## # Individual DoH server entries, one server per resolver. # These establish proxy ports that the upstream resolvers # can be reached via. ## server { listen 8001 default_server; server_name _; location / { proxy_pass https://dns.google; add_header X-Resolved-By $upstream_addr always; } } server { listen 8002 default_server; server_name _; location / { proxy_pass https://cloudflare-dns.com; add_header X-Resolved-By $upstream_addr always; } } server { listen 8003 default_server; server_name _; location / { proxy_pass https://doh.opendns.com; add_header X-Resolved-By $upstream_addr always; } } server { listen 8004 default_server; server_name _; location / { proxy_pass https://doh.42l.fr/dns-query; add_header X-Resolved-By $upstream_addr always; } } ## # Aggregate our resolver proxies into a single upstream ## upstream dohproviders { server 127.0.0.1:8001; server 127.0.0.1:8002; server 127.0.0.1:8003; server 127.0.0.1:8004; } server { listen [::]:443 ssl http2 ipv6only=on; listen 443 ssl http2; server_name _; # Changeme: if you put your static site root elsewhere, change that here root /srv/proxy_static; ## # SSL Configuration # Changme: you'll need to change these to reflect your actual cert and key location ## ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; # not all of these are compatible with all nginx versions # sourced from https://cipherli.st/ ssl_protocols TLSv1.3 TLSv1.2; # Requires nginx >= 1.13.0 else use TLSv1.2 ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/dhparam.pem; ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; # Requires nginx >= 1.5.9 ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; ## # Actual DNS endpoint ## location /dns-query { proxy_pass http://dohproviders; } ## # Secondary ".well-known" endpoint ## location /.well-known/dns-query { rewrite ^/\.well-known/(.*) /$1 break; proxy_pass http://dohproviders; } ## # Default greeting page for web browsers ## location / { index index.html; } } ## # HTTP => HTTPS redirect ## server { listen 80 default_server; server_name _; return 301 https://$host$request_uri; }