NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

DoH with Unbound 1.12.0 and Apache2 --> don't get it working #325

Closed mistersixt closed 1 year ago

mistersixt commented 3 years ago

Hi there,

when trying to use the new DoH feature shipped with the latest Unbound version 1.12.0 - with ProxyPass via Apache2 - I get "tcp took too long" messages, and I cannot find the issue (in general the ProxyPass in Apache2 works fine with my current DoH software[1]).

Unbound is configured with:

    ...
    chroot: ""
    directory: "/usr/local/etc/unbounddoh"
    interface: 127.0.0.1@8054
    tls-service-key: "/usr/local/etc/unbounddoh/whatever.key"
    tls-service-pem: "/usr/local/etc/unbounddoh/whatever.pem"
    ...

Apache with:

            Protocols h2 http/1.1
            SSLProxyEngine on
            ProxyPass /dns-query https://127.0.0.1:8054/dns-query
            ProxyPassReverse /dns-query https://127.0.0.1:8054/dns-query

Unbound is showing (started with some -d / -v):

    [1602576756] unbound[6014:2] debug: comm point start listening 31 (30000 msec)
    [1602576756] unbound[6014:2] debug: Reading tcp query of length 5635
    [1602576786] unbound[6014:2] debug: tcp took too long, dropped
    [1602576786] unbound[6014:2] debug: close fd 31

And Apache error.log:

    [Tue Oct 13 10:15:51.669428 2020] [proxy:error] [pid 5540] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8054 (127.0.0.1) failed
    [Tue Oct 13 10:15:51.669596 2020] [proxy_http:error] [pid 5540] [client 127.0.0.1:51168] AH01114: HTTP: failed to make connection to backend: 127.0.0.1

Any help is welcome, the unbound logfile does not give any further hint unfortunately.

Thanks in advance, and kind regards,

mistersixt

[1] https://github.com/m13253/dns-over-https

ralphdolmans commented 3 years ago

You didn't configure Unbound to listen on port 8054 for the DoH queries, add this to your configuration:

https-port: 8054

See also https://nlnetlabs.nl/documentation/unbound/unbound.conf/#https-port
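The misconfiguration above is easy to miss because Unbound only serves DoH on interfaces whose port matches `https-port` (and DoT only on those matching `tls-port`); an `interface: ...@8054` line with `tls-service-key`/`tls-service-pem` but no matching `https-port` is a plain-DNS listener with unused TLS material. The following is an added example, not part of the issue or of Unbound itself: a small Python linter that reads the `server:` options of an unbound.conf fragment, classifies each `interface:` by the role its port implies, and reports the situation seen in this thread. The sample configuration embedded below is constructed from the fragment in the issue; default ports (53, 443, 853) follow the unbound.conf documentation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the poster's fragment, which lacks "https-port: 8054".
SAMPLE_CONF = """\
server:
    chroot: ""
    directory: "/usr/local/etc/unbounddoh"
    interface: 127.0.0.1@8054
    tls-service-key: "/usr/local/etc/unbounddoh/whatever.key"
    tls-service-pem: "/usr/local/etc/unbounddoh/whatever.pem"
"""


def parse_server_options(text: str) -> Dict[str, List[str]]:
    """Collect 'key: value' lines into a dict of lists (keys may repeat,
    e.g. several interface: lines). Comments and clause headers are skipped."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):      # blank, or clause header like "server:"
            continue
        key, _, val = line.partition(":")       # first colon only, so IPv6 values survive
        opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return opts


def interface_port(iface: str, default_port: int) -> int:
    """Unbound interface syntax is 'address' or 'address@port'."""
    if "@" in iface:
        return int(iface.rsplit("@", 1)[1])
    return default_port


def lint_unbound(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (interface -> role, findings). Roles: 'doh', 'dot' or 'plain'."""
    opts = parse_server_options(text)
    port = int(opts.get("port", ["53"])[0])
    https_port = int(opts.get("https-port", ["443"])[0])
    tls_port = int(opts.get("tls-port", ["853"])[0])

    roles: Dict[str, str] = {}
    for iface in opts.get("interface", []):
        p = interface_port(iface, port)
        if p == https_port:
            roles[iface] = "doh"
        elif p == tls_port:
            roles[iface] = "dot"
        else:
            roles[iface] = "plain"

    findings: List[str] = []
    has_tls_creds = "tls-service-key" in opts and "tls-service-pem" in opts
    serves_tls = any(r in ("doh", "dot") for r in roles.values())
    if has_tls_creds and not serves_tls:
        findings.append(
            f"tls-service-key/pem are set but no interface listens on https-port "
            f"({https_port}) or tls-port ({tls_port}); every listener is plain DNS"
        )
    if serves_tls and not has_tls_creds:
        findings.append("an interface is on https-port/tls-port but tls-service-key/pem are missing")
    return roles, findings


if __name__ == "__main__":
    for conf in (SAMPLE_CONF, SAMPLE_CONF + "    https-port: 8054\n"):
        roles, findings = lint_unbound(conf)
        print(roles, findings or "OK")
```

Run it on the configuration with and without the `https-port: 8054` line: the first run reports the listener as plain DNS with unused TLS keys, the second classifies it as a DoH listener with no findings.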

mistersixt commented 3 years ago

Dooh, thanks a lot, good catch, missed that one ... now I do have these errors though:

    [1602578544] unbound[8157:1] debug: comm point start listening 31 (30000 msec)
    [1602578544] unbound[8157:1] debug: SSL connection ip4 127.0.0.1 port 59362 (len 16)
    [1602578544] unbound[8157:1] debug: close fd 31
    [1602578555] unbound[8157:1] debug: comm point start listening 31 (30000 msec)
    [1602578555] unbound[8157:1] debug: SSL connection ip4 127.0.0.1 port 59370 (len 16)
    [1602578555] unbound[8157:1] debug: close fd 31

With Apache saying:

    [Tue Oct 13 10:42:24.535713 2020] [proxy:error] [pid 8152] (502)Unknown error 502: [client 127.0.0.1:51858] AH01084: pass request body failed to 127.0.0.1:8054 (127.0.0.1)
    [Tue Oct 13 10:42:24.535852 2020] [proxy:error] [pid 8152] [client 127.0.0.1:51858] AH00898: Error during SSL Handshake with remote server returned by /dns-query
    [Tue Oct 13 10:42:24.535862 2020] [proxy_http:error] [pid 8152] [client 127.0.0.1:51858] AH01097: pass request body failed to 127.0.0.1:8054 (127.0.0.1) from 127.0.0.1 ()

    openssl s_client -connect 127.0.0.1:8054

    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: X25519, 253 bits

    SSL handshake has read 3273 bytes and written 261 bytes
    Verification: OK

    New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-CHACHA20-POLY1305

Apache is configured with "all -SSLv3 -TLSv1 -TLSv1.1", so nothing unusual. But I think this is no longer an issue with Unbound.

Thanks again for the hint with the "https-port" option.

Kind regards, mistersixt.

murty2 commented 2 years ago

Something to try: Load module mod_proxy_http2 and use: ProxyPass /dns-query h2://127.0.0.1:8054/dns-query

If your unbound does not support TLS, replace h2 with h2c. Please let me know if this works.
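Once the proxy chain is in place, the useful end-to-end check is a real RFC 8484 request through the Apache front end rather than another TLS handshake test. The following is an added example, not code from this thread, Unbound or Apache: it builds a DNS wire-format query, encodes it as the `dns=` parameter of a DoH GET (base64url without padding, query ID 0 as RFC 8484 recommends for cacheability), and parses the `application/dns-message` answer, including compressed names. The network call uses HTTP/1.1 via `urllib` against the Apache front end (URL is an assumed placeholder); the embedded `SAMPLE_RESPONSE` is constructed so the parser can be exercised offline, with a TEST-NET address as its answer.

```python
import base64
import struct
import urllib.request
from typing import List, Tuple

# Assumed placeholder for the Apache front end from the thread; not a real endpoint.
DOH_URL = "https://resolver.example.invalid/dns-query"


def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """DNS header (RD=1, one question) + QNAME + QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url: str, wire: bytes) -> str:
    """RFC 8484 GET form: dns=<base64url(wire)> with '=' padding removed."""
    enc = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={enc}"


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                           # caller resumes after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes) -> Tuple[int, List[Tuple[str, int, int, str]]]:
    """Return (rcode, [(name, type, ttl, value)]) for the answer section."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers


def send_doh_get(base_url: str, wire: bytes, timeout: float = 5.0) -> bytes:
    """Send the GET over HTTPS and insist on the DoH media type in the reply."""
    req = urllib.request.Request(doh_get_url(base_url, wire),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected content type {ctype!r}")
        return resp.read()


# Constructed reply for build_query("example.com"): NOERROR, one A record (TEST-NET-3).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    wire = build_query("example.com")
    print(doh_get_url(DOH_URL, wire))
    print(parse_response(SAMPLE_RESPONSE))
    # Live check (network): print(parse_response(send_doh_get(DOH_URL, wire)))
```

A 502 from Apache with a parseable answer absent points at the proxy-to-backend leg (the `h2://` versus `https://` question above); a non-`application/dns-message` content type usually means the request never reached Unbound and something else answered on `/dns-query`.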

gthess commented 1 year ago

Closing this as inactive; feel free to reopen/ping.