海运的博客

unbound做mosdns前置的时候会重新查询域名返回的dns cname记录，这样mosdns做dns域名分流的时候还要额外添加cname域名规则，写了一个mosdns插件删除cname信息直接返回a记录避免二次查询。

//dispatcher/plugin/executable/dcname/dcname.go
package dcname

import (
  "context"
  "github.com/IrineSistiana/mosdns/v3/dispatcher/handler"
  "github.com/IrineSistiana/mosdns/v3/dispatcher/pkg/dnsutils"
  "github.com/miekg/dns"
)

const (
  PluginType = "dcname"
)

func init() {
  handler.RegInitFunc(PluginType, Init, func() interface{} { return new(Args) })
}

var _ handler.ExecutablePlugin = (*dcname)(nil)

type Args struct {
}

type dcname struct {
  *handler.BP
  args *Args
}

func Init(bp *handler.BP, args interface{}) (p handler.Plugin, err error) {
  return newDcname(bp, args.(*Args)), nil
}

func newDcname(bp *handler.BP, args *Args) handler.Plugin {
  return &dcname{
    BP:   bp,
    args: args,
  }
}

func (t *dcname) Exec(ctx context.Context, qCtx *handler.Context, next handler.ExecutableChainNode) error {
  if r := qCtx.R(); r != nil {
    q := qCtx.Q()
    if (len(q.Question) == 1 && len(r.Answer) >= 1) {
      qname := q.Question[0].Name
      qtype := q.Question[0].Qtype
      rname := r.Answer[0].Header().Name
      rtype := r.Answer[0].Header().Rrtype
      if ((qtype == dns.TypeA || qtype == dns.TypeAAAA) && qname == rname && rtype == dns.TypeCNAME) {
        var Answer2 []dns.RR
        for i := range r.Answer {
          var rr2 dns.RR
          switch rr := r.Answer[i].(type) {
          case *dns.A:
            rr2 = &dns.A{
              Hdr: dns.RR_Header{
                Name:   qname,
                Rrtype: dns.TypeA,
                Class:  dns.ClassINET,
                Ttl:    r.Answer[i].Header().Ttl,
              },
              A: rr.A,
            }
          case *dns.AAAA:
            rr2 = &dns.AAAA{
              Hdr: dns.RR_Header{
                Name:   qname,
                Rrtype: dns.TypeAAAA,
                Class:  dns.ClassINET,
                Ttl:    r.Answer[i].Header().Ttl,
              },
              AAAA: rr.AAAA,
            }
          default:
            continue
          }
          Answer2 = append(Answer2, rr2)
        }
        r.Answer = Answer2
      }
    }
  }
  return handler.ExecChainNode(ctx, qCtx, next)
}

开启插件：

dispatcher/plugin/enabled_plugin.go 
_ "github.com/IrineSistiana/mosdns/v3/dispatcher/plugin/executable/dcname"

qCtx.Q()和qCtx.R()分别获取查询和返回的信息，*dns.Msg定义在：
https://github.com/miekg/dns/blob/master/msg.go#L109
查询信息Question []Question定义在：
https://github.com/miekg/dns/blob/master/types.go#L228
返回信息Answer RR[]定义在：
https://github.com/miekg/dns/blob/master/dns.go#L31
Answer Header：
https://github.com/miekg/dns/blob/master/dns.go#L67

不切换到用户目录且用户不包含shell，runuser和sudo参数--为参数终止符，可通过alias调用。

runuser -u nobody -- id -un
sudo -u nobody -- id -un
su nobody -s /bin/bash -c 'id -un'

参考：
https://www.cyberciti.biz/open-source/linux-run-command-as-different-user/

由于nginx监听了443端口，caddy监听其它端口，通过iptables dnat到caddy端口也能使用，但是caddy head会返回alt-svc包含监听的端口，通过使用docker桥接方式启动caddy可解决。
docker build安装caddy镜像：

FROM debian:bullseye
RUN apt update -y
RUN apt install curl net-tools vim iputils-ping -y
RUN curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | tee /etc/apt/trusted.gpg.d/caddy-stable.asc
RUN curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
RUN apt update -y
RUN apt install caddy

docker build --tag debian-caddy:v1 - < Dockerfile

启动：

docker run -d --name caddy-http3 -p 443:443/udp --dns=172.17.0.1 --restart=always -v /etc/caddy:/etc/caddy -v /data/www.haiyun.me:/data/www.haiyun.me -v /acme/haiyun.me:/acme/haiyun.me debian-caddy:v1 caddy run -config /etc/caddy/Caddyfile

caddy配置文件：

{
  admin off
  auto_https off
  servers  {
    protocol {
      experimental_http3
    }
  }
}
https://www.haiyun.me:443 {
  tls /acme/haiyun.me/haiyun.me.cer /acme/haiyun.me/haiyun.me.key
  reverse_proxy https://www.haiyun.me {
    header_up X-Forwarded-For {remote_host}
    header_down -server
  }
}

nginx添加head:

add_header Alt-Svc "h3=\":443\"; ma=86400,h3-29=\":443\"; ma=86400";  

可通过编译curl支持http3测试。

方法一，使用openssl ngtcp2 nghttp3编译curl支持http3 quic：

apt install build-essential autoconf libtool pkg-config 
git clone --depth 1 -b OpenSSL_1_1_1m+quic https://github.com/quictls/openssl
cd openssl/
./config enable-tls1_3 --prefix=/usr/local/openssl
 make && make install
cd ../
git clone https://github.com/ngtcp2/nghttp3
cd nghttp3/
autoreconf -fi
./configure --prefix=/usr/local/nghttp3 --enable-lib-only
make && make install
cd ../
git clone https://github.com/ngtcp2/ngtcp2
cd ngtcp2/
autoreconf -fi
./configure PKG_CONFIG_PATH=/usr/local/openssl/lib/pkgconfig:/usr/local/nghttp3/lib/pkgconfig LDFLAGS="-Wl,-rpath,/usr/local/openssl/lib" --prefix=/usr/local/ngtcp2 --enable-lib-only 
 make && make install
cd ../
wget https://github.com/curl/curl/releases/download/curl-7_80_0/curl-7.80.0.tar.gz
tar zxf curl-7.80.0.tar.gz 
cd curl-7.80.0/
LDFLAGS="-Wl,-rpath,/usr/local/openssl/lib64" ./configure --with-openssl=/usr/local/openssl/ --with-nghttp3=/usr/local/nghttp3 --with-ngtcp2=/usr/local/ngtcp2 --prefix=/usr/local/curl
make && make install
LD_LIBRARY_PATH="/usr/local/curl/lib/:/usr/local/openssl/lib/" /usr/local/curl/bin/curl -V

方法二，通过quiche编译支持http3 quic：

apt install build-essential cmake pkg-config
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
git clone --recursive https://github.com/cloudflare/quiche
cd quiche/
cargo build --package quiche --release --features ffi,pkg-config-meta,qlog
mkdir quiche/deps/boringssl/src/lib
ln -vnf $(find target/release -name libcrypto.a -o -name libssl.a) quiche/deps/boringssl/src/lib/
cd ../
wget https://github.com/curl/curl/releases/download/curl-7_80_0/curl-7.80.0.tar.gz
tar zxf curl-7.80.0.tar.gz 
cd curl-7.80.0/
./configure LDFLAGS="-Wl,-rpath,$PWD/../quiche/target/release" --with-openssl=$PWD/../quiche/quiche/deps/boringssl/src --with-quiche=$PWD/../quiche/target/release --prefix=/usr/local/curl
make && make install
cp ../quiche/target/release/libquiche.so /usr/local/curl/lib/
LD_LIBRARY_PATH="/usr/local/curl/lib/"  /usr/local/curl/bin/curl -V

使用curl测试http3 quic：

LD_LIBRARY_PATH="/usr/local/curl/lib/:/usr/local/openssl/lib/"  /usr/local/curl/bin/curl --http3 https://www.haiyun.me  -I

使用中遇到的问题，quiche编译的curl下载一会后断流，openssl编译的curl下载速度很慢。
参考：
https://github.com/curl/curl/blob/master/docs/HTTP3.md