Debian 使用Nginx + SmartDNS 建DoH

删除默认源的Nginx（如果安装了Nginx）

sudo apt remove nginx-*

配置Nginx官方源

Nginx Debian Packages Install

安装Nginx的njs模块

sudo apt install nginx-module-njs

打开/etc/nginx/nginx.conf，在顶层添加以下配置加载模块

load_module modules/ngx_http_js_module.so;
load_module modules/ngx_stream_js_module.so;

下载SmartDNS的deb安装

SmartDNS

sudo apt install smartdns.*

配置tcp端口

修改/etc/smartdns/smartdns.conf添加以下配置

bind 127.0.0.1:53
bind-tcp 127.0.0.1:53

其余关于SmartDNS的配置参考SmartDNS Doc

配置Nginx

参考Using NGINX as a DoT or DoH Gateway
下载nginx-dns，拷贝njs.d目录到/etc/nginx/目录下
编辑/etc/nginx/nginx.conf，在文件末尾追加以下配置

stream {
    js_import /etc/nginx/njs.d/dns/dns.js;

    # DNS upstream pool
    upstream dns {
        zone dns 64k;
        server 127.0.0.1:53;
    }

    # DNS over HTTPS (gateway) service
    # This time we’ve used a DoT upstream
    server {
        listen 127.0.0.1:8053;
        js_filter dns.filter_doh_request;
        proxy_ssl on;
        proxy_pass dot;
    }
}

新增Nginx文件配置文件/etc/nginx/sites-available/doh.conf

sudo nano /etc/nginx/sites-available/doh.conf

添加以下配置：

# This is our upstream connection to the njs translation process
upstream dohloop {
    zone dohloop 64k;
    server 127.0.0.1:8053;
}

# This virtual server accepts HTTP/2 over HTTPS
server {
    listen 443 ssl http2;
    ssl_certificate /etc/nginx/ssl/certs/doh.local.pem;
    ssl_certificate_key /etc/nginx/ssl/private/doh.local.pem;

    # Return 404 for non-DoH requests
    location / {
        return 404 "404 Not Found\n";
    }

    # Here we downgrade the HTTP/2 request to HTTP/1.1 and forward it to
    # the DoH loop service
    location /dns-query {
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass http://dohloop;
    }
}

修改证书地址为自己域名的证书。

启动服务

sudo ln -s /etc/nginx/sites-available/doh.conf /etc/nginx/sites-enabled/doh.conf

sudo systemctl enable smartdns
sudo systemctl enable nginx
sudo systemctl start smartdns
sudo systemctl start nginx