Run as non-root user, Fix acl hot reload

Seji64 · Mar 20, 2024 · f2c153b · f2c153b
1 parent 59da3d4
commit f2c153b
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 9 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -60,10 +60,16 @@ COPY configs/sniproxy/config.yaml /etc/sniproxy/config.yaml
 COPY entrypoint.sh /entrypoint.sh
 COPY generateACL.sh /generateACL.sh
 COPY dynDNSCron.sh /dynDNSCron.sh
-RUN chown -R dnsdist:dnsdist /etc/dnsdist/ && \
+
+RUN addgroup snidust && adduser -D -H -G snidust snidust
+
+RUN chown -R snidust:snidust /etc/dnsdist/ && \
+    chown -R snidust:snidust /etc/sniproxy/ && \
     chmod +x /entrypoint.sh && \
     chmod +x /generateACL.sh && \
     chmod +x dynDNSCron.sh
 
+USER snidust
+
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ["/bin/bash", "/entrypoint.sh"]
diff --git a/configs/dnsdist/conf.d/00-SniDust.conf b/configs/dnsdist/conf.d/00-SniDust.conf
@@ -57,6 +57,7 @@ function ReloadACL(dq)
     dq.dh:setQR(true)
 
     infolog("[INFO] [SniDust] *** Reloading ACL... ***")
+    os.execute("/generateACL.sh && touch /tmp/reload_sni_proxy && PID_SNIPROXY=$(pidof sniproxy) && kill -HUP $PID_SNIPROXY")
     setACLFromFile("/etc/dnsdist/allowedClients.acl")
     infolog("[INFO] [SniDust] *** ACL reload complete! ***")
 

diff --git a/configs/sniproxy/config.yaml b/configs/sniproxy/config.yaml
@@ -5,8 +5,8 @@ general:
   upstream_dns_over_socks5: false
   # Use a SOCKS proxy for upstream HTTP/HTTPS traffic. Example: socks5://admin:
   upstream_socks5:
-  # DNS Port to listen on. Should remain 53 in most cases. MUST NOT be empty
-  bind_dns_over_udp: "0.0.0.0:53"
+  # DNS Port to listen on. Should remain 53 in most cases. MUST NOT be empty. Bind to dummy Port cause we use dnsdist
+  bind_dns_over_udp: "127.0.0.1:1234"
   # enable DNS over TCP. empty disables it. example: "127.0.0.1:53"
   bind_dns_over_tcp:
   # enable DNS over TLS. empty disables it. example: "127.0.0.1:853"
@@ -59,8 +59,8 @@ acl:
     priority: 10
     # Path to the CIDR list. eg: /tmp/cidr.csv. Look at the example file for the format.
     path: /etc/sniproxy/allowedClients.acl
-    # Interval to re-fetch the domain list
-    refresh_interval: 0h1m0s
+    # Interval to re-fetch the cidr list
+    refresh_interval: 1h0m0s
   # FQDN override. This ACL is used to override the destination IP to not be the one resolved by the upstream DNS or the proxy itself, rather a custom IP and port
   # if the destination is HTTP, it uses tls_cert and tls_key certificate to terminate the original connection. 
   override:

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -34,13 +34,12 @@ echo "[INFO] Generating DNSDist Configs..."
 if [ "$DYNDNS_CRON_ENABLED" = true ];
 then
   echo "[INFO] DynDNS Address in ALLOWED_CLIENTS detected => Enable cron job"
-  echo "$DNYDNS_CRON_SCHEDULE /bin/bash /dynDNSCron.sh" > /etc/crontabs/root
+  echo "$DNYDNS_CRON_SCHEDULE /bin/bash /dynDNSCron.sh" > /etc/crontabs/snidust
   crond -f &
 fi
 
 echo "[INFO] Starting DNSDist..."
-chown -R dnsdist:dnsdist /etc/dnsdist/
-/usr/bin/dnsdist -C /etc/dnsdist/dnsdist.conf --supervised --disable-syslog --uid dnsdist --gid dnsdist &
+/usr/bin/dnsdist -C /etc/dnsdist/dnsdist.conf --supervised --disable-syslog --uid snidust --gid snidust &
 
 echo "[INFO] Starting sniproxy"
 (until /usr/local/bin/sniproxy --config "/etc/sniproxy/config.yaml"; do

diff --git a/generateACL.sh b/generateACL.sh
@@ -6,7 +6,7 @@ if [ -n "${ALLOWED_CLIENTS_FILE}" ];
 then
   if [ -f "${ALLOWED_CLIENTS_FILE}" ];
   then
-    cat "$ALLOWED_CLIENTS_FILE" >> /etc/dnsdist/allowedClients.acl
+    cat "$ALLOWED_CLIENTS_FILE" > /etc/dnsdist/allowedClients.acl
   else
     echo "[ERROR] ALLOWED_CLIENTS_FILE is set but file does not exists or is not accessible!"
   fi