# Upstream pool of plaintext DNS resolvers that sit behind the DoT listener.
# Only the local resolver on loopback is listed, so queries that have been
# decrypted by nginx never leave this host in cleartext.
upstream dns-servers {
    server 127.0.0.1:53;   # local resolver, TCP port 53 on loopback
    zone dns 64k;          # shared-memory zone so all workers share peer state
}
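# DoT (DNS over TLS, RFC 7858) listener.
# nginx terminates TLS here and forwards the decrypted DNS-over-TCP stream to
# the resolver in the dns-servers upstream. Queries leave this process in
# cleartext, so that upstream must stay on loopback or a trusted network.
server {
    listen *:853 ssl;        # 853/tcp is the IANA-assigned DoT port
    proxy_pass dns-servers;
    # proxy_timeout is not set, so the stream module default (10m) bounds idle
    # client connections; lower it if many DoT clients hold connections open.

    # Certificate and key issued by Certbot for doh.example.com. Keep the
    # private key readable only by root / the nginx master process.
    ssl_certificate /etc/letsencrypt/live/doh.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/doh.example.com/privkey.pem; # managed by Certbot

    # Session resumption through the shared server-side cache only. Tickets
    # stay off: with no ssl_session_ticket_key configured nginx keeps one
    # random ticket key until reload, which would undermine forward secrecy
    # across the 4h resumption window.
    ssl_session_cache shared:DoT:10m;
    ssl_session_timeout 4h;
    ssl_session_tickets off;

    # TLS 1.2 and 1.3 only. The TLS 1.2 suite list is restricted to ECDHE
    # (forward-secret) AEAD suites; the CBC-HMAC suites the earlier list
    # allowed (ECDHE-*-AES*-SHA256 / -SHA384) are dropped because they are
    # not AEAD and are excluded from current hardening profiles. TLS 1.3
    # suites are not governed by ssl_ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    # Drop clients that stall the handshake so they cannot hold workers open.
    ssl_handshake_timeout 10s;
}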