Added details related to nginx transparent proxy config.

nginx/nginx.conf

@@ -0,0 +1,89 @@
+user root;
+#user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+stream {
+        include /etc/nginx/streams/*;
+}
+
+#mail {
+#	# See sample authentication script at:
+#	# https://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+# 
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+# 
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+# 
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}

nginx/streams/DoT_dns

@@ -0,0 +1,19 @@
+upstream dns-servers {
+    zone dns 64k;
+    server    127.0.0.1:53;
+}
+server {
+    listen 853 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/dns.example.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/dns.example.com/privkey.pem; # managed by Certbot
+    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+    ssl_protocols        TLSv1.2 TLSv1.3;
+    ssl_ciphers          HIGH:!aNULL:!MD5;
+
+    ssl_handshake_timeout    10s;
+    ssl_session_cache        shared:SSL:20m;
+    ssl_session_timeout      4h;
+    proxy_ssl off;
+    proxy_pass dns-servers;
+    proxy_bind $remote_addr transparent;
+}

nginx/transparent-proxy.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=A script to enable transparent Nginx proxy
+After=multi-user.target
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/transparent-proxy
+
+[Install]
+WantedBy=multi-user.target

nginx/transparent-proxy.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+# Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as
+# destination
+sysctl -w net.ipv4.conf.default.route_localnet=1
+sysctl -w net.ipv4.conf.all.route_localnet=1
+
+# DROP martian packets as they would have been if route_localnet was zero
+# Note: packets not leaving the server aren't affected by this, thus sslh/stunnel will
+# still work
+iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
+iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
+
+# Mark all connections made by ssl for special treatment (here stunnel connects to 127.0.0.1)
+iptables -t nat -A OUTPUT -d 127.0.0.1 -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+
+# Outgoing packets that should go to sslh/stunnel/nginx instead have to be rerouted, so mark
+# them accordingly (copying over the connection mark)
+iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
+
+# Configure routing for those marked packets
+ip rule add fwmark 0x1 lookup 100
+ip route add local 0.0.0.0/0 dev lo table 100