DNSCrypt / encrypted-dns-server

An easy to install, high-performance, zero maintenance proxy to run an encrypted DNS server.
MIT License

[SOLVED] TLS Proxy: relaying the real client ip #296

Closed blob42 closed 2 days ago

blob42 commented 2 days ago

Hi,

I am running a DoH server and relaying HTTPS connections to my reverse proxy. All relayed TLS traffic has the remote_ip set to the DoH server, so implementing any kind of rate/spam control is difficult.

Is there any way I could pass along the real remote client IP when it is proxied? Or maybe add an extra header field?

SOLUTION:

I found a way to bypass specific TLS traffic from the dnscrypt server, which keeps the original IP packet data. My solution relies on Docker and Caddy-L4 for the TLS proxy.

The process is roughly the following:

Here is a quick overview of the Caddyfile used with the caddy-l4 docker container:

{
    layer4 {
        # bypass foo traffic based on sni matcher
        :443 {
            @tls_nofoo not tls sni foo.website.com

            route @tls_nofoo {
                proxy dnscrypt-server:443
            }
        }
    }
}

foo.website.com {
    reverse_proxy foo_server
}

This would make any TLS traffic to foo.website.com avoid any extra proxy and keep the initial packet data.

Note that this Caddyfile only works with Caddy compiled with caddy-l4 support.
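The Caddyfile above works because the server name (SNI) is the one piece of a TLS ClientHello a layer-4 proxy can read without any key: it sits in cleartext in the first record, so a front proxy can decide per connection whether to hand the bytes straight to the origin (keeping the client's source address) or relay them to the DoH server. The following is an added illustration of that routing decision, not code from this issue, from encrypted-dns-server or from caddy-l4; it constructs a minimal ClientHello, parses the server_name extension from the raw record the way an SNI matcher must, and picks a backend using the host names from the Caddyfile. The exact matching semantics of caddy-l4 (case handling, behaviour on a missing SNI) are assumptions here, not reproduced from its source.

```python
import struct

# Backends taken from the Caddyfile in this issue.
BYPASS_SNI = "foo.website.com"
DIRECT_BACKEND = ("foo_server", 443)          # keeps the client's real source IP
RELAY_BACKEND = ("dnscrypt-server", 443)      # relayed: backend sees the proxy's IP


def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2-style ClientHello record
    carrying a single server_name extension (RFC 6066) for `sni`."""
    host = sni.encode("ascii")
    # ServerNameList: list_len(2) | name_type(1)=host_name | name_len(2) | name
    server_name_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext_sni = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03"               # client_version TLS 1.2
        + b"\x00" * 32            # random (zeroed: sample data only)
        + b"\x00"                 # session_id length 0
        + b"\x00\x02\x13\x01"     # cipher_suites: one suite
        + b"\x01\x00"             # compression_methods: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if the record is
    not a ClientHello, is truncated, or carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None
    pos = 2 + 32                                      # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):                           # no extensions block at all
        return None
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:   # host_name entry
            name_len = struct.unpack("!H", data[3:5])[0]
            name = data[5:5 + name_len]
            if len(name) != name_len:
                return None
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                return None
    return None


def route(record: bytes):
    """Mimic the `not tls sni foo.website.com` rule: traffic for the bypassed
    name goes straight to the origin, everything else (including connections
    with no SNI) is relayed to the DoH server. Case-insensitive comparison is
    an assumption about the matcher, not taken from caddy-l4."""
    sni = extract_sni(record)
    if sni is not None and sni.lower() == BYPASS_SNI:
        return ("direct", DIRECT_BACKEND, sni)
    return ("relay", RELAY_BACKEND, sni)


if __name__ == "__main__":
    for name in ("foo.website.com", "doh.example.invalid"):
        print(name, "->", route(build_client_hello(name)))
```

Because only the unencrypted ClientHello header is inspected, the decision is made before any byte is forwarded and the TLS stream itself is never touched; that is also why a connection whose first record is not a ClientHello, or whose ClientHello lacks SNI, falls through to the relay path rather than to the origin.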

jedisct1 commented 2 days ago

Relaying happens at layer 4. The proxy never decrypts the relayed TLS traffic and is not even able to.

But rate limiting is something that can be implemented in the proxy itself. I'm using firewall rules to limit the number of sessions per client IP, but doing it in user land could be easier to configure.

blob42 commented 2 days ago

Thanks for the quick reply.

Relaying happens at layer 4

Granted, how would I go about changing the source address of the relayed TLS traffic? As I understand it, the upstream server is using the source address to set the HTTP remote IP. Would SNAT work without disturbing the TLS stream?

For info, I am running DoH inside a Docker container. All HTTP traffic has the DoH server IP address as its remote IP.


jedisct1 commented 2 days ago

That would not work without breaking the TCP stream.

blob42 commented 2 days ago

Got it, thanks again for the tips.

blob42 commented 1 day ago

@jedisct1 I found a solution and updated the comment for future people who encounter the same problem.

jedisct1 commented 1 day ago

Wow, well done!

I didn't know that Caddy could do that!

Thanks for the update!