海运的博客

mosdns删除dns返回结果中的cname直接返回a记录插件

发布时间:January 18, 2022 // 分类: // No Comments

unbound做mosdns前置的时候会重新查询域名返回的dns cname记录,这样mosdns做dns域名分流的时候还要额外添加cname域名规则,写了一个mosdns插件删除cname信息直接返回a记录避免二次查询。

//dispatcher/plugin/executable/dcname/dcname.go
package dcname

import (
  "context"
  "github.com/IrineSistiana/mosdns/v3/dispatcher/handler"
  "github.com/IrineSistiana/mosdns/v3/dispatcher/pkg/dnsutils"
  "github.com/miekg/dns"
)

const (
  PluginType = "dcname"
)

func init() {
  handler.RegInitFunc(PluginType, Init, func() interface{} { return new(Args) })
}

var _ handler.ExecutablePlugin = (*dcname)(nil)

type Args struct {
}

type dcname struct {
  *handler.BP
  args *Args
}

func Init(bp *handler.BP, args interface{}) (p handler.Plugin, err error) {
  return newDcname(bp, args.(*Args)), nil
}

func newDcname(bp *handler.BP, args *Args) handler.Plugin {
  return &dcname{
    BP:   bp,
    args: args,
  }
}

func (t *dcname) Exec(ctx context.Context, qCtx *handler.Context, next handler.ExecutableChainNode) error {
  if r := qCtx.R(); r != nil {
    q := qCtx.Q()
    if (len(q.Question) == 1 && len(r.Answer) >= 1) {
      qname := q.Question[0].Name
      qtype := q.Question[0].Qtype
      rname := r.Answer[0].Header().Name
      rtype := r.Answer[0].Header().Rrtype
      if ((qtype == dns.TypeA || qtype == dns.TypeAAAA) && qname == rname && rtype == dns.TypeCNAME) {
        var Answer2 []dns.RR
        for i := range r.Answer {
          var rr2 dns.RR
          switch rr := r.Answer[i].(type) {
          case *dns.A:
            rr2 = &dns.A{
              Hdr: dns.RR_Header{
                Name:   qname,
                Rrtype: dns.TypeA,
                Class:  dns.ClassINET,
                Ttl:    r.Answer[i].Header().Ttl,
              },
              A: rr.A,
            }
          case *dns.AAAA:
            rr2 = &dns.AAAA{
              Hdr: dns.RR_Header{
                Name:   qname,
                Rrtype: dns.TypeAAAA,
                Class:  dns.ClassINET,
                Ttl:    r.Answer[i].Header().Ttl,
              },
              AAAA: rr.AAAA,
            }
          default:
            continue
          }
          Answer2 = append(Answer2, rr2)
        }
        r.Answer = Answer2
      }
    }
  }
  return handler.ExecChainNode(ctx, qCtx, next)
}

开启插件:

dispatcher/plugin/enabled_plugin.go 
_ "github.com/IrineSistiana/mosdns/v3/dispatcher/plugin/executable/dcname"

qCtx.Q()和qCtx.R()分别获取查询和返回的信息,*dns.Msg定义在:
https://github.com/miekg/dns/blob/master/msg.go#L109
查询信息Question []Question定义在:
https://github.com/miekg/dns/blob/master/types.go#L228
返回信息Answer RR[]定义在:
https://github.com/miekg/dns/blob/master/dns.go#L31
Answer Header:
https://github.com/miekg/dns/blob/master/dns.go#L67

此内容被密码保护

发布时间:January 14, 2022 // 分类: // No Comments

请输入密码访问

linux以普通用户执行程序

发布时间:December 28, 2021 // 分类: // No Comments

不切换到用户目录且用户不包含shell,runuser和sudo参数--为参数终止符,可通过alias调用。

runuser -u nobody -- id -un
sudo -u nobody -- id -un
su nobody -s /bin/bash -c 'id -un'

参考:
https://www.cyberciti.biz/open-source/linux-run-command-as-different-user/

caddy为nginx网站提供http3 quic支持

发布时间:December 27, 2021 // 分类: // No Comments

由于nginx监听了443端口,caddy监听其它端口,通过iptables dnat到caddy端口也能使用,但是caddy head会返回alt-svc包含监听的端口,通过使用docker桥接方式启动caddy可解决。
docker build安装caddy镜像:

FROM debian:bullseye
RUN apt update -y
RUN apt install curl net-tools vim iputils-ping -y
RUN curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | tee /etc/apt/trusted.gpg.d/caddy-stable.asc
RUN curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
RUN apt update -y
RUN apt install caddy
docker build --tag debian-caddy:v1 - < Dockerfile

启动:

docker run -d --name caddy-http3 -p 443:443/udp --dns=172.17.0.1 --restart=always -v /etc/caddy:/etc/caddy -v /data/www.haiyun.me:/data/www.haiyun.me -v /acme/haiyun.me:/acme/haiyun.me debian-caddy:v1 caddy run -config /etc/caddy/Caddyfile

caddy配置文件:

{
  admin off
  auto_https off
  servers  {
    protocol {
      experimental_http3
    }
  }
}
https://www.haiyun.me:443 {
  tls /acme/haiyun.me/haiyun.me.cer /acme/haiyun.me/haiyun.me.key
  reverse_proxy https://www.haiyun.me {
    header_up X-Forwarded-For {remote_host}
    header_down -server
  }
}

nginx添加head:

add_header Alt-Svc "h3=\":443\"; ma=86400,h3-29=\":443\"; ma=86400";  

可通过编译curl支持http3测试。

编译curl http3 quic支持

发布时间:December 27, 2021 // 分类: // No Comments

方法一,使用openssl ngtcp2 nghttp3编译curl支持http3 quic:

apt install build-essential autoconf libtool pkg-config 
git clone --depth 1 -b OpenSSL_1_1_1m+quic https://github.com/quictls/openssl
cd openssl/
./config enable-tls1_3 --prefix=/usr/local/openssl
 make && make install
cd ../
git clone https://github.com/ngtcp2/nghttp3
cd nghttp3/
autoreconf -fi
./configure --prefix=/usr/local/nghttp3 --enable-lib-only
make && make install
cd ../
git clone https://github.com/ngtcp2/ngtcp2
cd ngtcp2/
autoreconf -fi
./configure PKG_CONFIG_PATH=/usr/local/openssl/lib/pkgconfig:/usr/local/nghttp3/lib/pkgconfig LDFLAGS="-Wl,-rpath,/usr/local/openssl/lib" --prefix=/usr/local/ngtcp2 --enable-lib-only 
 make && make install
cd ../
wget https://github.com/curl/curl/releases/download/curl-7_80_0/curl-7.80.0.tar.gz
tar zxf curl-7.80.0.tar.gz 
cd curl-7.80.0/
LDFLAGS="-Wl,-rpath,/usr/local/openssl/lib64" ./configure --with-openssl=/usr/local/openssl/ --with-nghttp3=/usr/local/nghttp3 --with-ngtcp2=/usr/local/ngtcp2 --prefix=/usr/local/curl
make && make install
LD_LIBRARY_PATH="/usr/local/curl/lib/:/usr/local/openssl/lib/" /usr/local/curl/bin/curl -V

方法二,通过quiche编译支持http3 quic:

apt install build-essential cmake pkg-config
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
git clone --recursive https://github.com/cloudflare/quiche
cd quiche/
cargo build --package quiche --release --features ffi,pkg-config-meta,qlog
mkdir quiche/deps/boringssl/src/lib
ln -vnf $(find target/release -name libcrypto.a -o -name libssl.a) quiche/deps/boringssl/src/lib/
cd ../
wget https://github.com/curl/curl/releases/download/curl-7_80_0/curl-7.80.0.tar.gz
tar zxf curl-7.80.0.tar.gz 
cd curl-7.80.0/
./configure LDFLAGS="-Wl,-rpath,$PWD/../quiche/target/release" --with-openssl=$PWD/../quiche/quiche/deps/boringssl/src --with-quiche=$PWD/../quiche/target/release --prefix=/usr/local/curl
make && make install
cp ../quiche/target/release/libquiche.so /usr/local/curl/lib/
LD_LIBRARY_PATH="/usr/local/curl/lib/"  /usr/local/curl/bin/curl -V

使用curl测试http3 quic:

LD_LIBRARY_PATH="/usr/local/curl/lib/:/usr/local/openssl/lib/"  /usr/local/curl/bin/curl --http3 https://www.haiyun.me  -I

使用中遇到的问题,quiche编译的curl下载一会后断流,openssl编译的curl下载速度很慢。
参考:
https://github.com/curl/curl/blob/master/docs/HTTP3.md

分类
最新文章
最近回复
  • zr: 大佬,这个bash-completion是从哪个源搞到的
  • 姚生: 要要下载
  • 阿东: 我在编译树莓派的时候也遇到同样的问题,后来发现是make menuconfig 的时候忘了带环...
  • crowjin: 你确定这能过滤??不是所有请求都返回空地址::?
  • : linux系统上单个网卡多条宽带拨号获取公网IP,外网可以访问这些IP,有偿! Q:25299...
  • 硅谷少年: 非常有用,感谢分享
  • spartan2: https://dashboard.hcaptcha.com/welcome_accessib...
  • 海运: 应该能,在购买页面先手工跳过cf机器验证,后续一定时间内不更换ip应该不会再次验证。
  • spartan: 大佬斯巴达开启了CF的机器识别验证,请问插件能自动跳过吗? 另外这个脚本有没有简单使用说明,新...
  • vincent: 膜拜大佬
归档