From ed93b0a030623b2fda179fc1a02c69c9800dae78 Mon Sep 17 00:00:00 2001
From: ivulit
Date: Sun, 1 Mar 2026 00:14:55 +0300
Subject: [PATCH] fix: send PROXY protocol header to mask unix socket

When mask_unix_sock is configured, mask_proxy_protocol was silently ignored and no PROXY protocol header was sent to the backend. Apply the same header-building logic as the TCP path in both masking relay and TLS fetcher (raw and rustls).
---
 src/proxy/masking.rs | 24 +++++++++++++++++++++++-
 src/tls_front/fetcher.rs | 4 ++--
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/src/proxy/masking.rs b/src/proxy/masking.rs
index b1e69d4..318071b 100644
--- a/src/proxy/masking.rs
+++ b/src/proxy/masking.rs
@@ -88,7 +88,29 @@ where
 let connect_result = timeout(MASK_TIMEOUT, UnixStream::connect(sock_path)).await;
 match connect_result {
 Ok(Ok(stream)) => {
- let (mask_read, mask_write) = stream.into_split();
+ let (mask_read, mut mask_write) = stream.into_split();
+ let proxy_header: Option> = match config.censorship.mask_proxy_protocol {
+ 0 => None,
+ version => {
+ let header = match version {
+ 2 => ProxyProtocolV2Builder::new().with_addrs(peer, local_addr).build(),
+ _ => match (peer, local_addr) {
+ (SocketAddr::V4(src), SocketAddr::V4(dst)) =>
+ ProxyProtocolV1Builder::new().tcp4(src.into(), dst.into()).build(),
+ (SocketAddr::V6(src), SocketAddr::V6(dst)) =>
+ ProxyProtocolV1Builder::new().tcp6(src.into(), dst.into()).build(),
+ _ =>
+ ProxyProtocolV1Builder::new().build(),
+ },
+ };
+ Some(header)
+ }
+ };
+ if let Some(header) = proxy_header {
+ if mask_write.write_all(&header).await.is_err() {
+ return;
+ }
+ }
 if timeout(MASK_RELAY_TIMEOUT, relay_to_mask(reader, writer, mask_read, mask_write, initial_data)).await.is_err() {
 debug!("Mask relay timed out (unix socket)");
 }
diff --git a/src/tls_front/fetcher.rs b/src/tls_front/fetcher.rs
index 1731cdc..4d9067c 100644
--- a/src/tls_front/fetcher.rs
+++ b/src/tls_front/fetcher.rs
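Review bot: In src/proxy/masking.rs the new `mask_write.write_all(&header).await` is the only await on the unix-socket path that sits outside a timeout (the connect is bounded by MASK_TIMEOUT, the relay by MASK_RELAY_TIMEOUT), and on failure it returns with no log line, so a backend that stalls or closes on the header leaves no trace. I would bound and log it: `if !matches!(timeout(MASK_TIMEOUT, mask_write.write_all(&header)).await, Ok(Ok(()))) { debug!("Failed to write PROXY header to mask unix socket"); return; }`. The mixed-family arm `_ => ProxyProtocolV1Builder::new().build()` presumably emits a header without addresses, in which case the backend's access log and any address-based rules lose the client IP for those connections; a one-line comment saying this is intended would help. The enclosing function begins and ends outside this hunk.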
@@ -499,7 +499,7 @@ async fn fetch_via_raw_tls(
 sock = %sock_path,
 "Raw TLS fetch using mask unix socket"
 );
- return fetch_via_raw_tls_stream(stream, sni, connect_timeout, 0).await;
+ return fetch_via_raw_tls_stream(stream, sni, connect_timeout, proxy_protocol).await;
 }
 Ok(Err(e)) => {
 warn!(
@@ -631,7 +631,7 @@ async fn fetch_via_rustls(
 sock = %sock_path,
 "Rustls fetch using mask unix socket"
 );
- return fetch_via_rustls_stream(stream, host, sni, 0).await;
+ return fetch_via_rustls_stream(stream, host, sni, proxy_protocol).await;
 }
 Ok(Err(e)) => {
 warn!(
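Review bot: The unix-socket returns in `fetch_via_raw_tls` and `fetch_via_rustls` now pass `proxy_protocol` with nothing at the call site saying why the old literal `0` was wrong, and that reason only lives in the commit message. A short comment on each would keep it from being "simplified" back, for example `// The mask backend parses a PROXY header on this socket too; passing 0 here made the fetch diverge from the relay path.` `proxy_protocol` is defined outside both hunks, so it is not visible here which addresses the stream helpers write when the transport is a unix socket with no client peer. If they send an address-less header, the backend will presumably log these fetches differently from relayed clients, which is worth stating in the same comment. Both functions continue outside the hunks.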