fix: send PROXY protocol header to mask unix socket

When mask_unix_sock is configured, mask_proxy_protocol was silently ignored and no PROXY protocol header was sent to the backend. Apply the same header-building logic as the TCP path in both masking relay and TLS fetcher (raw and rustls).
2026-03-01 00:14:55 +03:00 · 2026-03-01 00:14:55 +03:00 · ed93b0a030
parent 2370c8d5e4
commit ed93b0a030
2 changed files with 25 additions and 3 deletions
--- a/src/proxy/masking.rs
+++ b/src/proxy/masking.rs
@ -88,7 +88,29 @@ where
        let connect_result = timeout(MASK_TIMEOUT, UnixStream::connect(sock_path)).await;
        match connect_result {
            Ok(Ok(stream)) => {
-                let (mask_read, mask_write) = stream.into_split();
+                let (mask_read, mut mask_write) = stream.into_split();
+                let proxy_header: Option<Vec<u8>> = match config.censorship.mask_proxy_protocol {
+                    0 => None,
+                    version => {
+                        let header = match version {
+                            2 => ProxyProtocolV2Builder::new().with_addrs(peer, local_addr).build(),
+                            _ => match (peer, local_addr) {
+                                (SocketAddr::V4(src), SocketAddr::V4(dst)) =>
+                                    ProxyProtocolV1Builder::new().tcp4(src.into(), dst.into()).build(),
+                                (SocketAddr::V6(src), SocketAddr::V6(dst)) =>
+                                    ProxyProtocolV1Builder::new().tcp6(src.into(), dst.into()).build(),
+                                _ =>
+                                    ProxyProtocolV1Builder::new().build(),
+                            },
+                        };
+                        Some(header)
+                    }
+                };
+                if let Some(header) = proxy_header {
+                    if mask_write.write_all(&header).await.is_err() {
+                        return;
+                    }
+                }
                if timeout(MASK_RELAY_TIMEOUT, relay_to_mask(reader, writer, mask_read, mask_write, initial_data)).await.is_err() {
                    debug!("Mask relay timed out (unix socket)");
                }
--- a/src/tls_front/fetcher.rs
+++ b/src/tls_front/fetcher.rs
@ -499,7 +499,7 @@ async fn fetch_via_raw_tls(
                    sock = %sock_path,
                    "Raw TLS fetch using mask unix socket"
                );
-                return fetch_via_raw_tls_stream(stream, sni, connect_timeout, 0).await;
+                return fetch_via_raw_tls_stream(stream, sni, connect_timeout, proxy_protocol).await;
            }
            Ok(Err(e)) => {
                warn!(
@ -631,7 +631,7 @@ async fn fetch_via_rustls(
                    sock = %sock_path,
                    "Rustls fetch using mask unix socket"
                );
-                return fetch_via_rustls_stream(stream, host, sni, 0).await;
+                return fetch_via_rustls_stream(stream, host, sni, proxy_protocol).await;
            }
            Ok(Err(e)) => {
                warn!(