(-)dns/dnscrypt-proxy2/Makefile (-4 / +8 lines)
Lines 1-57 Link Here
1
# $FreeBSD$
1
# $FreeBSD$
2
2
3
PORTNAME=	dnscrypt-proxy
3
PORTNAME=	dnscrypt-proxy
4
PORTVERSION=	2.0.8
4
PORTVERSION=	2.0.8
5
CATEGORIES=	dns security
5
PORTREVISION=	1
6
CATEGORIES=	dns security ipv6
6
PKGNAMESUFFIX=	2
7
PKGNAMESUFFIX=	2
7
8
8
MAINTAINER=	egypcio@googlemail.com
9
MAINTAINER=	egypcio@googlemail.com
9
COMMENT=	Flexible DNS proxy with support for encrypted protocols
10
COMMENT=	Flexible DNS proxy with support for encrypted protocols
10
11
11
LICENSE=	ISCL
12
LICENSE=	ISCL
12
LICENSE_FILE=	${WRKSRC}/LICENSE
13
LICENSE_FILE=	${WRKSRC}/LICENSE
13
14
14
BUILD_DEPENDS=	go:lang/go
15
BUILD_DEPENDS=	go:lang/go
15
RUN_DEPENDS=	ca_root_nss>=3.35:security/ca_root_nss
16
RUN_DEPENDS=	ca_root_nss>=3.35:security/ca_root_nss
16
17
18
PLIST_SUB=	USER="${USERS}" GROUP="${GROUPS}"
19
SUB_LIST=	USER="${USERS}" GROUP="${GROUPS}"
17
USE_RC_SUBR=	${PORTNAME}
20
USE_RC_SUBR=	${PORTNAME}
18
21
19
USE_GITHUB=	yes
22
USE_GITHUB=	yes
20
GH_ACCOUNT=	jedisct1
23
GH_ACCOUNT=	jedisct1
21
24
22
USERS=		_dnscrypt-proxy
25
USERS=		_dnscrypt-proxy
23
GROUPS=		_dnscrypt-proxy
26
GROUPS=		_dnscrypt-proxy
24
27
25
PORTDOCS=	README.*
28
PORTDOCS=	README.*
26
PORTEXAMPLES=	example*
29
PORTEXAMPLES=	example*
27
30
28
CONFLICTS_INSTALL=	dnscrypt-proxy
31
CONFLICTS_INSTALL=	dnscrypt-proxy
29
32
30
OPTIONS_DEFINE=	DOCS EXAMPLES
33
OPTIONS_DEFINE=	DOCS EXAMPLES
31
34
32
do-build:
35
do-build:
33
	${RLN} ${WRKSRC}/vendor ${WRKSRC}/src
36
	${RLN} ${WRKSRC}/vendor ${WRKSRC}/src
34
	cd ${WRKSRC}/${PORTNAME} && \
37
	cd ${WRKSRC}/${PORTNAME} && \
35
		${SETENV} ${MAKE_ENV} ${BUILD_ENV} GOPATH=${WRKSRC} \
38
		${SETENV} ${MAKE_ENV} ${BUILD_ENV} GOPATH=${WRKSRC} \
36
		go build -ldflags "-s -w" -o ${WRKDIR}/sbin/${PORTNAME}
39
		go build -ldflags "-s -w" -o ${WRKDIR}/sbin/${PORTNAME}
37
40
38
do-install:
41
do-install:
39
	${INSTALL_PROGRAM} ${WRKDIR}/sbin/${PORTNAME} ${STAGEDIR}${LOCALBASE}/sbin
42
	${INSTALL_PROGRAM} ${WRKDIR}/sbin/${PORTNAME} ${STAGEDIR}${PREFIX}/sbin
40
43
41
do-install-DOCS-on:
44
do-install-DOCS-on:
42
	${MKDIR} ${STAGEDIR}${DOCSDIR}
45
	${MKDIR} ${STAGEDIR}${DOCSDIR}
43
	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
46
	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
44
47
45
do-install-EXAMPLES-on:
48
do-install-EXAMPLES-on:
46
	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
49
	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
47
	cd ${WRKSRC}/${PORTNAME} && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
50
	cd ${WRKSRC}/${PORTNAME} && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
48
51
49
post-install:
52
post-install:
50
	# After install examples because of the priv drop issue with Go
53
	${MKDIR} ${STAGEDIR}/var/run/${PORTNAME} ${STAGEDIR}${PREFIX}/etc/${PORTNAME}
54
	# After 'install' because of the priv drop issue with Go; keeping original example files.
51
	@${REINPLACE_CMD} -e \
55
	@${REINPLACE_CMD} -e \
52
		"s#\['127.0.0.1:53', '\[::1\]:53'\]#\['127.0.0.1:5353'\]#" \
56
		"s#\['127.0.0.1:53', '\[::1\]:53'\]#\['127.0.0.1:5353'\]#" \
53
		${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml
57
		${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml
54
	${INSTALL_DATA} ${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml \
58
	${INSTALL_DATA} ${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml \
55
		${STAGEDIR}${LOCALBASE}/etc/${PORTNAME}.toml.sample
59
		${STAGEDIR}${PREFIX}/etc/${PORTNAME}/${PORTNAME}.toml.sample
56
60
57
.include <bsd.port.mk>
61
.include <bsd.port.mk>
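Review bot: Installing the sample as `${STAGEDIR}${PREFIX}/etc/${PORTNAME}/${PORTNAME}.toml.sample` in post-install moves the live configuration path, and nothing visible in this patch handles the upgrade. Combined with the new `dnscrypt_proxy_conf` default in the rc script, an installation that keeps its settings in `${PREFIX}/etc/dnscrypt-proxy.toml` would presumably start from a fresh copy of the sample after upgrading, silently dropping the administrator's resolver and policy choices. I would add an upgrade paragraph to pkg-message (and an UPDATING entry), e.g. `Upgrading from earlier revisions: move etc/dnscrypt-proxy.toml to etc/dnscrypt-proxy/dnscrypt-proxy.toml before restarting the service.`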
(-)dns/dnscrypt-proxy2/files/dnscrypt-proxy.in (-16 / +16 lines)
Lines 1-36 Link Here
1
#!/bin/sh
1
#!/bin/sh
2
#
2
#
3
# $FreeBSD$
3
# $FreeBSD$
4
#
4
#
5
# PROVIDE: dnscrypt_proxy
5
# PROVIDE: dnscrypt_proxy
6
# REQUIRE: cleanvar SERVERS
6
# REQUIRE: cleanvar SERVERS
7
# BEFORE:  dnsmasq local_unbound unbound named
7
# BEFORE:  local_unbound unbound dnsmasq pdns named
8
#
8
#
9
# Options to configure dnscrypt-proxy via /etc/rc.conf:
9
#	Options to configure dnscrypt-proxy via /etc/rc.conf:
10
#
10
#
11
# dnscrypt_proxy_enable (bool)	Enable service on boot
11
# dnscrypt_proxy_enable	(bool)	Start on Boot.	# Default: NO
12
#				Default: NO
12
# dnscrypt_proxy_conf	(str)	Config File.	# Default: %%PREFIX%%/etc/dnscrypt-proxy/dnscrypt-proxy.toml
13
# dnscrypt_proxy_setuid	(bool)	Set root priv.	# Default: NO
14
# dnscrypt_proxy_uid	(str)	User to run as.	# Default: %%USER%%
13
#
15
#
14
# dnscrypt_proxy_conf (str)	Config file to use
15
#				Default: %%PREFIX%%/etc/dnscrypt-proxy.toml
16
#
17
# dnscrypt_proxy_uid (str)	User to run dnscrypt_proxy as
18
#				Default: _dnscrypt-proxy
19
16
20
. /etc/rc.subr
17
. /etc/rc.subr
21
18
22
name="dnscrypt_proxy"
19
name="dnscrypt_proxy"
23
rcvar="dnscrypt_proxy_enable"
20
rcvar="${name}_enable"
24
pidfile="/var/run/dnscrypt-proxy.pid"
21
pidfile="/var/run/dnscrypt-proxy/${name}.pid"
25
procname="%%PREFIX%%/sbin/dnscrypt-proxy"
22
procname="%%PREFIX%%/sbin/dnscrypt-proxy"
26
23
27
load_rc_config $name
24
load_rc_config $name
28
25
29
: ${dnscrypt_proxy_enable:=NO}
26
: ${dnscrypt_proxy_enable:="NO"}
30
: ${dnscrypt_proxy_conf:=%%PREFIX%%/etc/dnscrypt-proxy.toml}
27
: ${dnscrypt_proxy_conf:="%%PREFIX%%/etc/dnscrypt-proxy/dnscrypt-proxy.toml"}
31
: ${dnscrypt_proxy_uid:=_dnscrypt-proxy}
28
: ${dnscrypt_proxy_setuid:="NO"}
29
: ${dnscrypt_proxy_uid:="%%USER%%"}
32
30
31
checkyesno dnscrypt_proxy_setuid && dnscrypt_proxy_uid="root"
32
33
command="/usr/sbin/daemon"
33
command="/usr/sbin/daemon"
34
command_args="-p ${pidfile} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}"
34
command_args="-p ${pidfile} -t ${name} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}"
35
35
36
run_rc_command "$1"
36
run_rc_command $1
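Review bot: `checkyesno dnscrypt_proxy_setuid && dnscrypt_proxy_uid="root"` overrides whatever `dnscrypt_proxy_uid` the administrator set and runs the whole network-facing daemon as root, yet the header documents the knob only as "Set root priv.". Since pkg-message states that this Go build cannot drop privileges after binding, the comment should say so plainly, e.g. `# dnscrypt_proxy_setuid (bool) Run as root for the daemon's whole lifetime (no privilege drop); overrides dnscrypt_proxy_uid. Default: NO`. Separately, the last line lost its quoting; `run_rc_command "$1"` is the conventional form and should be kept.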
(-)dns/dnscrypt-proxy2/pkg-message (-21 / +36 lines)
Lines 1-40 Link Here
1
=====================================================================
1
======================================================================
2
Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable
2
Version 2 of dnscrypt-proxy is written in Go, and therefore isn't capable
3
of dropping privileges after binding to a low port on FreeBSD.
3
  of dropping privileges after binding to a low port on FreeBSD.
4
4
5
By default, the dnscrypt-proxy2 port will listen on (tcp/udp) port 5353
5
By default, this port's daemon will listen on port 5353 (TCP/UDP) as the 
6
as the _dnscrypt-proxy user.
6
  %%USER%% user. It's still possible to bind it and listen on port 53 (TCP/UDP),
7
  but it's not recommended.
7
8
8
It's possible to change back to port 53, but not recommended.
9
Below are a few examples on how to redirect traffic from port 5353 to 53.
9
10
10
Below are a few examples on how to redirect local connections from port
11
5353 to 53.
12
13
[ipfw]
11
[ipfw]
14
12
15
  ipfw nat 1 config if lo0 reset same_ports \
13
  /etc/rc.firewall.local:
16
    redirect_port tcp 127.0.0.1:5353 53 \
14
    ipfw nat 1 config if lo0 reset same_ports \
17
    redirect_port udp 127.0.0.1:5353 53
15
      redirect_port tcp 127.0.0.1:5353 53 \
18
  ipfw add nat 1 ip from any to 127.0.0.1 via lo0
16
      redirect_port udp 127.0.0.1:5353 53
17
    ipfw add nat 1 ip from any to 127.0.0.1 via lo0
19
18
20
  /etc/rc.conf:
19
  /etc/rc.conf:
20
    firewall_enable="YES"
21
    firewall_nat_enable="YES"
21
    firewall_nat_enable="YES"
22
22
23
  /etc/sysctl.conf:
23
  /etc/sysctl.conf:
24
    net.inet.ip.fw.one_pass=0
24
    net.inet.ip.fw.one_pass=0
25
25
26
[pf]
26
[pf]
27
27
28
  rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
28
  /etc/pf.conf:
29
    set skip on lo0
30
    rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
29
31
32
  /etc/rc.conf:
33
    pf_enable="YES"
34
30
[unbound]
35
[unbound]
31
36
32
  server:
37
  /etc/rc.conf:
33
    interface: 127.0.0.1
38
    local_unbound_enable="YES"
34
    do-not-query-localhost: no
35
39
36
  forward-zone:
40
  /var/unbound/unbound.conf:
37
    name: "."
41
    server:
38
    forward-addr: 127.0.0.1@5353
42
      interface:              127.0.0.1
43
      do-not-query-localhost: no
39
44
40
=====================================================================
45
  /var/unbound/forward.conf:
46
    forward-zone:
47
      name:         "."
48
      forward-addr: 127.0.0.1@5353
49
50
----------------------------------------------------------------------
51
52
If you are using local_unbound, DNSSEC is enabled by default. You should
53
  comment the "auto-trust-anchor-file" line or change dnscrypt-proxy to use
54
  servers with DNSSEC support only.
55
======================================================================
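Review bot: The closing paragraph offers commenting out `auto-trust-anchor-file` as the first remedy, which turns off DNSSEC validation in local_unbound; the text should name that consequence and list the DNSSEC-capable-servers option first. Something like `Prefer restricting dnscrypt-proxy to servers with DNSSEC support; commenting out "auto-trust-anchor-file" disables DNSSEC validation in unbound.` would do. In the [pf] example, `set skip on lo0` sits next to an `rdr pass on lo0` rule; as far as I know pf does no processing at all on skipped interfaces, so the redirect would never match, and the example should be tested or the `set skip` line dropped.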
(-)dns/dnscrypt-proxy2/pkg-plist (-1 / +3 lines)
Lines 1-2 Link Here
1
@sample etc/dnscrypt-proxy.toml.sample
1
@dir(%%USER%%,%%GROUP%%,750) etc/dnscrypt-proxy
2
@dir(%%USER%%,%%GROUP%%,750) /var/run/dnscrypt-proxy
3
@sample etc/dnscrypt-proxy/dnscrypt-proxy.toml.sample
2
sbin/dnscrypt-proxy
4
sbin/dnscrypt-proxy
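Review bot: `@dir(%%USER%%,%%GROUP%%,750) etc/dnscrypt-proxy` makes the configuration directory owned and writable by the account the daemon runs as, so a compromised daemon could replace its own configuration. With `dnscrypt_proxy_setuid=YES`, a root process would then read files from a directory controlled by the unprivileged account. Unless the daemon has to write there (cached resolver lists, for instance, which this patch does not show), `@dir(root,%%GROUP%%,750) etc/dnscrypt-proxy` keeps it readable but not writable by the service. The `/var/run/dnscrypt-proxy` entry is only created at package installation; on hosts with a memory-backed /var it is presumably gone after a reboot, so the rc script should recreate it in a `start_precmd`.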
