Difference between revisions of "Talk:Dnscrypt-proxy"

From ArchWiki
(As you'll see a few edits back I did test this; this is the case.)
(If users who want redundancy / instances have to specify their options on the command line, I have fewer changes to propose.)
Line 50: Line 50:
 
  [Service]
 
  [Service]
 
  ExecStart=
 
  ExecStart=
  ExecStart=/usr/bin/dnscrypt-proxy /etc/dnscrypt-proxy.conf -R short-name.here
+
  ExecStart=/usr/bin/dnscrypt-proxy -R short-name.here
  
 
Save this as a new service file and make a copy of {{ic|dnscrypt-proxy.socket}} from [[#Configuration]] with the new service's name, then change the port in the new socket.
 
Save this as a new service file and make a copy of {{ic|dnscrypt-proxy.socket}} from [[#Configuration]] with the new service's name, then change the port in the new socket.
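Review bot: the replacement ExecStart line no longer passes /etc/dnscrypt-proxy.conf, so an instance started this way reads nothing from that file, including the "User dnscrypt" line proposed further down this page as the root-privilege workaround. The paragraph should say that every option the instance needs has to be given on the command line. The fragment also keeps the empty "ExecStart=" reset, which only makes sense in an override.conf drop-in, while the next sentence says to save it as a new service file; one of the two should change.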
Line 57: Line 57:
 
:{{Comment|If this is the case, it is a bug - the man page says {{ic|OPTIONS (ignored when a configuration file is provided)}}. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:18, 24 January 2017 (UTC)}}
 
:{{Comment|If this is the case, it is a bug - the man page says {{ic|OPTIONS (ignored when a configuration file is provided)}}. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:18, 24 January 2017 (UTC)}}
 
::{{Comment|That's bad news; this is definetly the case. So users who want redundant / instanced services need to specify all their options on the command line and that's fine with me. [[User:Quequotion|quequotion]] ([[User talk:Quequotion|talk]]) 13:34, 24 January 2017 (UTC)}}
 
::{{Comment|That's bad news; this is definetly the case. So users who want redundant / instanced services need to specify all their options on the command line and that's fine with me. [[User:Quequotion|quequotion]] ([[User talk:Quequotion|talk]]) 13:34, 24 January 2017 (UTC)}}
 
===== Create systemd file =====
 
 
First, create {{ic|/etc/systemd/system/dnscrypt-proxy@.service}} containing:
 
 
[Unit]
 
Description=DNSCrypt client proxy
 
Documentation=man:dnscrypt-proxy(8)
 
Requires=dnscrypt-proxy@%i.socket
 
 
[Service]
 
Type=notify
 
NonBlocking=true
 
ExecStart=/usr/bin/dnscrypt-proxy \
 
    /etc/dnscrypt-proxy.conf \
 
    --resolver-name=%i
 
Restart=always
 
  
 
=== dnscrypt runs with root privileges ===
 
=== dnscrypt runs with root privileges ===

Revision as of 13:38, 24 January 2017

Refactoring to include dnscrypt-wrapper information & configuration.

Hello, I'm new so bear with me if I get any of this wrong. I would like to refactor the page to reflect the addition of dnscrypt-wrapper to the AUR. dnscrypt-wrapper is the server-side wrapper for dnscrypt-proxy. Any advice on the best way to do this would be appreciated. Would adding sub-headings for both packages below Installation & Configuration be the best approach?

Thanks MeZee (talk) 17:57, 10 January 2016 (UTC)

Just add it to the Installation section and describe what it does. Rdeckard (talk) 17:13, 23 September 2016 (UTC)

1.8.1 Update: New /etc/dnscrypt-proxy.conf

There's a new configuration file that is not reflected in the article, as well as a new systemd unit. Users should now use that configuration file, but at least for me, the update to 1.8.1 did not break my old units (since I used systemd edit). This is a section for discussing modifications needed for the update. -- Rdeckard (talk) 22:45, 27 December 2016 (UTC)

This may just need to be in an advanced section. [1]. -- Rdeckard (talk) 23:00, 27 December 2016 (UTC)

It seems like the configuration file is not useful if using systemd: [2] -- Rdeckard (talk) 13:18, 28 December 2016 (UTC)

You may be jumping to conclusions. Only the ListenAddress option is discussed there; it cannot be inferred that this means all of the options in the configuration file are ignored if they are already set in the systemd socket/service files. IMHO, if there is an independent configuration file that can set options (and use .pac{new,save}) then it is superior to use it rather than edit the systemd files which are overwritten by every install and less confusing than putting custom options in places like cat /etc/systemd/system/dnscrypt-proxy.{service,socket}.d/override.conf
If it can be done, I think it would be prudent to ship dnscrypt-proxy with systemd files that don't set options that can be set by its native configuration file, and change the wiki to describe setting it up by its own configuration file. quequotion (talk) 12:23, 23 January 2017 (UTC)
And it appears this cannot be done for the socket. If one intends to use systemd to open the socket, the listen address must be set in the socket file or its override.conf. quequotion (talk) 12:36, 23 January 2017 (UTC)
You will need to file a bug report / feature request if you want to make changes with what files are shipped with the package (possibly with both Arch and upstream). This is a place to discuss what needs to be done on the wiki page to reflect that a configuration file is available. -- Rdeckard (talk) 18:00, 23 January 2017 (UTC)
True, but since they'd need to be done simultaneously--and the bug report / feature request will be dismissed out of hand without a proposal here to back it up (and probably dismissed anyway just because), I'm going to go ahead and get started with a changes proposal here first. quequotion (talk) 07:02, 24 January 2017 (UTC)
I have no idea where you are going, but the current dnscrypt-proxy.service looks like this, i.e. it does not specify any option besides the config file path. -- Lahwaacz (talk) 12:13, 24 January 2017 (UTC)
Oh. Is that what's shipping in arch's package? If so, the changes I'm proposing are ready for debate as a (partially) new page. The point is to avoid making changes to the .service file. This file will be overwritten when dnscrypt-proxy gets upgraded, potentially breaking internet connectivity; it's much safer to configure dnscrypt-proxy outside of this file. Furthermore the config file is quite user-friendly; the included dnscrypt-proxy.conf.example documents the options quite well (in English at least). Only users who want to do something special like instanced services should be editing the .service file. quequotion (talk) 13:26, 24 January 2017 (UTC)

Proposal: Configuration by config file

The premise of this proposal is that we would ship dnscrypt-proxy with a systemd service file that does not specify command-line options other than the configuration file:

[Service]
ExecStart=
ExecStart=/usr/bin/dnscrypt-proxy /etc/dnscrypt-proxy.conf

This seems more sane to me as users will not need to edit the service file--which is overwritten by upgrades--to make changes (except for advanced needs like multiple instances) and can avoid several systemctl daemon-reloads, etc. only needing to restart the service after changing the config file. Pending the requisite feature request, maintenance of dnscrypt-proxy can be made much more user-friendly by saving the above lines in /etc/systemd/system/dnscrypt-proxy.service.d/override.conf quequotion (talk) 11:28, 24 January 2017 (UTC)

Select resolver

Select a resolver from /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv and edit /etc/dnscrypt-proxy.conf, using the short name from the csv file's first column. For example, to select dnscrypt.eu-nl as the resolver:

ResolverName dnscrypt.eu-nl
Comment: I think the language change regarding the csv file should go in regardless, but I didn't just go ahead with it in case that only sounds less confusing to me.

Redundant DNSCrypt providers

To use several different dnscrypt providers, edit dnscrypt-proxy.service, using the short name from the first column of dnscrypt-resolvers.csv with -R.

[Service]
ExecStart=
ExecStart=/usr/bin/dnscrypt-proxy -R short-name.here

Save this as a new service file and make a copy of dnscrypt-proxy.socket from #Configuration with the new service's name, then change the port in the new socket.

Comment: command-line options override the configuration file.
Comment: If this is the case, it is a bug - the man page says OPTIONS (ignored when a configuration file is provided). -- Lahwaacz (talk) 13:18, 24 January 2017 (UTC)
Comment: That's bad news; this is definitely the case. So users who want redundant / instanced services need to specify all their options on the command line and that's fine with me. quequotion (talk) 13:34, 24 January 2017 (UTC)

dnscrypt runs with root privileges

See FS#49881. To work around this, create an unprivileged user manually.

Create the user as follows:

# useradd -r -d /var/dnscrypt -m -s /sbin/nologin dnscrypt

Edit /etc/dnscrypt-proxy.conf, appending the new user:

User dnscrypt
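
To check which of the two launch styles discussed on this page a unit actually uses, and whether the User line in the config file can take effect, the following added example (not part of the talk page or the package) classifies a unit's ExecStart and reads the User directive. The function names, the ".conf" suffix heuristic and the sample files are assumptions made for the illustration.

```shell
# Added example, not ArchWiki or dnscrypt-proxy code; function names are hypothetical.
# Value of "User" in a dnscrypt-proxy.conf-style file; prints nothing if unset.
conf_user() {
    awk '$1 == "User" { u = $2 } END { if (u != "") print u }' "$1"
}

# Last ExecStart= of a unit or drop-in (a leading empty "ExecStart=" reset
# is overwritten by the entry after it). Single-line commands only.
effective_exec() {
    awk '/^[ \t]*ExecStart=/ { sub(/^[ \t]*ExecStart=/, ""); c = $0 }
         END { print c }' "$1"
}

# Prints conf-only | cli-only | mixed | none. Assumption: the config file is
# the argument ending in ".conf"; anything starting with "-" is an option.
launch_mode() {
    conf=0; opts=0
    for arg in $(effective_exec "$1"); do
        case $arg in -*) opts=1 ;; *.conf) conf=1 ;; esac
    done
    case $conf$opts in
        10) echo conf-only ;; 01) echo cli-only ;;
        11) echo mixed ;;     *)  echo none ;;
    esac
}

# audit UNIT CONF: one-line verdict on whether the User setting can apply.
audit() {
    user=$(conf_user "$2")
    case $(launch_mode "$1") in
        conf-only)
            case $user in
                ''|root) echo "warn: config sets no unprivileged User" ;;
                *)       echo "ok: config sets User $user" ;;
            esac ;;
        cli-only) echo "warn: config not loaded, its User line is unused" ;;
        mixed)    echo "warn: config file and options given together" ;;
        *)        echo "warn: neither config file nor options" ;;
    esac
}

# Constructed samples: the two ExecStart forms from the discussion above.
tmp=$(mktemp -d)
printf 'ResolverName dnscrypt.eu-nl\nUser dnscrypt\n' > "$tmp/conf"
printf '[Service]\nExecStart=\nExecStart=/usr/bin/dnscrypt-proxy /etc/dnscrypt-proxy.conf\n' > "$tmp/a"
printf '[Service]\nExecStart=\nExecStart=/usr/bin/dnscrypt-proxy -R short-name.here\n' > "$tmp/b"
audit "$tmp/a" "$tmp/conf"
audit "$tmp/b" "$tmp/conf"
```

The "mixed" verdict covers the case the comments above disagree on: the man page says options are ignored when a configuration file is given, while the observed behaviour reported here is that they override it.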

Backup DNSCrypt resolver - especially with the new configuration file

Usually when setting a DNS resolver you will always have the option to set a second/backup DNS resolver (Android, Windows, NetworkManager, router, whatever).

I think the wiki should cover a way on how to achieve the same with dnscrypt. Especially as some of the dnscrypt resolvers like to go offline every now and then (looking at you dnscrypt.eu-nl).

I have a running setup (which caused me some struggles to achieve that setup) but I have no idea how to replicate it. Especially with the new configuration file which seems like it will only cover one dnscrypt instance?

Right now I have 2x dnscrypt running in systemd and the resolver.conf will choose whichever is online/working.

—This unsigned comment is by Utini2000 (talk) 11:56, 30 December 2016‎. Please sign your posts with ~~~~!

It already describes that: DNSCrypt#Redundant_DNSCrypt_providers -- Lahwaacz (talk) 12:02, 30 December 2016 (UTC)
But this is with the old configuration file, not the new one? Also it seems like this only covers unbound but what about e.g. dnsmasq? —This unsigned comment is by Utini2000 (talk) 16:21, 30 December 2016. Please sign your posts with ~~~~!