ServeHTTP is the http.Handler implementation that handles DoH queries. Here is what it returns: - http.StatusNotFound if the request is not encrypted and proxy is not configured to accept unencrypted requests, - http.StatusBadRequest if there is no DNS request data, - http.StatusUnsupportedMediaTy
(w http.ResponseWriter, r *http.Request)
| 196 | // "application/dns-message", |
| 197 | // - http.StatusMethodNotAllowed if request method is not GET or POST. |
| 198 | func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) { |
| 199 | ctx := r.Context() |
| 200 | ctx, cancel := p.reqCtx.New(ctx) |
| 201 | defer cancel() |
| 202 | |
| 203 | p.logger.DebugContext(ctx, "incoming https request", "url", r.URL) |
| 204 | |
| 205 | if !p.HTTPConfig.InsecureEnabled && r.TLS == nil { |
| 206 | statusCode := http.StatusNotFound |
| 207 | http.Error(w, http.StatusText(statusCode), statusCode) |
| 208 | |
| 209 | return |
| 210 | } |
| 211 | |
| 212 | raddr, prx, err := remoteAddr(r, p.logger) |
| 213 | if err != nil { |
| 214 | p.logger.DebugContext(ctx, "getting real ip", slogutil.KeyError, err) |
| 215 | } |
| 216 | |
| 217 | if !p.checkBasicAuth(w, r, raddr) { |
| 218 | return |
| 219 | } |
| 220 | |
| 221 | req, statusCode := newDoHReq(ctx, r, p.logger) |
| 222 | if req == nil { |
| 223 | http.Error(w, http.StatusText(statusCode), statusCode) |
| 224 | |
| 225 | return |
| 226 | } |
| 227 | |
| 228 | if prx.IsValid() { |
| 229 | l := p.logger.With("addr", prx) |
| 230 | |
| 231 | l.DebugContext(ctx, "request came from proxy server") |
| 232 | |
| 233 | if !p.TrustedProxies.Contains(prx.Addr()) { |
| 234 | l.DebugContext(ctx, "proxy is not trusted, using original remote addr") |
| 235 | |
| 236 | // So the address of the proxy itself is used, as the remote address |
| 237 | // parsed from headers cannot be trusted. |
| 238 | // |
| 239 | // TODO(e.burkov): Do not parse headers in this case. |
| 240 | raddr = prx |
| 241 | } |
| 242 | } |
| 243 | |
| 244 | d := p.newDNSContext(ProtoHTTPS, req, raddr) |
| 245 | d.HTTPRequest = r |
| 246 | d.HTTPResponseWriter = w |
| 247 | |
| 248 | err = p.handleDNSRequest(ctx, d) |
| 249 | if err != nil { |
| 250 | p.logger.DebugContext(ctx, "handling dns request", "proto", d.Proto, slogutil.KeyError, err) |
| 251 | } |
| 252 | } |
| 253 | |
| 254 | // checkBasicAuth checks the basic authorization data, if necessary, and if the |
| 255 | // data isn't valid, it writes an error. shouldHandle is false if the request |
nothing calls this directly
no test coverage detected