mirror of
https://github.com/SlackBuildsOrg/slackbuilds
synced 2024-09-28 15:21:00 +02:00
network/nss-tls: Added (dns over https).
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
parent 0d10165c00
commit 9a766de5bd
11 changed files with 381 additions and 0 deletions
network/nss-tls/README (Normal file, 23 additions)
@ -0,0 +1,23 @@
nss-tls (DNS-over-HTTPS resolver)

nss-tls is an alternative, encrypted name resolving library for Linux
distributions with glibc which uses DNS-over-HTTPS. The glibc name
resolver can be configured through nsswitch.conf(5) to use nss-tls
instead of the DNS resolver, or fall back to DNS when nss-tls fails.

This way, all applications that use the standard resolver API
(getaddrinfo(), gethostbyname(), etc'), are transparently
migrated from DNS to encrypted means of name resolving, with
zero application-side changes and minimal resource consumption
footprint. However, nss-tls does not deal with applications that use
their own, built-in DNS resolver.

See README_SBo.txt for instructions on setting things up, once the
package is installed. It won't "just work", you really do have to
configure it.

The default servers in the config file are provided by Google, Quad9,
and Cloudflare. If you'd like to change these, there is a list of
public DoH servers here:

https://zenodo.org/records/4923371
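Review bot: "etc'" in the API list ("getaddrinfo(), gethostbyname(), etc'") is a typo for "etc."; and "or fall back to DNS when nss-tls fails" reads as automatic behaviour, while it only happens if the admin appends "dns" after "tls" on the hosts: line of nsswitch.conf, which is what README_SBo.txt step 6 configures. A short "if configured to" here would save readers a false expectation about what is and is not encrypted.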
network/nss-tls/README_SBo.txt (Normal file, 64 additions)
@ -0,0 +1,64 @@
Slackware-specific nss-tls HOWTO
--------------------------------

1. Make sure /etc/nss-tls.conf has at least one DNS-over-HTTPS server URL
listed. The default config file has 3, so you shouldn't need to
change it unless you don't trust the default servers (one of which
belongs to Google). Although it's possible to use hostnames in the
config file, I highly recommend using IP addresses.

2. Add this code to your /etc/rc.d/rc.local:

[ -x /etc/rc.d/rc.nss-tlsd ] && /etc/rc.d/rc.nss-tlsd start

3. Make sure /etc/rc.d/rc.nss-tlsd is executable (it is, by default).

4. Manually start the daemon with the command: /etc/rc.d/rc.nss-tlsd start
Or, you could reboot instead.

At this point, you should be able to use the tlslookup(1) tool to
do some test lookups. Try "tlslookup www.slackware.com". You should
get output similar to:

$ tlslookup www.slackware.com
23.218.93.137
23.218.93.171
2600:1402:9800:d::b833:2ac7
2600:1402:9800:d::b833:2acd

5. Edit /etc/nsswitch.conf and find the line that reads "hosts: files dns".
Replace the "dns" with "tls", so the line looks like:

hosts: files tls

Now, try "ping www.slackware.com". If this works, you should be
able to use normal clients (web browsers, mail, etc). nss-tls
transparently replaces the DNS resolver... but not everything
will work. In particular, git, curl, and alpine (the mail client)
are known not to work in this configuration. To support these
applications, see the next step.

6. To keep regular DNS as a fallback option, change the line in
/etc/nss-tls.conf again, so it looks like:

hosts: files tls dns

This allows applications that don't work with nss-tls to use regular
DNS instead. Notably, git won't work without fallback DNS.

7. Optional: users can run their own instances of the daemon, with
caching support. Run the command /usr/bin/nss-tlsd-user from
your startup scripts (~/.bash_profile for console logins, or
whatever your desktop environment uses if you use GUI login).

This isn't really required, though it can provide some extra
security on multi-user systems. If you're the only person who uses
your Slackware box, you probably don't need this.

Running a server
----------------

nss-tls is just the client side of DNS-over-HTTPS. If you want to run
a server, look into unbound (on SBo). In future Slackware versions,
you may be able to use Slackware's bind for this (the version in 15.0
doesn't support it, but the one in -current should).
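Review bot: step 6 names the wrong file. The line being changed to "hosts: files tls dns" is the one in /etc/nsswitch.conf that step 5 edited, not /etc/nss-tls.conf, which has no hosts: line. Two caveats belong next to it: with "dns" appended, any name nss-tls cannot resolve (the git, curl and alpine cases named in step 5 included) goes out as ordinary cleartext DNS with no indication, so the fallback trades the all-encrypted property of step 5 for compatibility, and a reader choosing it should be told that; and the advice in step 1 to put IP addresses rather than hostnames in the resolver URLs deserves its reason, which is that a hostname in the URL must itself be resolved before the first DNS-over-HTTPS query can be sent, and with "hosts: files tls" the only resolver available to do that is nss-tls itself.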
network/nss-tls/doinst.sh (Normal file, 12 additions)
@ -0,0 +1,12 @@
config() {
NEW="$1"
OLD="$(dirname $NEW)/$(basename $NEW .new)"
if [ ! -r $OLD ]; then
mv $NEW $OLD
elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
rm $NEW
fi
}

config etc/nss-tls.conf.new
config etc/default/nss-tls.new
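Review bot: the second config call refers to a file the package does not contain. The SlackBuild writes the defaults file as $PKG/etc/default/nss-tlsd.new and rc.nss-tlsd sources /etc/default/nss-tlsd, but this script runs `config etc/default/nss-tls.new`. Since that path never exists, the shipped nss-tlsd.new is never renamed, /etc/default/nss-tlsd is never created on a fresh install, and the rc script's `[ -f /etc/default/nss-tlsd ]` guard silently skips it (NSS_TLSD_OPTS is empty by default, so nothing visibly breaks until someone edits the .new file and wonders why the options are ignored). Change the line to `config etc/default/nss-tlsd.new`.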
network/nss-tls/nss-tls.SlackBuild (Normal file, 120 additions)
@ -0,0 +1,120 @@
#!/bin/bash

# Slackware build script for nss-tls

# Written by B. Watson (urchlay@slackware.uk)

# Licensed under the WTFPL. See http://www.wtfpl.net/txt/copying/ for details.

# Notes:

# Building with --buildtype=debug makes the daemon write HTTP request
# and response headers to its stdout. This isn't very useful, so this
# script doesn't support it.

# It would be nice if the daemon would log to syslog, or had some
# runtime-configurable verbose/debug options.

# I wish git would work with this. If it would, it'd be possible
# to use 'hosts: files tls' in nsswitch.conf (curl and alpine still
# wouldn't work, but there are decent workarounds for those).

# By default, when the daemon runs as root, it switches UID/GID to
# daemon/daemon. This seems fine to me. It would be possible to
# reserve a UID/GID and build with -Duser=<blah> -Dgroup=<blah>, if
# there were any real need for it.

cd $(dirname $0) ; CWD=$(pwd)

PRGNAM=nss-tls
VERSION=${VERSION:-1.1}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
PKGTYPE=${PKGTYPE:-tgz}

if [ -z "$ARCH" ]; then
case "$( uname -m )" in
i?86) ARCH=i586 ;;
arm*) ARCH=arm ;;
*) ARCH=$( uname -m ) ;;
esac
fi

if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
exit 0
fi

TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}

if [ "$ARCH" = "i586" ]; then
SLKCFLAGS="-O2 -march=i586 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "i686" ]; then
SLKCFLAGS="-O2 -march=i686 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -fPIC"
LIBDIRSUFFIX="64"
else
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
fi

set -e

rm -rf $PKG
mkdir -p $TMP $PKG $OUTPUT
cd $TMP
rm -rf $PRGNAM-$VERSION
tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
cd $PRGNAM-$VERSION
chown -R root:root .
find -L . -perm /111 -a \! -perm 755 -a -exec chmod 755 {} + -o \
\! -perm /111 -a \! -perm 644 -a -exec chmod 644 {} +

# This patch makes the client and server agree on the per-user socket path.
patch -p1 < $CWD/per_user_dir.diff

mkdir build
cd build
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
meson .. \
--buildtype=release \
--infodir=/usr/info \
--libdir=/usr/lib${LIBDIRSUFFIX} \
--localstatedir=/var \
--mandir=/usr/man \
--prefix=/usr \
--sysconfdir=/etc \
-Dstrip=true
"${NINJA:=ninja}"
DESTDIR=$PKG $NINJA install
cd ..

gzip -9 $PKG/usr/man/man*/*
rm -f $PKG/etc/nss-tls.conf
cat $CWD/nss-tls.conf > $PKG/etc/nss-tls.conf.new

install -D -m0755 -oroot -groot $CWD/nss-tlsd-user.sh $PKG/usr/bin/nss-tlsd-user

mkdir -p $PKG/etc/rc.d $PKG/etc/default
cat $CWD/rc.nss-tlsd > $PKG/etc/rc.d/rc.nss-tlsd
cat $CWD/nss-tlsd.default > $PKG/etc/default/nss-tlsd.new
chmod 755 $PKG/etc/rc.d/rc.nss-tlsd

PKGDOC=$PKG/usr/doc/$PRGNAM-$VERSION
mkdir -p $PKGDOC
cp -a AUTHORS COPYING README* $PKGDOC
cat $CWD/README_SBo.txt > $PKGDOC/README_SBo.txt
cat $CWD/$PRGNAM.SlackBuild > $PKGDOC/$PRGNAM.SlackBuild

mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
cat $CWD/doinst.sh > $PKG/install/doinst.sh

cd $PKG
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE
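Review bot: the comment above `patch -p1 < $CWD/per_user_dir.diff` should say which side the patch moves and to where, so the next VERSION bump can tell whether it is still needed: the diff touches only nss-tls.c (the NSS module, i.e. the client side) and changes its per-user socket directory from $XDG_RUNTIME_DIR to $HOME/.cache, which is where nss-tlsd-user.sh expects the daemon's socket (~/.cache/nss-tlsd.sock). "Makes the client and server agree" is true but does not tell a future maintainer which of the two was changed or why.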
network/nss-tls/nss-tls.conf (Normal file, 27 additions)
@ -0,0 +1,27 @@
# nss-tls.conf - config for nss-tlsd daemon, part of nss-tls SBo package.

# The only setting here is 'resolvers=', which must be a comma-separated
# list of one or more DNS-over-HTTPS server URLs. Although it's possible
# to use hostnames, it's better to use IP addresses in the URLs.

# There's a list of public DoH servers found by port-scanning, here:
# https://zenodo.org/records/4923371

# Or, you could run your own (with unbound).

# Do not remove this line:
[global]

# Google, DNS9, Cloudflare. These are the default servers from Debian's
# nss-tls package.
resolvers=https://9.9.9.9/dns-query,https://1.1.1.1/dns-query,https://8.8.8.8/dns-query

# AdGuards's default (ad/tracker blocking, but no content filtering) servers.
# These can be IPv6, too. See https://adguard-dns.io/en/public-dns.html
# resolvers=https://94.140.14.14/dns-query,https://94.140.15.15/dns-query

# AdGuards's non-filtering servers
# resolvers=https://94.140.14.140/dns-query,https://94.140.15.141/dns-query

# AdGuards's "family protection" content-filtering server
# resolvers=https://94.140.14.15/dns-query,https://94.140.15.16/dns-query
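Review bot: "DNS9" in the comment above `resolvers=` should be "Quad9" (the operator of 9.9.9.9, and the name the README uses), and the comment lists Google, Quad9, Cloudflare while the line lists them as Quad9, Cloudflare, Google; since nss-tlsd.default says -r (random server) is off by default, list order presumably decides which server gets the queries, so the comment should match the line and say what the order means. "AdGuards's" should be "AdGuard's" (three occurrences). One caveat is worth adding beside the zenodo link: a list "found by port-scanning" enumerates hosts that answer DoH, not operators anyone has vetted, and whatever resolver goes in this file sees every name this machine looks up, so it should be picked on trust and a published privacy policy, not on appearing in a scan.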
network/nss-tls/nss-tls.info (Normal file, 10 additions)
@ -0,0 +1,10 @@
PRGNAM="nss-tls"
VERSION="1.1"
HOMEPAGE="https://github.com/dimkr/nss-tls/"
DOWNLOAD="https://github.com/dimkr/nss-tls/archive/1.1/nss-tls-1.1.tar.gz"
MD5SUM="a9e8c63856bf63ad2d1bedf46a01a48d"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES=""
MAINTAINER="B. Watson"
EMAIL="urchlay@slackware.uk"
network/nss-tls/nss-tlsd-user.sh (Normal file, 20 additions)
@ -0,0 +1,20 @@
#!/bin/bash

# Launch a per-user nss-tlsd process, with caching.
# Part of the SBo nss-tls build, by B. Watson, WTFPL licensed.
# Other distributions use systemd to launch this when a user logs
# in, we have to have users launch it from e.g. .bash_profile. This
# wrapper script simplifies the setup.

# Note that launching the user daemon isn't required, but since the
# system daemon doesn't do caching for security reasons, the user
# daemon might help performance a bit.

# Using setsid --fork here prevents this script from hanging around
# waiting for nss-tlsd to exit.

if [ -x /usr/sbin/nss-tlsd ]; then
[ -e ~/.cache/nss-tlsd.sock ] || setsid --fork /usr/sbin/nss-tlsd -c &>/dev/null &
fi

exit 0
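Review bot: `[ -e ~/.cache/nss-tlsd.sock ]` tests for the socket file, not for a listening daemon. per_user_dir.diff moves the per-user socket out of $XDG_RUNTIME_DIR, a per-login tmpfs that goes away with the session, into ~/.cache, which persists across logout, crashes and reboots; so a socket left behind by a killed daemon means this script never starts one again, and every lookup falls through to the system daemon (or the "dns" fallback) with no message. Check for a live process instead, e.g. `pgrep -u "$USER" -x nss-tlsd >/dev/null || ...`, and remove the stale socket before launching. It would also be worth confirming that the daemon creates ~/.cache when it is missing, since the patched client only assumes the directory exists.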
network/nss-tls/nss-tlsd.default (Normal file, 8 additions)
@ -0,0 +1,8 @@
# Default options for the nss-tlsd daemon:
#
# Supported options:
# -c: cache results. This is really intended for per-user daemons.
# -r: use a random server, when multiple servers are configured.
# By default, all the above are disabled.

NSS_TLSD_OPTS=""
network/nss-tls/per_user_dir.diff (Normal file, 23 additions)
@ -0,0 +1,23 @@
diff -Naur nss-tls-1.1/nss-tls.c nss-tls-1.1.patched/nss-tls.c
--- nss-tls-1.1/nss-tls.c 2020-07-16 19:09:59.000000000 -0400
+++ nss-tls-1.1.patched/nss-tls.c 2024-01-17 15:57:03.989437314 -0500
@@ -68,7 +68,7 @@
if (geteuid() == 0)
strcpy(sun.sun_path, NSS_TLS_SOCKET_PATH);
else {
- dir = getenv("XDG_RUNTIME_DIR");
+ dir = getenv("HOME");
if (dir) {
len = strlen(dir);
if (len > sizeof(sun.sun_path) - sizeof("/"NSS_TLS_SOCKET_NAME))
@@ -77,6 +77,10 @@
memcpy(sun.sun_path, dir, len);
sun.sun_path[len] = '/';
++len;
+ memcpy(sun.sun_path + len, ".cache", 6);
+ len += 6;
+ sun.sun_path[len] = '/';
+ ++len;
strncpy(sun.sun_path + len,
NSS_TLS_SOCKET_NAME,
sizeof(sun.sun_path) - len);
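Review bot: the bound check in the first hunk is not updated for what the second hunk appends. `if (len > sizeof(sun.sun_path) - sizeof("/"NSS_TLS_SOCKET_NAME))` reserves room for "<dir>/<socket name>" plus the NUL, but the second hunk then writes ".cache" and another '/' (7 more bytes) after the first slash, before the final `strncpy(sun.sun_path + len, NSS_TLS_SOCKET_NAME, sizeof(sun.sun_path) - len)`. A $HOME long enough to pass the old check but not to fit the new layout makes that strncpy cut the socket name short and leave sun_path without a terminating NUL, so the client quietly tries a wrong path instead of failing the length check. Make the check `sizeof("/.cache/"NSS_TLS_SOCKET_NAME)` and use one macro for the directory name in place of the literal ".cache" and the bare 6, so the two hunks cannot drift apart again.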
network/nss-tls/rc.nss-tlsd (Normal file, 55 additions)
@ -0,0 +1,55 @@
#!/bin/sh

# rc.nss-tlsd - by B. Watson (urchlay@slackware.uk). Part of the
# SlackBuilds.org nss-tlsd package. WTFPL licensed.

DAEMON=/usr/sbin/nss-tlsd
PIDFILE=/run/nss-tlsd.pid

[ -f /etc/default/nss-tlsd ] && . /etc/default/nss-tlsd

# we try to make sure not only that the PID file exists, but that the
# PID is actually that of a running nss-tlsd process. the 'cut' stuff
# is in case the package was upgraded, which results in /proc/<pid>/exe
# pointing to "/usr/sbin/nss-tlsd (deleted)".
daemon_is_running() {
[ -e "$PIDFILE" ] || return 1
[ "$( readlink /proc/$( cat $PIDFILE )/exe 2>/dev/null | cut -d' ' -f1 )" = "$DAEMON" ] || return 1
return 0
}

start_daemon() {
if daemon_is_running; then
echo "$DAEMON is already running, PID $( cat $PIDFILE )"
else
echo "Starting $DAEMON"
nohup $DAEMON $NSS_TLSD_OPTS >/dev/null 2>&1 &
echo "${!}" > $PIDFILE
fi
}

stop_daemon() {
if daemon_is_running; then
echo "Stopping $DAEMON"
kill "$( cat $PIDFILE )"
sleep 1
kill -9 "$( cat $PIDFILE )" >/dev/null 2>&1
rm -f $PIDFILE
else
echo "$DAEMON not running"
fi
}

# most rc scripts don't need this: daemons will fail to start as non-root.
# this one is designed to work either way.
if [ "$(id -u)" != "0" ]; then
echo "$0: must run as root."
exit 1
fi

case "$1" in
start|"") start_daemon ;;
stop) stop_daemon ;;
restart) stop_daemon; sleep 1; start_daemon ;;
*) echo "Usage: $0 start|stop|restart" ;;
esac
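Review bot: the stale-pidfile case is only half handled. daemon_is_running() rightly refuses to trust /run/nss-tlsd.pid unless /proc/<pid>/exe is $DAEMON, but stop_daemon removes the file only in the branch where the daemon was running; after an unclean shutdown `stop` prints "$DAEMON not running" and leaves the stale file in place until the next `start` overwrites it. Move `rm -f $PIDFILE` after the if/else so stop always cleans up. Also, the header says "nss-tlsd package" but the package is nss-tls.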
network/nss-tls/slack-desc (Normal file, 19 additions)
@ -0,0 +1,19 @@
# HOW TO EDIT THIS FILE:
# The "handy ruler" below makes it easier to edit a package description.
# Line up the first '|' above the ':' following the base package name, and
# the '|' on the right side marks the last column you can put a character in.
# You must make exactly 11 lines for the formatting to be correct. It's also
# customary to leave one space after the ':' except on otherwise blank lines.

|-----handy-ruler------------------------------------------------------|
nss-tls: nss-tls (DNS-over-HTTPS resolver)
nss-tls:
nss-tls: nss-tls is an alternative, encrypted name resolving library for Linux
nss-tls: distributions with glibc which uses DNS-over-HTTPS. The glibc name
nss-tls: resolver can be configured through nsswitch.conf(5) to use nss-tls
nss-tls: instead of the DNS resolver, or fall back to DNS when nss-tls fails.
nss-tls:
nss-tls:
nss-tls:
nss-tls:
nss-tls: