default.conf

##
# Individual DoH server entries, one server per resolver.
# These establish proxy ports that the upstream resolvers
# can be reached via.
##
server {
  listen 8001 default_server;
  server_name _;
  location / {
    proxy_pass https://dns.google;
    add_header X-Resolved-By $upstream_addr always;
  }
}

server {
  listen 8002 default_server;
  server_name _;
  location / {
    proxy_pass https://cloudflare-dns.com;
    add_header X-Resolved-By $upstream_addr always;
  }
}

server {
  listen 8003 default_server;
  server_name _;
  location / {
    proxy_pass https://doh.opendns.com;
    add_header X-Resolved-By $upstream_addr always;
  }
}

server {
  listen 8004 default_server;
  server_name _;
  location / {
    proxy_pass https://doh.42l.fr/dns-query;
    add_header X-Resolved-By $upstream_addr always;
  }
}

##
# Aggregate our resolver proxies into a single upstream
##
upstream dohproviders {
  server 127.0.0.1:8001;
  server 127.0.0.1:8002;
  server 127.0.0.1:8003;
  server 127.0.0.1:8004;
}

server {
  listen [::]:443 ssl http2 ipv6only=on;
  listen 443 ssl http2;
  server_name _;
  # Changeme: if you put your static site root elsewhere, change that here
  root /srv/proxy_static;

  ##
  # SSL Configuration
  # Changme: you'll need to change these to reflect your actual cert and key location
  ##
  ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

  # not all of these are compatible with all nginx versions
  # sourced from https://cipherli.st/
  ssl_protocols TLSv1.3 TLSv1.2; # Requires nginx >= 1.13.0 else use TLSv1.2
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/dhparam.pem;
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
  ssl_session_timeout 10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off; # Requires nginx >= 1.5.9
  ssl_stapling on; # Requires nginx >= 1.3.7
  ssl_stapling_verify on; # Requires nginx => 1.3.7
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";

  ##
  # Actual DNS endpoint
  ##
  location /dns-query {
    proxy_pass http://dohproviders;
  }

  ##
  # Secondary ".well-known" endpoint
  ##
  location /.well-known/dns-query {
    rewrite ^/\.well-known/(.*) /$1 break;
    proxy_pass http://dohproviders;
  }

  ##
  # Default greeting page for web browsers
  ##
  location / {
    index index.html;
  }
}

##
# HTTP => HTTPS redirect
##
server {
  listen 80 default_server;
  server_name _;
  return 301 https://$host$request_uri;
}