Merge branch 'master' into AGDNS-2750-find-client

client/src/helpers/filters/filters.ts

@@ -28,6 +28,12 @@ export default {
             "homepage": "https://badmojr.github.io/1Hosts/",
             "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt"
         },
+        "1hosts_pro": {
+            "name": "1Hosts (Pro)",
+            "categoryId": "general",
+            "homepage": "https://badmojr.github.io/1Hosts/",
+            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_64.txt"
+        },
         "CHN_adrules": {
             "name": "CHN: AdRules DNS List",
             "categoryId": "regional",

internal/home/dns.go

@@ -317,13 +317,7 @@ func newDNSTLSConfig(
 		return &dnsforward.TLSConfig{}, nil
 	}
 
-	cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData)
-	if err != nil {
-		return nil, fmt.Errorf("parsing tls key pair: %w", err)
-	}
-
 	dnsConf = &dnsforward.TLSConfig{
-		Cert:           &cert,
 		ServerName:     conf.ServerName,
 		StrictSNICheck: conf.StrictSNICheck,
 	}
@@ -340,6 +334,28 @@ func newDNSTLSConfig(
 		dnsConf.QUICListenAddrs = ipsToUDPAddrs(addrs, conf.PortDNSOverQUIC)
 	}
 
+	cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData)
+	if err != nil {
+		const format = "parsing tls key pair: %w"
+		if conf.AllowUnencryptedDoH {
+			// TODO(s.chzhen):  Use [slog.Logger].
+			log.Info("warning: %s: %s", format, err)
+
+			return dnsConf, nil
+		}
+
+		return nil, fmt.Errorf(format, err)
+	}
+
+	// Unencrypted DoH is managed by AdGuard Home itself, not by dnsproxy.
+	// Therefore, avoid setting the certificate property to prevent dnsproxy
+	// from starting encrypted listeners.  See [dnsforward.Server.prepareTLS].
+	if conf.AllowUnencryptedDoH {
+		return dnsConf, nil
+	}
+
+	dnsConf.Cert = &cert
+
 	return dnsConf, nil
 }