Other HTTP services¶
Tip
In most distributions, the http
module is available from a separate package knot-resolver-module-http
. The module isn’t packaged for openSUSE.
This module does the heavy lifting to provide an HTTP and HTTP/2 enabled server which provides few built-in services and also allows other modules to export restful APIs and websocket streams.
One example is statistics module that can stream live metrics on the website, or publish metrics on request for Prometheus scraper.
By default this module provides two kinds of endpoints, and unlimited number of “used-defined kinds” can be added in configuration.
Kind | Explanation |
webmgmt | built-in web management APIs (includes DoH) |
doh_legacy |
Each network address and port combination can be configured to expose one kind of endpoint. This is done using the same mechanisms as network configuration for plain DNS and DNS-over-TLS, see chapter Networking and protocols for more details.
Warning
Management endpoint (webmgmt
) must not be directly exposed to untrusted parties. Use reverse-proxy like Apache or Nginx if you need to authenticate API clients for the management API.
By default all endpoints share the same configuration for TLS certificates etc. This can be changed using http.config()
configuration call explained below.
Example configuration¶
This section shows how to configure HTTP module itself. For information how to configure HTTP server’s IP addresses and ports please see chapter Networking and protocols.
-- load HTTP module with defaults (self-signed TLS cert)
modules.load('http')
-- optionally load geoIP database for server map
http.config({
geoip = 'GeoLite2-City.mmdb',
-- e.g. https://dev.maxmind.com/geoip/geoip2/geolite2/
-- and install mmdblua library
})
Now you can reach the web services and APIs, done!
$ curl -k https://localhost:8453
$ curl -k https://localhost:8453/stats
HTTPS (TLS for HTTP)¶
By default, the web interface starts HTTPS/2 on specified port using an ephemeral TLS certificate that is valid for 90 days and is automatically renewed. It is of course self-signed. Why not use something like Let’s Encrypt?
Warning
If you use package luaossl < 20181207
, intermediate certificate is not sent to clients, which may cause problems with validating the connection in some cases.
You can disable unencrypted HTTP and enforce HTTPS by passing tls = true
option for all HTTP endpoints:
http.config({
tls = true,
})
It is also possible to provide different configuration for each kind of endpoint, e.g. to enforce TLS and use custom certificate only for DoH:
http.config({
tls = true,
cert = '/etc/knot-resolver/mycert.crt',
key = '/etc/knot-resolver/mykey.key',
}, 'doh_legacy')
The format of both certificate and key is expected to be PEM, e.g. equivalent to the outputs of following:
openssl ecparam -genkey -name prime256v1 -out mykey.key
openssl req -new -key mykey.key -out csr.pem
openssl req -x509 -days 90 -key mykey.key -in csr.pem -out mycert.crt
It is also possible to disable HTTPS altogether by passing tls = false
option. Plain HTTP gets handy if you want to use reverse-proxy like Apache or Nginx for authentication to API etc. (Unencrypted HTTP could be fine for localhost tests as, for example, Safari doesn’t allow WebSockets over HTTPS with a self-signed certificate. Major drawback is that current browsers won’t do HTTP/2 over insecure connection.)
Warning
If you use multiple Knot Resolver instances with these automatically maintained ephemeral certificates, they currently won’t be shared. It’s assumed that you don’t want a self-signed certificate for serious deployments anyway.
Legacy DNS-over-HTTPS (DoH)¶
Warning
The legacy DoH implementation using http
module (kind='doh_legacy'
) is deprecated. It has known performance and stability issues that won’t be fixed. Use new DNS-over-HTTPS (DoH) implementation instead.
This was an experimental implementation of RFC 8484. It can be configured using doh_legacy
kind in net.listen()
. Its configuration (such as certificates) takes place in http.config()
.
Queries were served on /doh
and /dns-query
endpoints.
Built-in services¶
The HTTP module has several built-in services to use.
Endpoint | Service | Description |
---|---|---|
| Statistics/metrics | Exported metrics from Statistics collector in JSON format. |
| Prometheus metrics | Exported metrics for Prometheus. |
| Tracking | Trace resolution of a DNS query and return its debug-level logs. |
| Legacy DNS-over-HTTPS | RFC 8484 endpoint, see Legacy DNS-over-HTTPS (DoH). |
| Legacy DNS-over-HTTPS | RFC 8484 endpoint, see Legacy DNS-over-HTTPS (DoH). |
Dependencies¶
lua-http (>= 0.3) available in LuaRocks
If you’re installing via Homebrew on OS X, you need OpenSSL too.
$ brew update $ brew install openssl $ brew link openssl --force # Override system OpenSSL
Some other systems can install from LuaRocks directly:
$ luarocks --lua-version 5.1 install http
(optional) mmdblua available in LuaRocks
$ luarocks --lua-version 5.1 install --server=https://luarocks.org/dev mmdblua $ curl -O https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz $ gzip -d GeoLite2-City.mmdb.gz