Add dynamic SNI mask target mode

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-12 14:01:44 +03:00 · 2026-06-11 10:36:37 +03:00
parent cd2bb9c8cd
commit db7ff8737c
4 changed files with 37 additions and 18 deletions
--- a/src/config/hot_reload.rs
+++ b/src/config/hot_reload.rs
@@ -620,6 +620,7 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
        || old.censorship.tls_domains != new.censorship.tls_domains
        || old.censorship.tls_fetch_scope != new.censorship.tls_fetch_scope
        || old.censorship.mask != new.censorship.mask
+        || old.censorship.mask_dynamic != new.censorship.mask_dynamic
        || old.censorship.mask_host != new.censorship.mask_host
        || old.censorship.mask_port != new.censorship.mask_port
        || old.censorship.exclusive_mask != new.censorship.exclusive_mask
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -372,6 +372,7 @@ const CENSORSHIP_CONFIG_KEYS: &[&str] = &[
    "tls_fetch_scope",
    "tls_fetch",
    "mask",
+    "mask_dynamic",
    "mask_host",
    "mask_port",
    "exclusive_mask",
@@ -2047,11 +2048,6 @@ impl ProxyConfig {
            *mask_host = normalize_mask_host_to_ascii(mask_host, "censorship.mask_host")?;
        }

-        // Default mask_host to tls_domain if not set and no unix socket configured.
-        if config.censorship.mask_host.is_none() && config.censorship.mask_unix_sock.is_none() {
-            config.censorship.mask_host = Some(config.censorship.tls_domain.clone());
-        }
-
        for (domain, target) in &config.censorship.exclusive_mask {
            if !is_valid_tls_domain_name(domain) {
                return Err(ProxyError::Config(format!(
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -1726,6 +1726,10 @@ pub struct AntiCensorshipConfig {
    #[serde(default = "default_true")]
    pub mask: bool,

+    /// Use the ClientHello SNI as the mask TCP target for configured TLS domains.
+    #[serde(default = "default_true")]
+    pub mask_dynamic: bool,
+
    #[serde(default)]
    pub mask_host: Option<String>,

@@ -1861,6 +1865,7 @@ impl Default for AntiCensorshipConfig {
            tls_fetch_scope: default_tls_fetch_scope(),
            tls_fetch: TlsFetchConfig::default(),
            mask: default_true(),
+            mask_dynamic: default_true(),
            mask_host: None,
            mask_port: default_mask_port(),
            exclusive_mask: HashMap::new(),