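#!/usr/bin/env bash
# Build an isolated doh-proxy installation under /srv/doh-proxy.
#
# Supply-chain note: both packages are pulled from third-party GitHub forks at
# whatever their default branch points to at clone time. Nothing is pinned,
# hashed or signature-checked, so a compromised or force-pushed fork lands
# directly in the venv and a later rebuild may produce different code. Review
# the forks and pin each clone to a specific commit or tag before deploying
# (git -C "<clone dir>" checkout "<reviewed commit>") so installs are
# reproducible.
set -euo pipefail

readonly base=/srv/doh-proxy
readonly venv="${base}/venv"
readonly src="${base}/git"

mkdir -p -- "${src}" "${venv}"
python3 -mvirtualenv "${venv}"

# Fork of https://github.com/facebookexperimental/doh-proxy - functionality additions
git clone https://github.com/rfinnie/doh-proxy "${src}/doh-proxy"
# Fork of https://github.com/decentfox/aioh2 - Python 3.6/3.8 fixes
git clone https://github.com/URenko/aioh2 "${src}/aioh2"

# aioh2 is installed first, presumably so that pip resolves doh-proxy's
# dependency to the local fork instead of fetching a different aioh2 from
# PyPI — confirm against doh-proxy's requirements.
"${venv}/bin/pip3" install "${src}/aioh2"
"${venv}/bin/pip3" install "${src}/doh-proxy"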
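<VirtualHost *:443>
    ServerName doh.example.com
    DocumentRoot /srv/www/doh.example.com/htdocs

    # TLS is terminated here; /dns-query is handed to doh-httpproxy, which
    # listens on loopback only (see its unit file), so the backend hop is
    # never exposed on the wire. ProxyPassReverse rewrites any Location
    # headers from the backend back to the public name.
    ProxyPass /dns-query http://[::1]:19380/dns-query
    ProxyPassReverse /dns-query http://[::1]:19380/dns-query

    SSLEngine on
    # fullchain.pem carries the leaf certificate plus the intermediates.
    # Since Apache 2.4.8 SSLCertificateFile loads the chain itself and
    # SSLCertificateChainFile is deprecated, so the separate chain.pem
    # directive is dropped.
    SSLCertificateFile /etc/letsencrypt/live/doh.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/doh.example.com/privkey.pem
    # NOTE(review): no SSLProtocol/SSLCipherSuite policy is set in this vhost;
    # it is assumed to come from the server-wide mod_ssl configuration — confirm.

    # max-age is ~6 months; "always" also applies the header to error
    # responses. Add includeSubDomains/preload only once every subdomain is
    # served over HTTPS.
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>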
<VirtualHost *:80>
    ServerName doh.example.com
    # Plain-HTTP requests get a 301 to the TLS site; the request path is
    # preserved. Together with the HSTS header on the :443 vhost this keeps
    # clients from retrying over cleartext.
    RedirectPermanent / https://doh.example.com/
</VirtualHost>
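[Unit]
Description=doh-httpproxy
# Only loopback sockets are involved (listens on ::1, upstream resolver is
# ::1), so no network-online ordering is required.

[Service]
# DynamicUser allocates a transient unprivileged UID/GID for the process and
# implies ProtectSystem=strict, ProtectHome=read-only, PrivateTmp and
# NoNewPrivileges.
DynamicUser=yes
# Additional least-privilege sandboxing. The daemon only needs loopback
# sockets (AF_UNIX is for asyncio's internal socketpair) and no capabilities,
# devices or extra namespaces; /dev/null and /dev/urandom remain available
# under PrivateDevices.
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
Restart=always
# Without a delay a crash loop trips systemd's default start-rate limit
# within seconds and leaves the unit permanently failed.
RestartSec=5
# --listen-address ::1 keeps the plaintext HTTP listener off the network;
# Apache is the only intended client. --ecs presumably attaches EDNS Client
# Subnet derived from the forwarded client address (mod_proxy sets
# X-Forwarded-For), which discloses the client's network prefix to the
# upstream resolver — confirm the fork's semantics and that this is wanted.
ExecStart=/srv/doh-proxy/venv/bin/doh-httpproxy \
    --level INFO \
    --upstream-resolver ::1 \
    --port 19380 \
    --listen-address ::1 \
    --ecs

[Install]
# default.target is the boot target alias; multi-user.target is the usual
# choice for system daemons, but either works here.
WantedBy=default.target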
This assumes an existing BIND server is already running locally and listening on ::1 (the `--upstream-resolver ::1` target in the doh-httpproxy unit above); the following goes into its `options` block so that BIND forwards its queries to the doh-stub below.
options {
    // ...
    // Hand every query BIND cannot answer itself to the local doh-stub
    // (::1 port 5390, see its unit below), which carries it upstream over DoH.
    // NOTE(review): without `forward only;` BIND's default is `forward first`,
    // i.e. it falls back to ordinary cleartext recursion whenever the stub
    // does not answer. Add `forward only;` if that fallback is undesirable.
    forwarders {
        ::1 port 5390;
    };
};
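[Unit]
Description=doh-stub
# Unlike doh-httpproxy this unit talks to a remote host (--remote-address),
# so wait for the network before the first connection attempt.
Wants=network-online.target
After=network-online.target

[Service]
# DynamicUser allocates a transient unprivileged UID/GID for the process and
# implies ProtectSystem=strict, ProtectHome=read-only, PrivateTmp and
# NoNewPrivileges.
DynamicUser=yes
# Additional least-privilege sandboxing. The stub needs a loopback listener
# plus an outbound TCP/TLS connection (AF_UNIX is for asyncio's internal
# socketpair); no capabilities, devices or extra namespaces are required.
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
Restart=always
# Without a delay a crash loop trips systemd's default start-rate limit
# within seconds and leaves the unit permanently failed.
RestartSec=5
# Listens on ::1:5390 for BIND (see the forwarders clause above) and relays
# over DoH to 1.2.3.4 (a placeholder — replace with the real DoH server
# address), presenting --domain as the server name. The IP is given directly
# so the stub does not need DNS to reach its own resolver. NOTE(review):
# confirm that doh-stub verifies the server certificate against --domain;
# if it does not, the upstream DoH session can be intercepted.
ExecStart=/srv/doh-proxy/venv/bin/doh-stub \
    --level INFO \
    --listen-port 5390 \
    --listen-address ::1 \
    --domain doh.example.com \
    --remote-address 1.2.3.4

[Install]
# default.target is the boot target alias; multi-user.target is the usual
# choice for system daemons, but either works here.
WantedBy=default.target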