FreeBSD Bugzilla – Attachment 192370 Details for Bug 227129
dns/dnscrypt-proxy2: Instructions for using together with unbound are lacking
[patch] dns/dnscrypt-proxy2: instructions for using together with unbound, r466876
dns_dnscrypt-proxy2.r466876.diff (text/plain), 7.31 KB, created by Vinícius Zavam on 2018-04-09 21:49:24 UTC
>Index: dns/dnscrypt-proxy2/Makefile >=================================================================== >--- dns/dnscrypt-proxy2/Makefile (revision 466876) >+++ dns/dnscrypt-proxy2/Makefile (working copy) 
>@@ -1,57 +1,61 @@ > # $FreeBSD$ > > PORTNAME= dnscrypt-proxy > PORTVERSION= 2.0.8 >-CATEGORIES= dns security >+PORTREVISION= 1 >+CATEGORIES= dns security ipv6 > PKGNAMESUFFIX= 2 > > MAINTAINER= egypcio@googlemail.com > COMMENT= Flexible DNS proxy with support for encrypted protocols > > LICENSE= ISCL > LICENSE_FILE= ${WRKSRC}/LICENSE > > BUILD_DEPENDS= go:lang/go > RUN_DEPENDS= ca_root_nss>=3.35:security/ca_root_nss > >+PLIST_SUB= USER="${USERS}" GROUP="${GROUPS}" >+SUB_LIST= USER="${USERS}" GROUP="${GROUPS}" > USE_RC_SUBR= ${PORTNAME} > > USE_GITHUB= yes > GH_ACCOUNT= jedisct1 > > USERS= _dnscrypt-proxy > GROUPS= _dnscrypt-proxy > > PORTDOCS= README.* > PORTEXAMPLES= example* > > CONFLICTS_INSTALL= dnscrypt-proxy > > OPTIONS_DEFINE= DOCS EXAMPLES > > do-build: > ${RLN} ${WRKSRC}/vendor ${WRKSRC}/src > cd ${WRKSRC}/${PORTNAME} && \ > ${SETENV} ${MAKE_ENV} ${BUILD_ENV} GOPATH=${WRKSRC} \ > go build -ldflags "-s -w" -o ${WRKDIR}/sbin/${PORTNAME} > > do-install: >- ${INSTALL_PROGRAM} ${WRKDIR}/sbin/${PORTNAME} ${STAGEDIR}${LOCALBASE}/sbin >+ ${INSTALL_PROGRAM} ${WRKDIR}/sbin/${PORTNAME} ${STAGEDIR}${PREFIX}/sbin > > do-install-DOCS-on: > ${MKDIR} ${STAGEDIR}${DOCSDIR} > cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR} > > do-install-EXAMPLES-on: > ${MKDIR} ${STAGEDIR}${EXAMPLESDIR} > cd ${WRKSRC}/${PORTNAME} && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR} > > post-install: >- # After install examples because of the priv drop issue with Go >+ ${MKDIR} ${STAGEDIR}/var/run/${PORTNAME} ${STAGEDIR}${PREFIX}/etc/${PORTNAME} >+ # After 'install' because of the priv drop issue with Go; keeping original example files. 
> @${REINPLACE_CMD} -e \ > "s#\['127.0.0.1:53', '\[::1\]:53'\]#\['127.0.0.1:5353'\]#" \ > ${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml > ${INSTALL_DATA} ${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml \ >- ${STAGEDIR}${LOCALBASE}/etc/${PORTNAME}.toml.sample >+ ${STAGEDIR}${PREFIX}/etc/${PORTNAME}/${PORTNAME}.toml.sample > > .include <bsd.port.mk> >Index: dns/dnscrypt-proxy2/files/dnscrypt-proxy.in >=================================================================== >--- dns/dnscrypt-proxy2/files/dnscrypt-proxy.in (revision 466876) >+++ dns/dnscrypt-proxy2/files/dnscrypt-proxy.in (working copy) 
>@@ -1,36 +1,36 @@ > #!/bin/sh > # > # $FreeBSD$ > # > # PROVIDE: dnscrypt_proxy > # REQUIRE: cleanvar SERVERS >-# BEFORE: dnsmasq local_unbound unbound named >+# BEFORE: local_unbound unbound dnsmasq pdns named > # >-# Options to configure dnscrypt-proxy via /etc/rc.conf: >+# Options to configure dnscrypt-proxy via /etc/rc.conf: > # >-# dnscrypt_proxy_enable (bool) Enable service on boot >-# Default: NO >+# dnscrypt_proxy_enable (bool) Start on Boot. # Default: NO >+# dnscrypt_proxy_conf (str) Config File. # Default: %%PREFIX%%/etc/dnscrypt-proxy/dnscrypt-proxy.toml >+# dnscrypt_proxy_setuid (bool) Set root priv. # Default: NO >+# dnscrypt_proxy_uid (str) User to run as. # Default: %%USER%% > # >-# dnscrypt_proxy_conf (str) Config file to use >-# Default: %%PREFIX%%/etc/dnscrypt-proxy.toml >-# >-# dnscrypt_proxy_uid (str) User to run dnscrypt_proxy as >-# Default: _dnscrypt-proxy > > . /etc/rc.subr > > name="dnscrypt_proxy" >-rcvar="dnscrypt_proxy_enable" >-pidfile="/var/run/dnscrypt-proxy.pid" >+rcvar="${name}_enable" >+pidfile="/var/run/dnscrypt-proxy/${name}.pid" > procname="%%PREFIX%%/sbin/dnscrypt-proxy" > > load_rc_config $name > >-: ${dnscrypt_proxy_enable:=NO} >-: ${dnscrypt_proxy_conf:=%%PREFIX%%/etc/dnscrypt-proxy.toml} >-: ${dnscrypt_proxy_uid:=_dnscrypt-proxy} >+: ${dnscrypt_proxy_enable:="NO"} >+: ${dnscrypt_proxy_conf:="%%PREFIX%%/etc/dnscrypt-proxy/dnscrypt-proxy.toml"} >+: ${dnscrypt_proxy_setuid:="NO"} >+: ${dnscrypt_proxy_uid:="%%USER%%"} > >+checkyesno dnscrypt_proxy_setuid && dnscrypt_proxy_uid="root" >+ > command="/usr/sbin/daemon" >-command_args="-p ${pidfile} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}" >+command_args="-p ${pidfile} -t ${name} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}" > >-run_rc_command "$1" >+run_rc_command $1 >Index: dns/dnscrypt-proxy2/pkg-message >=================================================================== >--- dns/dnscrypt-proxy2/pkg-message (revision 
466876) >+++ dns/dnscrypt-proxy2/pkg-message (working copy) 
>@@ -1,40 +1,55 @@ >-===================================================================== >-Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable >-of dropping privileges after binding to a low port on FreeBSD. >+====================================================================== >+Version 2 of dnscrypt-proxy is written in Go, and therefore isn't capable >+ of dropping privileges after binding to a low port on FreeBSD. > >-By default, the dnscrypt-proxy2 port will listen on (tcp/udp) port 5353 >-as the _dnscrypt-proxy user. >+By default, this port's daemon will listen on port 5353 (TCP/UDP) as the >+ %%USER%% user. It's still possible to bind it and listen on port 53 (TCP/UDP), >+ but it's not recommended. > >-It's possible to change back to port 53, but not recommended. >+Below are a few examples on how to redirect traffic from port 5353 to 53. > >-Below are a few examples on how to redirect local connections from port >-5353 to 53. >- > [ipfw] > >- ipfw nat 1 config if lo0 reset same_ports \ >- redirect_port tcp 127.0.0.1:5353 53 \ >- redirect_port udp 127.0.0.1:5353 53 >- ipfw add nat 1 ip from any to 127.0.0.1 via lo0 >+ /etc/rc.firewall.local: >+ ipfw nat 1 config if lo0 reset same_ports \ >+ redirect_port tcp 127.0.0.1:5353 53 \ >+ redirect_port udp 127.0.0.1:5353 53 >+ ipfw add nat 1 ip from any to 127.0.0.1 via lo0 > > /etc/rc.conf: >+ firewall_enable="YES" > firewall_nat_enable="YES" > > /etc/sysctl.conf: > net.inet.ip.fw.one_pass=0 > > [pf] > >- rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353 >+ /etc/pf.conf: >+ set skip on lo0 >+ rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353 > >+ /etc/rc.conf: >+ pf_enable="YES" >+ > [unbound] > >- server: >- interface: 127.0.0.1 >- do-not-query-localhost: no >+ /etc/rc.conf: >+ local_unbound_enable="YES" > >- forward-zone: >- name: "." 
>- forward-addr: 127.0.0.1@5353 >+ /var/unbound/unbound.conf: >+ server: >+ interface: 127.0.0.1 >+ do-not-query-localhost: no > >-===================================================================== >+ /var/unbound/forward.conf: >+ forward-zone: >+ name: "." >+ forward-addr: 127.0.0.1@5353 >+ >+---------------------------------------------------------------------- >+ >+If you are using local_unbound, DNSSEC is enabled by default. You should >+ comment the "auto-trust-anchor-file" line or change dnscrypt-proxy to use >+ servers with DNSSEC support only. >+====================================================================== >Index: dns/dnscrypt-proxy2/pkg-plist >=================================================================== >--- dns/dnscrypt-proxy2/pkg-plist (revision 466876) >+++ dns/dnscrypt-proxy2/pkg-plist (working copy) >@@ -1,2 +1,4 @@ >-@sample etc/dnscrypt-proxy.toml.sample >+@dir(%%USER%%,%%GROUP%%,750) etc/dnscrypt-proxy >+@dir(%%USER%%,%%GROUP%%,750) /var/run/dnscrypt-proxy >+@sample etc/dnscrypt-proxy/dnscrypt-proxy.toml.sample > sbin/dnscrypt-proxy
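Review bot: in dns/dnscrypt-proxy2/Makefile, the hunk adds ipv6 to CATEGORIES while the post-install substitution still rewrites the sample's listen addresses from ['127.0.0.1:53', '[::1]:53'] to ['127.0.0.1:5353'] only, so the installed sample has no IPv6 listener. Either keep '[::1]:5353' in the replacement or leave the category out. The substitution also matches one exact upstream string; if upstream changes that line, the sample keeps port 53 without any build error, so a check that the pattern was found would make the port safer to update.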
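Review bot: in dns/dnscrypt-proxy2/files/dnscrypt-proxy.in, the new dnscrypt_proxy_setuid knob overrides dnscrypt_proxy_uid with root, and since pkg-message states that the Go daemon cannot drop privileges after binding, enabling it leaves the whole resolver running as root for its lifetime. The header comment "Set root priv." does not say that; document it as running the daemon as root and note that it overrides dnscrypt_proxy_uid. The last line also loses its quoting; keep run_rc_command "$1".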
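Review bot: in dns/dnscrypt-proxy2/pkg-message, the new [pf] example puts "set skip on lo0" directly above "rdr pass on lo0 ..."; skip turns off all pf processing on that interface, translation included, so the redirect on lo0 would never be applied. Drop the "set skip on lo0" line from the example. The closing DNSSEC paragraph offers commenting out "auto-trust-anchor-file" first, which disables validation in local_unbound; lead with choosing DNSSEC-capable servers and present the trust-anchor change as the fallback. The sentence "redirect traffic from port 5353 to 53" also reads backwards relative to the rules, which send port 53 traffic to 127.0.0.1:5353.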
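Review bot: in dns/dnscrypt-proxy2/pkg-plist, "@dir(%%USER%%,%%GROUP%%,750) etc/dnscrypt-proxy" makes the unprivileged daemon account the owner of its own configuration directory, so a compromised daemon can replace dnscrypt-proxy.toml and change which resolvers are used. Prefer root ownership with group read access for the configuration directory, and if the daemon needs somewhere to write state, give it a separate directory. The sample also moves from etc/dnscrypt-proxy.toml.sample to etc/dnscrypt-proxy/dnscrypt-proxy.toml.sample and the rc script default follows it, so an existing etc/dnscrypt-proxy.toml is no longer read after upgrade; pkg-message should tell users to move it or set dnscrypt_proxy_conf.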
Flags: egypcio: maintainer-approval+
Attachments on bug 227129: 192105 | 192370