MRU Search + Runtime user snapshot + Ordered candidate auth + Sticky hints + Overload Budgets

2026-04-18 19:14:09 +03:00 · 2026-04-06 15:02:52 +03:00
parent a14f8b14d2
commit 8d865a980c
5 changed files with 1074 additions and 86 deletions
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -4,6 +4,7 @@ use std::collections::{BTreeSet, HashMap, HashSet};
 use std::hash::{DefaultHasher, Hash, Hasher};
 use std::net::{IpAddr, SocketAddr};
 use std::path::{Path, PathBuf};
+use std::sync::Arc;

 use rand::RngExt;
 use serde::{Deserialize, Serialize};
@@ -15,6 +16,8 @@ use crate::error::{ProxyError, Result};
 use super::defaults::*;
 use super::types::*;

+const ACCESS_SECRET_BYTES: usize = 16;
+
 #[derive(Debug, Clone)]
 pub(crate) struct LoadedConfig {
    pub(crate) config: ProxyConfig,
@@ -22,6 +25,104 @@ pub(crate) struct LoadedConfig {
    pub(crate) rendered_hash: u64,
 }

+/// Precomputed, immutable user authentication data used by handshake hot paths.
+#[derive(Debug, Clone, Default)]
+pub(crate) struct UserAuthSnapshot {
+    entries: Vec<UserAuthEntry>,
+    by_name: HashMap<String, u32>,
+    sni_index: HashMap<u64, Vec<u32>>,
+    sni_initial_index: HashMap<u8, Vec<u32>>,
+}
+
+#[derive(Debug, Clone)]
+pub(crate) struct UserAuthEntry {
+    pub(crate) user: String,
+    pub(crate) secret: [u8; ACCESS_SECRET_BYTES],
+}
+
+impl UserAuthSnapshot {
+    fn from_users(users: &HashMap<String, String>) -> Result<Self> {
+        let mut entries = Vec::with_capacity(users.len());
+        let mut by_name = HashMap::with_capacity(users.len());
+        let mut sni_index = HashMap::with_capacity(users.len());
+        let mut sni_initial_index = HashMap::with_capacity(users.len());
+
+        for (user, secret_hex) in users {
+            let decoded = hex::decode(secret_hex).map_err(|_| ProxyError::InvalidSecret {
+                user: user.clone(),
+                reason: "Must be 32 hex characters".to_string(),
+            })?;
+            if decoded.len() != ACCESS_SECRET_BYTES {
+                return Err(ProxyError::InvalidSecret {
+                    user: user.clone(),
+                    reason: "Must be 32 hex characters".to_string(),
+                });
+            }
+
+            let user_id = u32::try_from(entries.len()).map_err(|_| {
+                ProxyError::Config("Too many users for runtime auth snapshot".to_string())
+            })?;
+
+            let mut secret = [0u8; ACCESS_SECRET_BYTES];
+            secret.copy_from_slice(&decoded);
+            entries.push(UserAuthEntry {
+                user: user.clone(),
+                secret,
+            });
+            by_name.insert(user.clone(), user_id);
+            sni_index
+                .entry(Self::sni_lookup_hash(user))
+                .or_insert_with(Vec::new)
+                .push(user_id);
+            if let Some(initial) = user.as_bytes().first().map(|byte| byte.to_ascii_lowercase()) {
+                sni_initial_index
+                    .entry(initial)
+                    .or_insert_with(Vec::new)
+                    .push(user_id);
+            }
+        }
+
+        Ok(Self {
+            entries,
+            by_name,
+            sni_index,
+            sni_initial_index,
+        })
+    }
+
+    pub(crate) fn entries(&self) -> &[UserAuthEntry] {
+        &self.entries
+    }
+
+    pub(crate) fn user_id_by_name(&self, user: &str) -> Option<u32> {
+        self.by_name.get(user).copied()
+    }
+
+    pub(crate) fn entry_by_id(&self, user_id: u32) -> Option<&UserAuthEntry> {
+        let idx = usize::try_from(user_id).ok()?;
+        self.entries.get(idx)
+    }
+
+    pub(crate) fn sni_candidates(&self, sni: &str) -> Option<&[u32]> {
+        self.sni_index
+            .get(&Self::sni_lookup_hash(sni))
+            .map(Vec::as_slice)
+    }
+
+    pub(crate) fn sni_initial_candidates(&self, sni: &str) -> Option<&[u32]> {
+        let initial = sni.as_bytes().first().map(|byte| byte.to_ascii_lowercase())?;
+        self.sni_initial_index.get(&initial).map(Vec::as_slice)
+    }
+
+    fn sni_lookup_hash(value: &str) -> u64 {
+        let mut hasher = DefaultHasher::new();
+        for byte in value.bytes() {
+            hasher.write_u8(byte.to_ascii_lowercase());
+        }
+        hasher.finish()
+    }
+}
+
 fn normalize_config_path(path: &Path) -> PathBuf {
    path.canonicalize().unwrap_or_else(|_| {
        if path.is_absolute() {
@@ -196,6 +297,10 @@ pub struct ProxyConfig {
    /// If not set, defaults to 2 (matching Telegram's official `default 2;` in proxy-multi.conf).
    #[serde(default)]
    pub default_dc: Option<u8>,
+
+    /// Precomputed authentication snapshot for handshake hot paths.
+    #[serde(skip)]
+    pub(crate) runtime_user_auth: Option<Arc<UserAuthSnapshot>>,
 }

 impl ProxyConfig {
@@ -1164,6 +1269,7 @@ impl ProxyConfig {
            .or_insert_with(|| vec!["91.105.192.100:443".to_string()]);

        validate_upstreams(&config)?;
+        config.rebuild_runtime_user_auth()?;

        Ok(LoadedConfig {
            config,
@@ -1172,6 +1278,16 @@ impl ProxyConfig {
        })
    }

+    pub(crate) fn rebuild_runtime_user_auth(&mut self) -> Result<()> {
+        let snapshot = UserAuthSnapshot::from_users(&self.access.users)?;
+        self.runtime_user_auth = Some(Arc::new(snapshot));
+        Ok(())
+    }
+
+    pub(crate) fn runtime_user_auth(&self) -> Option<&UserAuthSnapshot> {
+        self.runtime_user_auth.as_deref()
+    }
+
    pub fn validate(&self) -> Result<()> {
        if self.access.users.is_empty() {
            return Err(ProxyError::Config("No users configured".to_string()));