cloudflarearchive / odoh-server-go

Oblivious DoH server in Go
MIT License
65 stars 17 forks source link

odoh-server-go

Coverage Status

Oblivious DoH Server

Local development

To deploy the server locally, first acquire a TLS certificate using mkcert as follows:

$ mkcert -key-file key.pem -cert-file cert.pem 127.0.0.1 localhost

Then build and run the server as follows:

$ make all
$ CERT=cert.pem KEY=key.pem PORT=4567 ./odoh-server

By default, the proxy listens on /proxy and the target listens on /dns-query.

You may then run the corresponding client as follows:

$ ./odoh-client odoh --proxy localhost:4567 --target odoh.cloudflare-dns.com --domain cloudflare.com
;; opcode: QUERY, status: NOERROR, id: 14306
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cloudflare.com.    IN   AAAA

;; ANSWER SECTION:
cloudflare.com. 271 IN  AAAA    2606:4700::6810:84e5
cloudflare.com. 271 IN  AAAA    2606:4700::6810:85e5

Deployment

This section describes deployment instructions for odoh-server-go.

Preconfigured deployments

Deploy deploy to Scalingo

Manual deployment

This server can also be manually deployed on any bare metal machine, or in cloud providers such as GCP. Instructions for both follow.

Bare metal

Deployment on bare metal servers, such as Equinix, can be done following the instructions below. These steps assume that git and go are both installed on the metal.

  1. Configure a certificate on the metal using certbot. Once complete, the output should be something like the following, assuming the server domain name is "example.com":
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem

You must configure certbot to renew this certificate periodically. The simplest way to do this is via a cron job:

$ 00 00 1 * 1 certbot renew
  1. Configure two environment variables to reference these files:
$ export CERT=/etc/letsencrypt/live/example.com/fullchain.pem
$ export KEY=/etc/letsencrypt/live/example.com/privkey.pem
  1. Clone and build the server:
$ git clone git@github.com:cloudflare/odoh-server-go.git
$ cd odoh-server-go
$ go build ./...
  1. Run the server:
$ PORT=443 ./odoh-server &

This will run the server until completion. You must configure the server to restart should it terminate prematurely.

GCP

To deploy, run:

$ gcloud app deploy proxy.yaml
...
$ gcloud app deploy target.yaml
...

To check on its status, run:

$ gcloud app browse

To stream logs when deployed, run

$ gcloud app logs tail -s default

Reverse proxy

You need to deploy a reverse proxy with a valid TLS server certificate for clients to be able to authenticate the target or proxy.

The simplest option for this is using Caddy. Caddy will automatically provision a TLS certificate using ACME from Let's Encrypt.

For instance:

caddy reverse-proxy --from https://odoh.example.net:443 --to 127.0.0.1:8080

Alternatively, use a Caddyfile similar to:

odoh.example.net

reverse_proxy localhost:8080

and run caddy start.