🐛 修复卡死的问题

catusax · catusax · commit c10b0749c973 · 2020-11-06T13:28:30.000+08:00
使用两个容器提高可用性，去掉nginx缓存
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,6 +14,19 @@ services:
     labels:
       - "autoheal=true"
 
+  overture2:
+    restart: always
+    image: coolrc/overture
+    volumes:
+      - ./config:/overture
+    healthcheck:
+      test: dig @127.0.0.1 -p 5353 www.google.com || exit 1
+      interval: 30s
+      timeout: 2s
+      retries: 3
+    labels:
+      - "autoheal=true"
+
   doh:
     restart: always
     image: satishweb/doh-server
diff --git a/doh-server.conf b/doh-server.conf
@@ -33,13 +33,14 @@ path = "/dns-query"
 # For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection.
 upstream = [
     "udp:overture:5353",
+    "udp:overture2:5353",
 ]
 
 # Upstream timeout
-timeout = 60
+timeout = 5
 
 # Number of tries if upstream DNS fails
-tries = 10
+tries = 3
 
 # Enable logging
 verbose = false
diff --git a/nginx.conf b/nginx.conf
@@ -16,7 +16,7 @@ stream {
   upstream dns {
     zone dns 64k;
     server overture:5353;
-#	server overture2:5353;
+	server overture2:5353;
   }
 
   # DNS(TCP) and DNS over TLS (DoT) Server
@@ -39,18 +39,33 @@ http {
   }
   access_log off; 
   # Proxy Cache storage - so we can cache the DoH response from the upstream
-  proxy_cache_path /var/run/doh_cache levels=1:2 keys_zone=doh_cache:10m;
   server{
     # Listen on standard HTTPS port, and accept HTTP2, with SSL termination
     listen 443 ssl http2;
     server_name  dns.coolrc.top;
+    server_tokens off;
+
+    ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.13.0
+  	ssl_prefer_server_ciphers on;
+  	ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+
+  	ssl_ecdh_curve secp384r1;               # Requires nginx >= 1.1.0
+  	ssl_session_timeout  10m;
+  	ssl_session_cache shared:SSL:10m;
+  	ssl_session_tickets off;                # Requires nginx >= 1.5.9
+  	ssl_stapling on;                        # Requires nginx >= 1.3.7
+  	ssl_stapling_verify on;                 # Requires nginx => 1.3.7
+  	ssl_early_data off;                     # 0-RTT, enable if desired - Requires nginx >= 1.15.4
+    resolver overture:5353 valid=300s;
+
     ssl_certificate /ssl/fullchain.pem;
     ssl_certificate_key /ssl/privkey.pem;
-    ssl_session_cache shared:ssl_cache:10m;
-    ssl_session_timeout 10m;
 
-    # DoH may use GET or POST requests, Cache both
-    proxy_cache_methods GET POST;
+  	# HTTP Security Headers
+  	add_header X-Frame-Options DENY;
+  	add_header X-Content-Type-Options nosniff;
+  	add_header X-XSS-Protection "1; mode=block";
+  	add_header Strict-Transport-Security "max-age=63072000";
 
     # Return 404 to all responses, except for those using our published DoH URI
     location / {
@@ -65,9 +80,6 @@ http {
         proxy_http_version 1.1;
         proxy_set_header Connection "";
 
-        # Enable Cache, and set the cache_key to include the request_body
-        proxy_cache doh_cache;
-        proxy_cache_key $scheme$proxy_host$uri$is_args$args$request_body;
         proxy_pass       http://dohsrv/dns-query;
         proxy_set_header Host      $host;
         proxy_set_header X-Real-IP $remote_addr;
