-
-
Notifications
You must be signed in to change notification settings - Fork 39
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
440 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -22,7 +22,6 @@ _testmain.go | |
| *.exe | ||
| *.test | ||
| *.prof | ||
| sniproxy | ||
| config.yaml | ||
|
|
||
| .TODO.md | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| # you can use environment variables to override the settings provided int he default config or the config file as well | ||
| # to do that use the `SNIPROXY_` prefix, followed by the full tree of the parameter you need to update, separated by two underscores (__) | ||
| # for example, if you want the dns server to be bounded to 0.0.0.0:5555 rather than the default 0.0.0.0:53, you run the sniproxy (or the container) | ||
| # with the following environment variable | ||
| # SNIPROXY_GENERAL__BIND_DNS_OVER_UDP=0.0.0.0:5555 | ||
| # note that there are 2 underscores between general and BIND_DNS_OVER_UDP | ||
| general: | ||
| # Upsteam DNS URI. examples: Upstream DNS URI. examples: udp://1.1.1.1:53, tcp://1.1.1.1:53, tcp-tls://1.1.1.1:853, https://dns.google/dns-query | ||
| upstream_dns: udp://8.8.8.8:53 | ||
| # enable send DNS through socks5 | ||
| upstream_dns_over_socks5: false | ||
| # Use a SOCKS proxy for upstream HTTP/HTTPS traffic. Example: socks5://admin: | ||
| upstream_socks5: | ||
| # DNS Port to listen on. Should remain 53 in most cases. MUST NOT be empty | ||
| bind_dns_over_udp: "0.0.0.0:53" | ||
| # enable DNS over TCP. empty disables it. example: "127.0.0.1:53" | ||
| bind_dns_over_tcp: | ||
| # enable DNS over TLS. empty disables it. example: "127.0.0.1:853" | ||
| bind_dns_over_tls: | ||
| # enable DNS over QUIC. empty disables it. example: "127.0.0.1:8853" | ||
| bind_dns_over_quic: | ||
| # Path to the certificate for DoH, DoT and DoQ. eg: /tmp/mycert.pem | ||
| tls_cert: | ||
| # Path to the certificate key for DoH, DoT and DoQ. eg: /tmp/mycert.key | ||
| tls_key: | ||
| # HTTP Port to listen on. Should remain 80 in most cases | ||
| bind_http: "0.0.0.0:80" | ||
| # HTTPS Port to listen on. Should remain 443 in most cases | ||
| bind_https: "0.0.0.0:443" | ||
| # Enable prometheus endpoint on IP:PORT. example: 127.0.0.1:8080. Always exposes /metrics and only supports HTTP | ||
| bind_prometheus: | ||
| # Interface used for outbound TLS connections. uses OS prefered one if empty | ||
| interface: | ||
| # Public IPv4 of the server, reply address of DNS A queries | ||
| public_ipv4: | ||
| # Public IPv6 of the server, reply address of DNS AAAA queries | ||
| public_ipv6: | ||
| # allow connections from sniproxy to RFC1918 addresses. default is false. | ||
| allow_conn_to_local: false | ||
| # log level for the application. choices: debug, info, warn, error | ||
| # by default, the logs are colored so they are not suited for logging to a file. | ||
| # in order to disable colors, set NO_COLOR=true in the environment variables | ||
| log_level: info | ||
|
|
||
| acl: | ||
| # geoip filtering | ||
| # | ||
| # the logic is as follows: | ||
| # 1. if mmdb is not loaded or not available, it's fail-open (allow by default) | ||
| # 2. if the IP can't be resolved to a country, it's rejected | ||
| # 3. if the country is in the blocked list, it's rejected | ||
| # 4. if the country is in the allowed list, it's allowed | ||
| # note that the reject list is checked first and takes priority over the allow list | ||
| # if the IP's country doesn't match any of the above, it's allowed if the blocked list is not empty | ||
| # for example, if the blockedlist is [US] and the allowedlist is empty, a connection from | ||
| # CA will be allowed. but if blockedlist is empty and allowedlist is [US], a connection from | ||
| # CA will be rejected. | ||
| geoip: | ||
| enabled: false | ||
| # priority of the geoip filter. lower priority means it's checked first, meaning it can be ovveriden by other ACLs with higehr priority number. | ||
| priority: 10 | ||
| # strictly blocked countries | ||
| blocked: | ||
| # allowed countries | ||
| allowed: | ||
| # Path to the MMDB file. eg: /tmp/Country.mmdb, https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb | ||
| path: | ||
| # Interval to re-fetch the MMDB file | ||
| refresh_interval: 24h0m0s | ||
| # domain filtering | ||
| domain: | ||
| enabled: false # false means ALL domains will be allowed to go through the proxy | ||
| # priority of the domain filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order | ||
| priority: 20 | ||
| # Path to the domain list. eg: /tmp/domainlist.csv. Look at the example file for the format. | ||
| path: | ||
| # Interval to re-fetch the domain list | ||
| refresh_interval: 1h0m0s | ||
| # IP/CIDR filtering | ||
| cidr: | ||
| enabled: false | ||
| # priority of the cidr filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order | ||
| priority: 30 | ||
| # Path to the CIDR list. eg: /tmp/cidr.csv. Look at the example file for the format. | ||
| path: | ||
| # Interval to re-fetch the domain list | ||
| refresh_interval: 1h0m0s | ||
| # FQDN override. This ACL is used to override the destination IP to not be the one resolved by the upstream DNS or the proxy itself, rather a custom IP and port | ||
| # if the destination is HTTP, it uses tls_cert and tls_key certificate to terminate the original connection. | ||
| override: | ||
| enabled: false | ||
| # priority of the override filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order | ||
| priority: 40 | ||
| # override rules. unlike others, this one does not require a path to a file. it's a map of FQDNs wildcards to IPs and ports. only HTTPS is supported | ||
| # currently, these rules are checked with a simple for loop and string matching, | ||
| # so it's not suited for a large number of rules. if you have a big list of rules | ||
| # use a reverse proxy in front of sniproxy rather than using sniproxy as a reverse proxy | ||
| rules: | ||
| "one.one.one.one": "1.1.1.1:443" | ||
| "google.com": "8.8.8.8:443" | ||
| # enable listening on DoH on a specific SNI. example: "myawesomedoh.example.com". empty disables it. If you need DoH to be enabled and don't want | ||
| # any other overrides, enable this ACL with empty rules. DoH SNI will add a default rule and start. | ||
| doh_sni: "myawesomedoh.example.com" | ||
| # Path to the certificate for handling tls decryption. eg: /tmp/mycert.pem | ||
| tls_cert: | ||
| # Path to the certificate key handling tls decryption. eg: /tmp/mycert.key | ||
| tls_key: |
Oops, something went wrong.