doc: document http module usage with systemd

parent 0fbcc9b9
......@@ -9,7 +9,7 @@ For when listening on ``localhost`` just doesn't cut it.
If you're using our packages with systemd with sockets support (not supported
on CentOS 7), network interfaces are configured using systemd drop-in files for
``kresd.socket`` and ``kresd-tls.socket``.
``kresd.socket``, ``kresd-tls.socket`` and ``kresd-doh.socket``.
To configure kresd to listen on public interface, create a drop-in file:
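Review bot: the new line `kresd.socket, kresd-tls.socket and kresd-doh.socket` names the DoH socket here, but the caveat that it may ship in a separate `knot-resolver-module-http` package only appears further down in the DoH section; a short parenthetical on this line would save readers from looking for a socket that is not installed. Minor wording in the unchanged context: "listen on public interface" should read "listen on a public interface".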
......@@ -75,6 +75,28 @@ TLS connections.
[Socket]
ListenStream=192.0.2.115:853
.. _kresd-doh-socket-configuration:
To configure socket for DNS-over-HTTPS, make sure you have
``kresd-doh.socket`` installed (it might be part of a separate
``knot-resolver-module-http`` package). Then, you can configure its network
interfaces as above. Also, don't forget to load http module in configuration
file, otherwise the socket won't have any function.
For example, to remove the default localhost:44353 and listen on all interfaces
on port 443, create the following drop-in file for ``kresd-doh.socket``:
.. code-block:: bash
# /etc/systemd/system/kresd-doh.socket.d/override.conf
[Socket]
ListenStream=
ListenStream=[::]:443
Make sure no other service is using port 443, as that will result in
unpredictable behaviour. Alternately, you can use port 44353 where a collision
is unlikely. Also, don't forget to load http module in configuration file.
**Daemon network configuration**
If you don't use systemd with sockets to run kresd, network interfaces are
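Review bot: the paragraph tells the reader to load the http module but says nothing about `http.config` needing a certificate and key (the config templates in this commit show `cert = ...`, `key = ...`, `tls = true`); once the drop-in moves the socket from localhost to `[::]:443` the listener is reachable from the network, so this section should point at the TLS settings, not only at `modules.load('http')`. Two smaller points: "Also, don't forget to load http module in configuration file" appears twice in this hunk (before the example and again after it), so drop one; and the drop-in is a systemd unit fragment, not a shell script, so `.. code-block:: ini` fits better than `bash`. Wording: "To configure socket" should be "To configure the socket", and "Alternately" should be "Alternatively".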
......
......@@ -6,6 +6,14 @@
-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
@config_defaults@
-- For DNS-over-HTTPS and web management when using http module
-- modules.load('http')
-- http.config({
-- cert = '/etc/knot-resolver/mycert.crt',
-- key = '/etc/knot-resolver/mykey.key',
-- tls = true,
-- })
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')
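Review bot: the commented `http.config({ cert = ..., key = ..., tls = true })` example gives no hint about file permissions; because kresd drops root privileges (the `user('@0@', '@1@')` line in the config template elsewhere in this commit), the private key at `key = '/etc/knot-resolver/mykey.key'` must be readable by that unprivileged user, and for the same reason should not be readable by anyone else. A one-line comment such as `-- key must be readable by the kresd user only` would head off both the startup problem and the over-permissive chmod that usually follows it.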
......
......@@ -3,6 +3,14 @@
-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
@config_defaults@
-- For DNS-over-HTTPS and web management when using http module
-- modules.load('http')
-- http.config({
-- cert = '/etc/knot-resolver/mycert.crt',
-- key = '/etc/knot-resolver/mykey.key',
-- tls = true,
-- })
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')
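Review bot: this is the same eight-line commented block added verbatim to four config templates in this commit; since the templates already share `@config_defaults@` via substitution, the http module example (from `-- For DNS-over-HTTPS and web management` through `-- })`) would be better placed in that shared content so the four copies cannot drift apart in later edits.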
......
......@@ -2,6 +2,14 @@
-- Refer to manual: http://knot-resolver.readthedocs.org/en/stable/daemon.html#configuration
@config_defaults@
-- For DNS-over-HTTPS and web management when using http module
-- modules.load('http')
-- http.config({
-- cert = '/etc/knot-resolver/mycert.crt',
-- key = '/etc/knot-resolver/mykey.key',
-- tls = true,
-- })
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')
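Review bot: the unchanged context line `-- Refer to manual: http://knot-resolver.readthedocs.org/...` in this template uses the plain-http `.org` URL while the other three templates in this commit point at `https://knot-resolver.readthedocs.io/...`; since the file is being touched anyway, aligning it to the https `.io` address is a cheap drive-by fix and stops sending users to the manual over cleartext.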
......
......@@ -3,6 +3,14 @@
-- Refer to manual: https://knot-resolver.readthedocs.io/en/stable/daemon.html#configuration
@config_defaults@
-- For DNS-over-HTTPS and web management when using http module
-- modules.load('http')
-- http.config({
-- cert = '/etc/knot-resolver/mycert.crt',
-- key = '/etc/knot-resolver/mykey.key',
-- tls = true,
-- })
-- To disable DNSSEC validation, uncomment the following line (not recommended)
-- trust_anchors.remove('.')
......
......@@ -12,6 +12,12 @@ net.listen('127.0.0.1', 853)
net.listen('::1')
net.listen('::1', 853)
-- Extra interfaces for http module
-- net.listen('127.0.0.1', 44353, { kind = 'doh' })
-- net.listen('::1', 44353, { kind = 'doh' })
-- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
-- net.listen('::1', 8453, { kind = 'webmgmt' })
-- Drop root privileges
user('@0@', '@1@')'''.format(user, group)
endif
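Review bot: the `-- Extra interfaces for http module` comment should say that these listeners only do something once the module is loaded (`modules.load('http')`, which the documentation hunk in this commit stresses for the DoH socket); a reader who uncomments `net.listen('127.0.0.1', 44353, { kind = 'doh' })` without that line will not get a working DoH endpoint. Keeping the `kind = 'webmgmt'` examples on `127.0.0.1` and `::1` only, as written, is the right default; the comment could say so explicitly so nobody copies them onto a public address.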
......
......@@ -104,6 +104,28 @@ compatible with IPv4 syntax in \fIview:addr()\fR when using the view module.
For possible workarounds, see
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/445
To configure socket for DNS-over-HTTPS, make sure you have
\fBkresd-doh.socket\fR installed (it might be part of a separate
knot-resolver-module-http package). Then, you can configure its network
interfaces as above. Also, don't forget to load http module in configuration
file, otherwise the socket won't have any function.
For example, to remove the default localhost:44353 and listen on all interfaces
on port 443, create the following drop-in file for \fBkresd-doh.socket\fR:
.nf
.RS 4n
# /etc/systemd/system/kresd-doh.socket.d/override.conf
[Socket]
ListenStream=
ListenStream=[::]:443
.RE
.fi
Make sure no other service is using port 443, as that will result in
unpredictable behaviour. Alternately, you can use port 44353 where a collision
is unlikely.
For more detailed socket configuration, see \fBsystemd.socket\fR(5).
.B Concurrent daemons
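Review bot: `knot-resolver-module-http` is a package name and should carry the same `\fB...\fR` markup as `\fBkresd-doh.socket\fR` two lines above it, and `localhost:44353` in "to remove the default localhost:44353" should be marked up likewise so the value stands out in the rendered page. Wording: "To configure socket" reads better as "To configure the socket", and "Alternately" as "Alternatively"; and as in the RST version, a pointer to the `http.config` certificate and key settings belongs next to "don't forget to load http module", since the example moves the listener to `[::]:443`.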
......