From 132841da61b81971e77bceb8fcfd05476ac135be Mon Sep 17 00:00:00 2001 From: lie-must-die Date: Sun, 19 Apr 2026 12:50:26 +0300 Subject: [PATCH] Update FAQ with SNI handling and metrics instructions Added alternative configuration for unknown SNI handling and instructions for viewing metrics. --- docs/FAQ.en.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/FAQ.en.md b/docs/FAQ.en.md index dec93f7..0e55c1f 100644 --- a/docs/FAQ.en.md +++ b/docs/FAQ.en.md @@ -210,6 +210,13 @@ If you need to allow connections with any domains (ignoring SNI mismatches), add unknown_sni_action = "mask" ``` +Alternatively, if you want telemt to behave like a vanilla nginx with `ssl_reject_handshake on;` on unknown SNI (emit a TLS `unrecognized_name` alert and close the connection), use: +```toml +[censorship] +unknown_sni_action = "reject_handshake" +``` +This does not recover stale clients, but it makes port 443 wire-indistinguishable from a stock web server that simply does not host the requested vhost. + ### How to view metrics 1. Open the configuration file: `nano /etc/telemt/telemt.toml`.
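Review bot: The last added sentence, "it makes port 443 wire-indistinguishable from a stock web server", claims more than the paragraph supports. The preceding lines only describe the response to an unknown SNI (a TLS `unrecognized_name` alert followed by a close). Scope the claim to that case, for example "the response to an unknown SNI matches what nginx with `ssl_reject_handshake on;` sends", so readers do not take it as a guarantee about every other observable behaviour of the port. In the same sentence, "stale clients" is not defined in the visible FAQ text. One clause saying what a stale client is and why `"mask"` helps it while `"reject_handshake"` does not would let a reader choose between the two values. Finally, the commit message says metrics instructions were added, but all 7 insertions are in the SNI section and the `### How to view metrics` heading appears only as unchanged context. Either drop that part of the message or include the missing change.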