Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/cloudflarearchive/odoh-server-go

Oblivious DoH server in Go
https://github.com/cloudflarearchive/odoh-server-go

Last synced: 3 days ago
JSON representation

Oblivious DoH server in Go

Host: GitHub
URL: https://github.com/cloudflarearchive/odoh-server-go
Owner: cloudflarearchive
License: mit
Created: 2020-10-20T13:50:15.000Z (about 4 years ago)
Default Branch: master
Last Pushed: 2022-04-17T13:43:39.000Z (over 2 years ago)
Last Synced: 2024-08-02T15:47:58.495Z (3 months ago)
Language: Go
Homepage:
Size: 122 KB
Stars: 68
Watchers: 12
Forks: 17
Open Issues: 11
Metadata Files:
- Readme: README.md
- License: LICENSE.md

Awesome Lists containing this project

awesome-repositories - cloudflarearchive/odoh-server-go - Oblivious DoH server in Go (Go)

README

        # odoh-server-go

[![Coverage Status](https://coveralls.io/repos/github/cloudflare/odoh-server-go/badge.svg?branch=master)](https://coveralls.io/github/cloudflare/odoh-server-go?branch=master)

[Oblivious DoH Server](https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh)

# Local development

To deploy the server locally, first acquire a TLS certificate using [mkcert](https://github.com/FiloSottile/mkcert) as follows:

~~~

$ mkcert -key-file key.pem -cert-file cert.pem 127.0.0.1 localhost

~~~

Then build and run the server as follows:

~~~

$ make all

$ CERT=cert.pem KEY=key.pem PORT=4567 ./odoh-server

~~~

By default, the proxy listens on `/proxy` and the target listens on `/dns-query`.

You may then run the [corresponding client](https://github.com/cloudflare/odoh-client-go) as follows:

~~~

$ ./odoh-client odoh --proxy localhost:4567 --target odoh.cloudflare-dns.com --domain cloudflare.com

;; opcode: QUERY, status: NOERROR, id: 14306

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;cloudflare.com.	IN	 AAAA

;; ANSWER SECTION:

cloudflare.com.	271	IN	AAAA	2606:4700::6810:84e5

cloudflare.com.	271	IN	AAAA	2606:4700::6810:85e5

~~~

# Deployment

This section describes deployment instructions for odoh-server-go.

## Preconfigured deployments

[![Deploy](https://www.herokucdn.com/deploy/button.svg)](https://heroku.com/deploy)

[![deploy to Scalingo](https://cdn.scalingo.com/deploy/button.svg)](https://my.scalingo.com/deploy)

## Manual deployment

This server can also be manually deployed on any bare metal machine, or in cloud providers such

as GCP. Instructions for both follow.

### Bare metal

Deployment on bare metal servers, such as [Equinix](https://metal.equinix.com/), can be done following

the instructions below. These steps assume that `git` and `go` are both installed on the metal.

1. Configure a certificate on the metal using [certbot](https://certbot.eff.org/all-instructions).

Once complete, the output should be something like the following, assuming the server domain name

is "example.com":

```

Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem

Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem

```

You must configure certbot to renew this certificate periodically. The simplest way to do this is

via a cron job:

```

$ 00 00 1 * 1 certbot renew

```

2. Configure two environment variables to reference these files:

```

$ export CERT=/etc/letsencrypt/live/example.com/fullchain.pem

$ export KEY=/etc/letsencrypt/live/example.com/privkey.pem

```

3. Clone and build the server:

```

$ git clone [email protected]:cloudflare/odoh-server-go.git

$ cd odoh-server-go

$ go build ./...

```

4. Run the server:

```

$ PORT=443 ./odoh-server &

```

This will run the server until completion. You must configure the server to restart should it

terminate prematurely.

### GCP

To deploy, run:

~~~

$ gcloud app deploy proxy.yaml

...

$ gcloud app deploy target.yaml

...

~~~

To check on its status, run:

~~~

$ gcloud app browse

~~~

To stream logs when deployed, run

~~~

$ gcloud app logs tail -s default

~~~

### Reverse proxy

You need to deploy a reverse proxy with a valid TLS server certificate

for clients to be able to authenticate the target or proxy.

The simplest option for this is using [Caddy](https://caddyserver.com).

Caddy will automatically provision a TLS certificate using ACME from [Let's Encrypt](https://letsencrypt.org).

For instance:

```

caddy reverse-proxy --from https://odoh.example.net:443 --to 127.0.0.1:8080

```

Alternatively, use a Caddyfile similar to:

```

odoh.example.net

reverse_proxy localhost:8080

```

and run `caddy start`.