Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ NOTE: Add new changes BELOW THIS COMMENT.

### Security

- The H2C connection establishment via HTTP/1.1 request upgrade is no longer supported. See [RFC 9113][rfc9113].

- Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in [1.26.4][go-1.26.4].

- The size of rulelists is limited. This is necessary to prevent a user's machine from becoming overloaded if the filter source misbehaves.
Expand All @@ -38,16 +40,15 @@ NOTE: Add new changes BELOW THIS COMMENT.

- The `filtering` object of the YAML configuration now includes a new property, `max_http_size`, which defines the maximum size of the HTTP request for rulelists. To disable the limitation, set a large size, such as `1 TB`.

### Deprecated

- The h2c connection establishment via HTTP/1.1 request upgrade is deprecated. Use the Prior Knowledge mechanism instead. See [RFC 9113][rfc9113].

### Fixed

- Invalid AA flag in DNS responses ([#7955]).

- The parsing of the `ech` parameter in DNS rewrite rules for the HTTPS record type ([#8276]).

- Blocked services check on the Custom filtering rules page does not work properly without specifying of a client.

[#7955]: https://github.com/AdguardTeam/AdGuardHome/issues/7955
[#8276]: https://github.com/AdguardTeam/AdGuardHome/issues/8276
[go-1.26.4]: https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw
[rfc9113]: https://datatracker.ietf.org/doc/html/rfc9113
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ go 1.26.4

require (
github.com/AdguardTeam/dnscrypt v0.0.1
github.com/AdguardTeam/dnsproxy v0.82.0
github.com/AdguardTeam/dnsproxy v0.82.1
github.com/AdguardTeam/golibs v0.35.13
github.com/AdguardTeam/urlfilter v0.23.2
github.com/NYTimes/gziphandler v1.1.1
Expand Down
4 changes: 4 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ github.com/AdguardTeam/dnscrypt v0.0.1 h1:TWaEbHjuKkMCNpXANv70aPlTQsLFrjRFdIwdJU
github.com/AdguardTeam/dnscrypt v0.0.1/go.mod h1:qCFs51rLfNzEDZqb6nz1tocVLnEearJ1zng6O3I6ecA=
github.com/AdguardTeam/dnsproxy v0.82.0 h1:a2HUCIM0UBQWh2t97xSAcdKP0TJK5/3tL449Sy67yFA=
github.com/AdguardTeam/dnsproxy v0.82.0/go.mod h1:ZXZIte3oksofqsFNmEfRr34fAL7xg8Pw+sj91HEGQ58=
github.com/AdguardTeam/dnsproxy v0.82.1-0.20260701081753-a2215046020c h1:xPVadjGX8exYIN3JiPeXL1AtCeLmBnrYr1aflAAlca4=
github.com/AdguardTeam/dnsproxy v0.82.1-0.20260701081753-a2215046020c/go.mod h1:ZXZIte3oksofqsFNmEfRr34fAL7xg8Pw+sj91HEGQ58=
github.com/AdguardTeam/dnsproxy v0.82.1 h1:9O9eKH1M+75k7Ge2lpAvZF+mfSwYZEc6gGQTRASZ7kU=
github.com/AdguardTeam/dnsproxy v0.82.1/go.mod h1:ZXZIte3oksofqsFNmEfRr34fAL7xg8Pw+sj91HEGQ58=
github.com/AdguardTeam/golibs v0.35.13 h1:sflm5/sWhiGwUXNAZObiqVMkdg8HeYVFK2A0oJ27hbU=
github.com/AdguardTeam/golibs v0.35.13/go.mod h1:8EEGG4auTDd8HV3tBETXLkuxDH9lk9vvFbJn+wbmypg=
github.com/AdguardTeam/urlfilter v0.23.2 h1:EiS/PQZO/X2S6cduFW6BBoRLyjd6SqZj1ZiFbU1KaFE=
Expand Down
50 changes: 23 additions & 27 deletions internal/home/web.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,6 @@ import (
"github.com/AdguardTeam/golibs/osutil/executil"
"github.com/NYTimes/gziphandler"
"github.com/quic-go/quic-go/http3"
"golang.org/x/net/http2"

//lint:ignore SA1019 See AGDNS-4111.
"golang.org/x/net/http2/h2c"
)

// TODO(a.garipov): Make configurable.
Expand Down Expand Up @@ -270,26 +266,13 @@ func (web *webAPI) start(ctx context.Context) {
printHTTPAddresses(ctx, web.logger, urlutil.SchemeHTTP, web.tlsManager)
errs := make(chan error, 2)

hdlr := withMiddlewares(web.conf.mux, limitRequestBody)

logger := web.baseLogger.With(loggerKeyServer, "plain")
hdlr := web.wrapMux(logger)

// TODO(a.garipov): Remove other logs like this in other code.
logMw := httputil.NewLogMiddleware(logger, slog.LevelDebug)
hdlr = logMw.Wrap(hdlr)

hdlr = web.auth.middleware().Wrap(hdlr)

// Use an h2c handler to support unencrypted HTTP/2, e.g. for proxies.
//
// NOTE: The auth middleware must be inside the h2c handler to ensure
// it applies to upgraded HTTP/2 connections as well. See AG-51779.
//
// TODO(f.setrakov): Use stdlib HTTP/2 when its compatibility issues are
// resolved.
//
//lint:ignore SA1019 See AGDNS-4111.
hdlr = h2c.NewHandler(hdlr, &http2.Server{})
// Enable unencrypted HTTP/2, e.g. for proxies.
protocols := &http.Protocols{}
protocols.SetUnencryptedHTTP2(true)
protocols.SetHTTP1(true)

// Create a new instance, because the Web is not usable after Shutdown.
web.httpServer = &http.Server{
Expand All @@ -299,6 +282,7 @@ func (web *webAPI) start(ctx context.Context) {
ReadHeaderTimeout: web.conf.ReadHeaderTimeout,
WriteTimeout: web.conf.WriteTimeout,
ErrorLog: slog.NewLogLogger(logger.Handler(), slog.LevelError),
Protocols: protocols,
}
go func() {
defer slogutil.RecoverAndLog(ctx, logger)
Expand All @@ -319,6 +303,17 @@ func (web *webAPI) start(ctx context.Context) {
}
}

// wrapMux wraps mux with common middlewares. l must not be nil.
func (web *webAPI) wrapMux(l *slog.Logger) (h http.Handler) {
h = withMiddlewares(web.conf.mux, limitRequestBody)

// TODO(a.garipov): Remove other logs like this in other code.
logMw := httputil.NewLogMiddleware(l, slog.LevelDebug)
h = logMw.Wrap(h)

return web.auth.middleware().Wrap(h)
}

// close gracefully shuts down the HTTP servers.
func (web *webAPI) close(ctx context.Context) {
web.logger.InfoContext(ctx, "stopping http server")
Expand Down Expand Up @@ -372,13 +367,11 @@ func (web *webAPI) serveTLS(ctx context.Context) (next bool) {
addr := netip.AddrPortFrom(web.conf.BindAddr.Addr(), portHTTPS).String()
logger := web.baseLogger.With(loggerKeyServer, "https")

// TODO(a.garipov): Remove other logs like this in other code.
logMw := httputil.NewLogMiddleware(logger, slog.LevelDebug)
hdlr := logMw.Wrap(withMiddlewares(web.conf.mux, limitRequestBody))
hdlr := web.wrapMux(logger)

web.httpsServer.server = &http.Server{
Addr: addr,
Handler: web.auth.middleware().Wrap(hdlr),
Handler: hdlr,
TLSConfig: &tls.Config{
Certificates: []tls.Certificate{web.httpsServer.cert},
RootCAs: web.tlsManager.rootCerts,
Expand Down Expand Up @@ -432,6 +425,9 @@ func (web *webAPI) waitForTLSReady() (ok bool) {
func (web *webAPI) mustStartHTTP3(ctx context.Context, address string) {
defer slogutil.RecoverAndExit(ctx, web.logger, osutil.ExitCodeFailure)

logger := web.baseLogger.With(loggerKeyServer, "http3")
hdlr := web.wrapMux(logger)

web.httpsServer.server3 = &http3.Server{
// TODO(a.garipov): See if there is a way to use the error log as
// well as timeouts here.
Expand All @@ -442,7 +438,7 @@ func (web *webAPI) mustStartHTTP3(ctx context.Context, address string) {
CipherSuites: web.tlsManager.customCipherIDs,
MinVersion: tls.VersionTLS12,
},
Handler: web.auth.middleware().Wrap(withMiddlewares(web.conf.mux, limitRequestBody)),
Handler: hdlr,
}

web.logger.DebugContext(ctx, "starting http/3 server")
Expand Down
Loading
Loading