNS query
 ## This may improve privacy but can also have a significant impact on CPU usage
 ## Only enable if you don't have a lot of network load

 dnscrypt_ephemeral_keys = true


 ## DoH: Disable TLS session tickets - increases privacy but also latency

 tls_disable_session_tickets = true


 ## DoH: Use a specific cipher suite instead of the server preference
 ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
 ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
 ##  4865 = TLS_AES_128_GCM_SHA256
 ##  4867 = TLS_CHACHA20_POLY1305_SHA256
 ##
 ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
 ## the following suite improves performance.
 ## This may also help on Intel CPUs running 32-bit operating systems.
 ##
 ## Keep tls_cipher_suite empty if you have issues fetching sources or
 ## connecting to some DoH servers. Google and Cloudflare are fine with it.

 # tls_cipher_suite = [52392, 49199]


 ## Fallback resolver
 ## This is a normal, non-encrypted DNS resolver, that will be only used
 ## for one-shot queries when retrieving the initial resolvers list, and
 ## only if the system DNS configuration doesn't work.
 ## No user application queries will ever be leaked through this resolver,
 ## and it will not be used after IP addresses of resolvers URLs have been found.
 ## It will never be used if lists have already been cached, and if stamps
 ## don't include host names without IP addresses.
 ## It will not be used if the configured system DNS works.
 ## A resolver supporting DNSSEC is recommended. This may become mandatory.
 ##
 ## People in China may need to use 114.114.114.114:53 here.
 ## Other popular options include 8.8.8.8 and 1.1.1.1.

 fallback_resolver = '127.0.0.53:53'


 ## Never let dnscrypt-proxy try to use the system DNS settings;
 ## unconditionally use the fallback resolver.

 ignore_system_dns = true


 ## Maximum time (in seconds) to wait for network connectivity before
 ## initializing the proxy.
 ## Useful if the proxy is automatically started at boot, and network
 ## connectivity is not guaranteed to be immediately available.
 ## Use 0 to not test for connectivity at all (not recommended),
 ## and -1 to wait as much as possible.

 netprobe_timeout = 60

 ## Address and port to try initializing a connection to, just to check
 ## if the network is up. It can be any address and any port, even if
 ## there is nothing answering these on the other side. Just don't use
 ## a local address, as the goal is to check for Internet connectivity.
 ## On Windows, a datagram with a single, nul byte will be sent, only
 ## when the system starts.
 ## On other operating systems, the connection will be initialized
 ## but nothing will be sent at all.

 netprobe_address = "1.1.1.1:53"


 ## Offline mode - Do not use any remote encrypted servers.
 ## The proxy will remain fully functional to respond to queries that
 ## plugins can handle directly (forwarding, cloaking, ...)

 # offline_mode = false


 ## Automatic log files rotation

 # Maximum log files size in MB
 log_files_max_size = 10

 # How long to keep backup files, in days
 log_files_max_age = 7

 # Maximum log files backups to keep (or 0 to keep all backups)
 log_files_max_backups = 1



 #########################
 #        Filters        #
 #########################

 ## Immediately respond to IPv6-related queries with an empty response
 ## This makes things faster when there is no IPv6 connectivity, but can
 ## also cause reliability issues with some stub resolvers.
 ## Do not enable if you added a validating resolver such as dnsmasq in front
 ## of the proxy.

 block_ipv6 = false



 ##################################################################################
 #        Route queries for specific domains to a dedicated set of servers        #
 ##################################################################################

 ## Example map entries (one entry per line):
 ## example.com 9.9.9.9
 ## example.net 9.9.9.9,8.8.8.8,1.1.1.1

 # forwarding_rules = 'forwarding-rules.txt'



 ###############################
 #        Cloaking rules       #
 ###############################

 ## Cloaking returns a predefined address for a specific name.
 ## In addition to acting as a HOSTS file, it can also return the IP address
 ## of a different name. It will also do CNAME flattening.
 ##
 ## Example map entries (one entry per line)
 ## example.com     10.1.1.1
 ## www.google.com  forcesafesearch.google.com

 cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'



 ###########################
 #        DNS cache        #
 ###########################

 ## Enable a DNS cache to reduce latency and outgoing traffic

 cache = true


 ## Cache size

 cache_size = 512


 ## Minimum TTL for cached entries

 cache_min_ttl = 600


 ## Maximum TTL for cached entries

 cache_max_ttl = 86400


 ## Minimum TTL for negatively cached entries

 cache_neg_min_ttl = 60


 ## Maximum TTL for negatively cached entries

 cache_neg_max_ttl = 600

 ###############################
 #    Bubble resolver cache    #
 ###############################

 ## Cache name->IP resolutions in redis. This allows cert-pinned sites and apps to function properly.
 ## When mitmproxy is performing SSL interception, it will check the name of the IP in redis
 ## If the name is on the "TLS Passthu" whitelist, then SSL interception will not be performed

 [reverse_resolve_cache]

  ## Redis configuration for cache

  prefix = 'bubble_dns_'


 ###############################
 #        Query logging        #
 ###############################

 ## Log client queries to a file

 [query_log]

  ## Path to the query log file (absolute, or relative to the same directory as the executable file)

 #  file = '/var/log/private/dnscrypt-proxy/query.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'ltsv'


  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.

  ignored_qtypes = ['DNSKEY', 'NS']



 ############################################
 #        Suspicious queries logging        #
 ############################################

 ## Log queries for nonexistent zones
 ## These queries can reveal the presence of malware, broken/obsolete applications,
 ## and devices signaling their presence to 3rd parties.

 [nx_log]

  ## Path to the query log file (absolute, or relative to the same directory as the executable file)

  # file = 'nx.log'


  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'



 ######################################################
 #        Pattern-based blocking (blacklists)        #
 ######################################################

 ## Blacklists are made of one pattern per line. Example of valid patterns:
 ##
 ##   example.com
 ##   =example.com
 ##   *sex*
 ##   ads.*
 ##   ads*.example.*
 ##   ads*.example[0-9]*.com
 ##
 ## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
 ## A script to build blacklists from public feeds can be found in the
 ## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.

 [blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

  


  ## Optional path to a file logging blocked queries

  # log_file = 'blocked.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



 ###########################################################
 #        Pattern-based IP blocking (IP blacklists)        #
 ###########################################################

 ## IP blacklists are made of one pattern per line. Example of valid patterns:
 ##
 ##   127.*
 ##   fe80:abcd:*
 ##   192.168.1.4

 [ip_blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

  blacklist_file = 'ip-blacklist.txt'


  ## Optional path to a file logging blocked queries

  # log_file = 'ip-blocked.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



 ######################################################
 #   Pattern-based whitelisting (blacklists bypass)   #
 ######################################################

 ## Whitelists support the same patterns as blacklists
 ## If a name matches a whitelist entry, the corresponding session
 ## will bypass names and IP filters.
 ##
 ## Time-based rules are also supported to make some websites only accessible at specific times of the day.

 [whitelist]

  ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)

  # whitelist_file = 'whitelist.txt'


  ## Optional path to a file logging whitelisted queries

  # log_file = 'whitelisted.log'


  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'



 ##########################################
 #        Time access restrictions        #
 ##########################################

 ## One or more weekly schedules can be defined here.
 ## Patterns in the name-based blocklist can optionally be followed with @schedule_name
 ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
 ##
 ## For example, the following rule in a blacklist file:
 ## *.youtube.* @time-to-sleep
 ## would block access to YouTube only during the days, and period of the days
 ## define by the 'time-to-sleep' schedule.
 ##
 ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
 ## {after= '9:00', before='18:00'} matches 9:00-18:00

 [schedules]

  # [schedules.'time-to-sleep']
  # mon = [{after='21:00', before='7:00'}]
  # tue = [{after='21:00', before='7:00'}]
  # wed = [{after='21:00', before='7:00'}]
  # thu = [{after='21:00', before='7:00'}]
  # fri = [{after='23:00', before='7:00'}]
  # sat = [{after='23:00', before='7:00'}]
  # sun = [{after='21:00', before='7:00'}]

  # [schedules.'work']
  # mon = [{after='9:00', before='18:00'}]
  # tue = [{after='9:00', before='18:00'}]
  # wed = [{after='9:00', before='18:00'}]
  # thu = [{after='9:00', before='18:00'}]
  # fri = [{after='9:00', before='17:00'}]



 #########################
 #        Servers        #
 #########################

 ## Remote lists of available servers
 ## Multiple sources can be used simultaneously, but every source
 ## requires a dedicated cache file.
 ##
 ## Refer to the documentation for URLs of public sources.
 ##
 ## A prefix can be prepended to server names in order to
 ## avoid collisions if different sources share the same for
 ## different servers. In that case, names listed in `server_names`
 ## must include the prefixes.
 ##
 ## If the `urls` property is missing, cache files and valid signatures
 ## must be already present; This doesn't prevent these cache files from
 ## expiring after `refresh_delay` hours.

 [sources]

  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = '/tmp/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  prefix = ''

  ## Quad9 over DNSCrypt - https://quad9.net/

  # [sources.quad9-resolvers]
  # urls = ["https://www.quad9.net/quad9-resolvers.md"]
  # minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
  # cache_file = "quad9-resolvers.md"
  # prefix = "quad9-"

  ## Another example source, with resolvers censoring some websites not appropriate for children
  ## This is a subset of the `public-resolvers` list, so enabling both is useless

  #  [sources.'parental-control']
  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
  #  cache_file = 'parental-control.md'
  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'



 ## Optional, local, static list of additional servers
 ## Mostly useful for testing your own servers.

 [static]

  # [static.'myserver']
  # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
--- a/automation/roles/mitmproxy/tasks/main.yml
+++ b/automation/roles/mitmproxy/tasks/main.yml
@@ -87,22 +87,6 @@
    group: root
    state: link

 - name: Install dnscrypt-proxy
  copy:
    src: "dnscrypt-proxy"
    dest: "/usr/bin/dnscrypt-proxy"
    owner: root
    group: root
    mode: 0755

 - name: Install dnscrypt-proxy conf file
  copy:
    src: "dnscrypt-proxy.toml"
    dest: "/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
    owner: root
    group: root
    mode: 0755

 - name: Restart dnscrypt-proxy
  shell: service dnscrypt-proxy restart