Update deps

Fixes #103

.github/workflows/issues.yml

@@ -0,0 +1,17 @@
+name: Close inactive issues
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v9
+        with:
+          stale-issue-message: "This issue is stale because it has been open for 30 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -16,7 +16,9 @@ jobs:
 
       - uses: actions/checkout@v3
 
-      - uses: goto-bus-stop/setup-zig@v2
+      - uses: mlugg/setup-zig@v1
+        with:
+          version: 0.10.1
 
       - uses: hecrj/setup-rust-action@master
         with:
@@ -31,42 +33,58 @@ jobs:
       - name: Install cargo-deb
         run: cargo install cargo-deb
 
+      - name: Install cargo-generate-rpm
+        run: cargo install cargo-generate-rpm
+
       - name: Install cargo-zigbuild
         run: cargo install cargo-zigbuild
 
       - name: Release build Linux-x86-64
         run: |
           rustup target add x86_64-unknown-linux-musl
-          env RUSTFLAGS="-C link-arg=-s" cargo zigbuild --release --target x86_64-unknown-linux-musl
+          env RUSTFLAGS="-C strip=symbols" cargo zigbuild --release --target x86_64-unknown-linux-musl
           mkdir doh-proxy
           mv target/x86_64-unknown-linux-musl/release/doh-proxy doh-proxy/
           cp README.md localhost.pem doh-proxy/
-          tar cJpf doh-proxy_${{ steps.get_version.outputs.VERSION }}_linux-x86_64.tar.bz2 doh-proxy
+          tar cjpf doh-proxy_${{ steps.get_version.outputs.VERSION }}_linux-x86_64.tar.bz2 doh-proxy
           rm -fr doh-proxy
 
       - name: Release build Linux-aarch64
         run: |
           rustup target add aarch64-unknown-linux-musl
-          env RUSTFLAGS="-C link-arg=-s" cargo zigbuild --release --target aarch64-unknown-linux-musl
+          env RUSTFLAGS="-C strip=symbols" cargo zigbuild --release --target aarch64-unknown-linux-musl
           mkdir doh-proxy
           mv target/aarch64-unknown-linux-musl/release/doh-proxy doh-proxy/
           cp README.md localhost.pem doh-proxy/
-          tar cJpf doh-proxy_${{ steps.get_version.outputs.VERSION }}_linux-aarch64.tar.bz2 doh-proxy
+          tar cjpf doh-proxy_${{ steps.get_version.outputs.VERSION }}_linux-aarch64.tar.bz2 doh-proxy
           rm -fr doh-proxy
 
       - name: Release build Windows-x86_64
         run: |
           rustup target add x86_64-pc-windows-gnu
-          env RUSTFLAGS="-C link-arg=-s" cargo zigbuild --release --target x86_64-pc-windows-gnu
+          env RUSTFLAGS="-C strip=symbols" cargo zigbuild --release --target x86_64-pc-windows-gnu
           mkdir doh-proxy
           mv target/x86_64-pc-windows-gnu/release/doh-proxy.exe doh-proxy/
           cp README.md localhost.pem doh-proxy/
           zip -9 -r doh-proxy_${{ steps.get_version.outputs.VERSION }}_windows-x86_64.zip doh-proxy
           rm -fr doh-proxy
 
-      - name: Debian package
+      - name: Debian packages
         run: |
-          cargo deb
+          rustup target add x86_64-unknown-linux-musl
+          env RUSTFLAGS="-C strip=symbols" cargo deb --no-strip --cargo-build=zigbuild --target=x86_64-unknown-linux-musl
+          rustup target add aarch64-unknown-linux-musl
+          env RUSTFLAGS="-C strip=symbols" cargo deb --no-strip --cargo-build=zigbuild --target=aarch64-unknown-linux-musl
+
+      - name: RPM packages
+        run: |
+          rustup target add x86_64-unknown-linux-gnu
+          env RUSTFLAGS="-C strip=symbols" cargo-zigbuild build --target=x86_64-unknown-linux-gnu.2.17 --release
+          mv target/x86_64-unknown-linux-musl/release/doh-proxy target/release/
+          cargo generate-rpm --target x86_64-unknown-linux-gnu
+          rustup target add aarch64-unknown-linux-gnu
+          env RUSTFLAGS="-C strip=symbols" cargo-zigbuild build --target=aarch64-unknown-linux-gnu.2.17 --release
+          cargo generate-rpm --target aarch64-unknown-linux-gnu
 
       - name: Create release
         id: create_release
@@ -79,17 +97,39 @@ jobs:
           draft: true
           prerelease: false
 
-      - name: Upload Debian package
+      - name: Upload Debian package for x86_64
-        id: upload-release-asset-debian
+        id: upload-release-asset-debian-x86_64
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_name: "doh-proxy_${{ steps.get_version.outputs.VERSION }}_amd64.deb"
+          asset_name: "doh-proxy_${{ steps.get_version.outputs.VERSION }}-1_amd64.deb"
-          asset_path: "target/debian/doh-proxy_${{ steps.get_version.outputs.VERSION }}_amd64.deb"
+          asset_path: "target/x86_64-unknown-linux-musl/debian/doh-proxy_${{ steps.get_version.outputs.VERSION }}-1_amd64.deb"
           asset_content_type: application/x-debian-package
 
+      - name: Upload RPM package for x86_64
+        id: upload-release-asset-rpm-x86_64
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_name: "doh-proxy-${{ steps.get_version.outputs.VERSION }}-1.x86_64.rpm"
+          asset_path: "target/x86_64-unknown-linux-gnu/generate-rpm/doh-proxy-${{ steps.get_version.outputs.VERSION }}-1.x86_64.rpm"
+          asset_content_type: application/x-redhat-package-manager
+
+      - name: Upload RPM package for aarch64
+        id: upload-release-asset-rpm-aarch64
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_name: "doh-proxy-${{ steps.get_version.outputs.VERSION }}-1.aarch64.rpm"
+          asset_path: "target/aarch64-unknown-linux-gnu/generate-rpm/doh-proxy-${{ steps.get_version.outputs.VERSION }}-1.aarch64.rpm"
+          asset_content_type: application/x-redhat-package-manager
+
       - name: Upload tarball for linux-x86_64
         id: upload-release-asset-tarball-linux-x86_64
         uses: actions/upload-release-asset@v1

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "doh-proxy"
-version = "0.9.6"
+version = "0.9.11"
 authors = ["Frank Denis <github@pureftpd.org>"]
 description = "A DNS-over-HTTPS (DoH) and ODoH (Oblivious DoH) proxy"
 keywords = ["dns", "https", "doh", "odoh", "proxy"]
@@ -16,10 +16,16 @@ default = ["tls"]
 tls = ["libdoh/tls"]
 
 [dependencies]
-libdoh = { path = "src/libdoh", version = "0.9.6", default-features = false }
+libdoh = { path = "src/libdoh", version = "0.9.9", default-features = false }
 clap = { version = "4", features = ["std", "cargo", "wrap_help", "string"] }
-dnsstamps = "0.1.9"
+dnsstamps = "0.1.10"
-mimalloc = { version = "0.1.32", default-features = false }
+mimalloc = { version = "0.1.44", default-features = false }
+
+[package.metadata.generate-rpm]
+assets = [
+  { source = "target/release/doh-proxy", dest = "/usr/bin/doh-proxy", mode = "755" },
+  { source = "README.md", dest = "/usr/share/doc/doh-proxy/README.md", mode = "644", doc = true },
+]
 
 [package.metadata.deb]
 extended-description = """\

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2018-2023 Frank Denis
+Copyright (c) 2018-2025 Frank Denis
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,4 +1,4 @@
-# doh-proxy
+# ![DoH server (and ODoH - Oblivious DoH server)](logo.png)
 
 A fast and secure DoH (DNS-over-HTTPS) and ODoH (Oblivious DoH) server.
 
@@ -68,13 +68,13 @@ doh-proxy -H 'doh.example.com' -u 127.0.0.1:53 -g 233.252.0.5
 
 Here, `doh.example.com` is the host name (which should match a name included in the TLS certificate), `127.0.0.1:53` is the address of the DNS resolver, and `233.252.0.5` is the public IP address of the DoH server.
 
-## HTTP/2 termination
+## HTTP/2 and HTTP/3 termination
 
-The recommended way to use `doh-proxy` is to use a TLS termination proxy (such as [hitch](https://github.com/varnish/hitch) or [relayd](https://bsd.plumbing/about.html)), a CDN or a web server with proxying abilities as a front-end.
+The recommended way to use `doh-proxy` is to use a TLS termination proxy (such as [hitch](https://github.com/varnish/hitch) or [relayd](https://man.openbsd.org/relayd.8)), a CDN or a web server with proxying abilities as a front-end.
 
 That way, the DoH service can be exposed as a virtual host, sharing the same IP addresses as existing websites.
 
-If `doh-proxy` and the HTTP/2 front-end run on the same host, using the HTTP protocol to communicate between both is fine.
+If `doh-proxy` and the HTTP/2 (/ HTTP/3) front-end run on the same host, using the HTTP protocol to communicate between both is fine.
 
 If both are on distinct networks, such as when using a CDN, `doh-proxy` can handle HTTPS requests, provided that it was compiled with the `tls` feature.
 
@@ -136,7 +136,7 @@ This can be achieved with the `--allow-odoh-post` command-line switch.
 * When using DoH, DNS stamps should include a resolver IP address in order to remove a dependency on non-encrypted, non-authenticated, easy-to-block resolvers.
 * Unlike DNSCrypt where users must explicitly trust a DNS server's public key, the security of DoH relies on traditional public Certificate Authorities. Additional root certificates (required by governments, security software, enterprise gateways) installed on a client immediately make DoH vulnerable to MITM. In order to prevent this, DNS stamps should include the hash of the parent certificate.
 * TLS certificates are tied to host names. But domains expire, get reassigned and switch hands all the time. If a domain originally used for a DoH service gets a new, possibly malicious owner, clients still configured to use the service will blindly keep trusting it if the CA is the same. As a mitigation, the CA should sign an intermediate certificate (the only one present in the stamp), itself used to sign the name used by the DoH server. While commercial CAs offer this, Let's Encrypt currently doesn't.
-* Make sure that the front-end supports HTTP/2 and TLS 1.3.
+* Make sure that the front-end supports at least HTTP/2 and TLS 1.3.
 * Internal DoH servers still require TLS certificates. So, if you are planning to deploy an internal server, you need to set up an internal CA, or add self-signed certificates to every single client.
 
 ## Example usage with `encrypted-dns-server`
@@ -195,10 +195,14 @@ This [Go code snippet](https://gist.github.com/d6cb41742a1ceb54d48cc286f3d5c5fa)
 
 ### Common certificate hashes
 
-* Let's Encrypt R3:
-  * `444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce`
 * Let's Encrypt E1:
   * `cc1060d39c8329b62b6fbc7d0d6df9309869b981e7e6392d5cd8fa408f4d80e6`
+* Let's Encrypt R3:
+  * `444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce`
+* Let's Encrypt R10:
+  * `e644ba6963e335fe765cb9976b12b10eb54294b42477764ccb3a3acca3acb2fc`
+* ZeroSSL:
+  * `9a3a34f727deb9bca51003d9ce9c39f8f27dd9c5242901c2bab1a44e635a0219`
 
 ## Clients
 

src/config.rs

@@ -232,47 +232,50 @@ pub fn parse_opts(globals: &mut Globals) {
     #[cfg(feature = "tls")]
     {
         globals.tls_cert_path = matches
-            .get_one::<PathBuf>("tls_cert_path")
+            .get_one::<String>("tls_cert_path")
             .map(PathBuf::from);
         globals.tls_cert_key_path = matches
-            .get_one::<PathBuf>("tls_cert_key_path")
+            .get_one::<String>("tls_cert_key_path")
             .map(PathBuf::from)
             .or_else(|| globals.tls_cert_path.clone());
     }
 
-    if let Some(hostname) = matches.get_one::<String>("hostname") {
+    match matches.get_one::<String>("hostname") {
-        let mut builder =
+        Some(hostname) => {
-            dnsstamps::DoHBuilder::new(hostname.to_string(), globals.path.to_string());
+            let mut builder =
-        if let Some(public_address) = matches.get_one::<String>("public_address") {
+                dnsstamps::DoHBuilder::new(hostname.to_string(), globals.path.to_string());
-            builder = builder.with_address(public_address.to_string());
+            if let Some(public_address) = matches.get_one::<String>("public_address") {
-        }
+                builder = builder.with_address(public_address.to_string());
-        if let Some(public_port) = matches.get_one::<String>("public_port") {
+            }
-            let public_port = public_port.parse().expect("Invalid public port");
+            if let Some(public_port) = matches.get_one::<String>("public_port") {
-            builder = builder.with_port(public_port);
+                let public_port = public_port.parse().expect("Invalid public port");
-        }
+                builder = builder.with_port(public_port);
-        println!(
+            }
-            "Test DNS stamp to reach [{}] over DoH: [{}]\n",
+            println!(
-            hostname,
+                "Test DNS stamp to reach [{}] over DoH: [{}]\n",
-            builder.serialize().unwrap()
+                hostname,
-        );
+                builder.serialize().unwrap()
+            );
 
-        let mut builder =
+            let mut builder =
-            dnsstamps::ODoHTargetBuilder::new(hostname.to_string(), globals.path.to_string());
+                dnsstamps::ODoHTargetBuilder::new(hostname.to_string(), globals.path.to_string());
-        if let Some(public_port) = matches.get_one::<String>("public_port") {
+            if let Some(public_port) = matches.get_one::<String>("public_port") {
-            let public_port = public_port.parse().expect("Invalid public port");
+                let public_port = public_port.parse().expect("Invalid public port");
-            builder = builder.with_port(public_port);
+                builder = builder.with_port(public_port);
-        }
+            }
-        println!(
+            println!(
-            "Test DNS stamp to reach [{}] over Oblivious DoH: [{}]\n",
+                "Test DNS stamp to reach [{}] over Oblivious DoH: [{}]\n",
-            hostname,
+                hostname,
-            builder.serialize().unwrap()
+                builder.serialize().unwrap()
-        );
+            );
 
-        println!("Check out https://dnscrypt.info/stamps/ to compute the actual stamps.\n")
+            println!("Check out https://dnscrypt.info/stamps/ to compute the actual stamps.\n")
-    } else {
+        }
-        println!(
+        _ => {
+            println!(
             "Please provide a fully qualified hostname (-H <hostname> command-line option) to get \
              test DNS stamps for your server.\n"
         );
+        }
     }
 }

src/libdoh/Cargo.toml

@@ -1,13 +1,13 @@
 [package]
 name = "libdoh"
-version = "0.9.6"
+version = "0.9.11"
 authors = ["Frank Denis <github@pureftpd.org>"]
 description = "DoH and Oblivious DoH library for the rust-doh app"
-keywords = ["dns","https","doh","odoh","proxy"]
+keywords = ["dns", "https", "doh", "odoh", "proxy"]
 license = "MIT"
 homepage = "https://github.com/jedisct1/rust-doh"
 repository = "https://github.com/jedisct1/rust-doh"
-categories = ["asynchronous", "network-programming","command-line-utilities"]
+categories = ["asynchronous", "network-programming", "command-line-utilities"]
 edition = "2018"
 
 [features]
@@ -15,18 +15,31 @@ default = ["tls"]
 tls = ["tokio-rustls"]
 
 [dependencies]
-anyhow = "1.0.68"
+anyhow = "1.0.97"
-arc-swap = "1.6.0"
+arc-swap = "1.7.1"
-base64 = "0.20.0"
+base64 = "0.22.1"
-byteorder = "1.4.3"
+byteorder = "1.5.0"
-bytes = "1.3.0"
+bytes = "1.10.1"
-futures = "0.3.25"
+futures = "0.3.31"
-hyper = { version = "0.14.23", default-features = false, features = ["server", "http1", "http2", "stream"] }
+hyper = { version = "^0.14.32", default-features = false, features = [
-odoh-rs = "1.0.0"
+    "server",
-rand = "0.8.5"
+    "http1",
-tokio = { version = "1.23.0", features = ["net", "rt-multi-thread", "time", "sync"] }
+    "http2",
-tokio-rustls = { version = "0.23.4", features = ["early-data"], optional = true }
+    "stream",
-rustls-pemfile = "1.0.1"
+    "runtime",
+] }
+odoh-rs = "1.0.3"
+rand = "^0.8.5"
+tokio = { version = "1.44.1", features = [
+    "net",
+    "rt-multi-thread",
+    "time",
+    "sync",
+] }
+tokio-rustls = { version = "^0.24.1", features = [
+    "early-data",
+], optional = true }
+rustls-pemfile = "^1.0.4"
 
 [profile.release]
 codegen-units = 1

src/libdoh/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2018-2023 Frank Denis
+Copyright (c) 2018-2025 Frank Denis
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

src/libdoh/src/lib.rs

@@ -11,6 +11,7 @@ use std::pin::Pin;
 use std::sync::Arc;
 use std::time::Duration;
 
+use base64::engine::Engine;
 use byteorder::{BigEndian, ByteOrder};
 use futures::prelude::*;
 use futures::task::{Context, Poll};
@@ -29,10 +30,12 @@ pub mod reexports {
     pub use tokio;
 }
 
-const BASE64_URL_SAFE_NO_PAD: base64::engine::fast_portable::FastPortable =
+const BASE64_URL_SAFE_NO_PAD: base64::engine::GeneralPurpose =
-    base64::engine::fast_portable::FastPortable::from(
+    base64::engine::general_purpose::GeneralPurpose::new(
         &base64::alphabet::URL_SAFE,
-        base64::engine::fast_portable::NO_PAD,
+        base64::engine::general_purpose::GeneralPurposeConfig::new()
+            .with_encode_padding(false)
+            .with_decode_padding_mode(base64::engine::DecodePaddingMode::Indifferent),
     );
 
 #[derive(Clone, Debug)]
@@ -167,9 +170,9 @@ impl DoH {
                 return None;
             }
         }
-        let query = match question_str.and_then(|question_str| {
+        let query = match question_str
-            base64::decode_engine(question_str, &BASE64_URL_SAFE_NO_PAD).ok()
+            .and_then(|question_str| BASE64_URL_SAFE_NO_PAD.decode(question_str).ok())
-        }) {
+        {
             Some(query) => query,
             _ => return None,
         };
@@ -254,10 +257,7 @@ impl DoH {
         content_types: &[&'static str],
     ) -> Option<&'static str> {
         let accept = headers.get(hyper::header::ACCEPT);
-        let accept = match accept {
+        let accept = accept?;
-            None => return None,
-            Some(accept) => accept,
-        };
         for part in accept.to_str().unwrap_or("").split(',').map(|s| s.trim()) {
             if let Some(found) = part
                 .split(';')
@@ -433,7 +433,8 @@ impl DoH {
             .header(
                 hyper::header::CACHE_CONTROL,
                 format!(
-                    "max-age={ttl}, stale-if-error={STALE_IF_ERROR_SECS}, stale-while-revalidate={STALE_WHILE_REVALIDATE_SECS}"
+                    "max-age={ttl}, stale-if-error={STALE_IF_ERROR_SECS}, \
+                     stale-while-revalidate={STALE_WHILE_REVALIDATE_SECS}"
                 )
                 .as_str(),
             );

src/libdoh/src/odoh.rs

@@ -77,7 +77,7 @@ impl ODoHPublicKey {
 
 impl ODoHQueryContext {
     pub fn encrypt_response(self, response_body: Vec<u8>) -> Result<Vec<u8>, DoHError> {
-        let response_nonce = rand::thread_rng().gen::<ResponseNonce>();
+        let response_nonce = rand::thread_rng().r#gen::<ResponseNonce>();
         let response_body_ = ObliviousDoHMessagePlaintext::new(response_body, 0);
         let encrypted_response = odoh_rs::encrypt_response(
             &self.query,

src/libdoh/src/tls.rs

@@ -29,9 +29,7 @@ where
         let mut reader = BufReader::new(File::open(certs_path).map_err(|e| {
             io::Error::new(
                 e.kind(),
-                format!(
+                format!("Unable to load the certificates [{certs_path_str}]: {e}"),
-                    "Unable to load the certificates [{certs_path_str}]: {e}"
-                ),
             )
         })?);
         rustls_pemfile::certs(&mut reader).map_err(|_| {
@@ -52,9 +50,7 @@ where
                 .map_err(|e| {
                     io::Error::new(
                         e.kind(),
-                        format!(
+                        format!("Unable to load the certificate keys [{certs_keys_path_str}]: {e}"),
-                            "Unable to load the certificate keys [{certs_keys_path_str}]: {e}"
-                        ),
                     )
                 })?
                 .read_to_end(&mut encoded_keys)?;
@@ -91,12 +87,9 @@ where
             let server_config_builder = ServerConfig::builder()
                 .with_safe_defaults()
                 .with_no_client_auth();
-            if let Ok(found_config) =
+            match server_config_builder.with_single_cert(certs.clone(), certs_key) {
-                server_config_builder.with_single_cert(certs.clone(), certs_key)
+                Ok(found_config) => Some(found_config),
-            {
+                _ => None,
-                Some(found_config)
-            } else {
-                None
             }
         })
         .ok_or_else(|| {