mirror of
https://github.com/telemt/telemt.git
synced 2026-06-30 14:51:09 +03:00
Compare commits
14 Commits
0b580eccd3
...
3fefcdd11f
| Author | SHA1 | Date | |
|---|---|---|---|
 Alexey
|
3fefcdd11f | ||
|
Alexey
|
57dca639f0 | ||
|
Alexey
|
13f86062f4 | ||
|
Alexey
|
8267149b53 | ||
|
Alexey
|
30fab00bfd | ||
|
Vladislav Yaroslavlev
|
abff2fd7fe | ||
|
Alexey
|
5f5a3e3fa0 | ||
|
Alexey
|
f9e54ee739 | ||
|
Roman
|
d477d6ee29 | ||
|
TWRoman
|
1383dfcbb1 | ||
|
Artymediys
|
107a7cc758 | ||
|
Artymediys
|
4f3193fdaa | ||
|
Artymediys
|
d6be691c67 | ||
|
Artymediys
|
0b0be07a9c |
@@ -25,6 +25,7 @@ curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
|
||||
- [Quick Start Guide](docs/Quick_start/QUICK_START_GUIDE.en.md)
|
||||
- [Инструкция по быстрому запуску](docs/Quick_start/QUICK_START_GUIDE.ru.md)
|
||||
|
||||
## Features
|
||||
Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**: we are confident we have it right - [see evidence on our validation and traces](docs/FAQ.en.md#recognizability-for-dpi-and-crawler)
|
||||
|
||||
Our ***Middle-End Pool*** is fastest by design in standard scenarios, compared to other implementations of connecting to the Middle-End Proxy: non dramatically, but usual
|
||||
|
||||
@@ -54,7 +54,6 @@ curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
|
||||
- [FAQ EN](docs/FAQ.en.md)
|
||||
|
||||
## Сборка
|
||||
|
||||
```bash
|
||||
# Клонируйте репозиторий
|
||||
git clone https://github.com/telemt/telemt
|
||||
@@ -63,7 +62,6 @@ cd telemt
|
||||
# Начните процесс сборки
|
||||
cargo build --release
|
||||
|
||||
# Устройства с небольшим объёмом оперативной памяти (1 ГБ, например NanoPi Neo3 / Raspberry Pi Zero 2):
|
||||
# В текущем release-профиле используется lto = "fat" для максимальной оптимизации (см. Cargo.toml).
|
||||
# На системах с малым объёмом RAM (~1 ГБ) можно переопределить это значение на "thin".
|
||||
|
||||
|
||||
+8
-5
@@ -32,13 +32,13 @@ show = "*"
|
||||
port = 443
|
||||
# proxy_protocol = false # Enable if behind HAProxy/nginx with PROXY protocol
|
||||
# metrics_port = 9090
|
||||
# metrics_listen = "0.0.0.0:9090" # Listen address for metrics (overrides metrics_port)
|
||||
# metrics_whitelist = ["127.0.0.1", "::1", "0.0.0.0/0"]
|
||||
# metrics_listen = "127.0.0.1:9090" # Listen address for metrics (overrides metrics_port)
|
||||
# metrics_whitelist = ["127.0.0.1/32", "::1/128"]
|
||||
|
||||
[server.api]
|
||||
enabled = true
|
||||
listen = "0.0.0.0:9091"
|
||||
whitelist = ["127.0.0.0/8"]
|
||||
listen = "127.0.0.1:9091"
|
||||
whitelist = ["127.0.0.1/32", "::1/128"]
|
||||
minimal_runtime_enabled = false
|
||||
minimal_runtime_cache_ttl_ms = 1000
|
||||
|
||||
@@ -48,9 +48,12 @@ ip = "0.0.0.0"
|
||||
|
||||
# === Anti-Censorship & Masking ===
|
||||
[censorship]
|
||||
# Fake-TLS / SNI masking domain used in generated ee-links.
|
||||
# Changing tls_domain invalidates previously generated TLS links.
|
||||
tls_domain = "petrovich.ru"
|
||||
|
||||
mask = true
|
||||
tls_emulation = true # Fetch real cert lengths and emulate TLS records
|
||||
tls_emulation = true # Fetch real cert lengths and emulate TLS records
|
||||
tls_front_dir = "tlsfront" # Cache directory for TLS emulation
|
||||
|
||||
[access.users]
|
||||
|
||||
@@ -9,12 +9,12 @@ API runtime is configured in `[server.api]`.
|
||||
|
||||
| Field | Type | Default | Description |
|
||||
| --- | --- | --- | --- |
|
||||
| `enabled` | `bool` | `false` | Enables REST API listener. |
|
||||
| `listen` | `string` (`IP:PORT`) | `127.0.0.1:9091` | API bind address. |
|
||||
| `whitelist` | `CIDR[]` | `127.0.0.1/32, ::1/128` | Source IP allowlist. Empty list means allow all. |
|
||||
| `enabled` | `bool` | `true` | Enables REST API listener. |
|
||||
| `listen` | `string` (`IP:PORT`) | `0.0.0.0:9091` | API bind address. |
|
||||
| `whitelist` | `CIDR[]` | `127.0.0.0/8` | Source IP allowlist. Empty list means allow all. |
|
||||
| `auth_header` | `string` | `""` | Exact value for `Authorization` header. Empty disables header auth. |
|
||||
| `request_body_limit_bytes` | `usize` | `65536` | Maximum request body size. Must be `> 0`. |
|
||||
| `minimal_runtime_enabled` | `bool` | `false` | Enables runtime snapshot endpoints requiring ME pool read-lock aggregation. |
|
||||
| `minimal_runtime_enabled` | `bool` | `true` | Enables runtime snapshot endpoints requiring ME pool read-lock aggregation. |
|
||||
| `minimal_runtime_cache_ttl_ms` | `u64` | `1000` | Cache TTL for minimal snapshots. `0` disables cache; valid range is `[0, 60000]`. |
|
||||
| `runtime_edge_enabled` | `bool` | `false` | Enables runtime edge endpoints with cached aggregation payloads. |
|
||||
| `runtime_edge_cache_ttl_ms` | `u64` | `1000` | Cache TTL for runtime edge summary payloads. `0` disables cache. |
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
+3072
-3331
File diff suppressed because it is too large
Load Diff
@@ -27,7 +27,8 @@ cargo build --release
|
||||
./target/release/telemt --version
|
||||
```
|
||||
|
||||
For low-RAM systems, this repository already uses `lto = "thin"` in release profile.
|
||||
For low-RAM systems, note that this repository currently uses `lto = "fat"` in release profile.
|
||||
On constrained builders, a local override to `lto = "thin"` may be more practical.
|
||||
|
||||
## 3. Install binary and config
|
||||
|
||||
|
||||
@@ -110,15 +110,15 @@ show = "*"
|
||||
# === Server Binding ===
|
||||
[server]
|
||||
port = 443
|
||||
# proxy_protocol = false # Enable if behind HAProxy/nginx with PROXY protocol
|
||||
# proxy_protocol = false # Enable if behind HAProxy/nginx with PROXY protocol
|
||||
# metrics_port = 9090
|
||||
# metrics_listen = "0.0.0.0:9090" # Listen address for metrics (overrides metrics_port)
|
||||
# metrics_whitelist = ["127.0.0.1", "::1", "0.0.0.0/0"]
|
||||
# metrics_listen = "127.0.0.1:9090" # Listen address for metrics (overrides metrics_port)
|
||||
# metrics_whitelist = ["127.0.0.1/32", "::1/128"]
|
||||
|
||||
[server.api]
|
||||
enabled = true
|
||||
listen = "0.0.0.0:9091"
|
||||
whitelist = ["127.0.0.0/8"]
|
||||
listen = "127.0.0.1:9091"
|
||||
whitelist = ["127.0.0.1/32", "::1/128"]
|
||||
minimal_runtime_enabled = false
|
||||
minimal_runtime_cache_ttl_ms = 1000
|
||||
|
||||
@@ -128,9 +128,9 @@ ip = "0.0.0.0"
|
||||
|
||||
# === Anti-Censorship & Masking ===
|
||||
[censorship]
|
||||
tls_domain = "petrovich.ru"
|
||||
tls_domain = "petrovich.ru" # Fake-TLS / SNI masking domain used in generated ee-links
|
||||
mask = true
|
||||
tls_emulation = true # Fetch real cert lengths and emulate TLS records
|
||||
tls_emulation = true # Fetch real cert lengths and emulate TLS records
|
||||
tls_front_dir = "tlsfront" # Cache directory for TLS emulation
|
||||
|
||||
[access.users]
|
||||
@@ -141,9 +141,9 @@ hello = "00000000000000000000000000000000"
|
||||
then Ctrl+S -> Ctrl+X to save
|
||||
|
||||
> [!WARNING]
|
||||
> Replace the value of the hello parameter with the value you obtained in step 0.
|
||||
> Additionally, change the value of the tls_domain parameter to a different website.
|
||||
> Changing the tls_domain parameter will break all links that use the old domain!
|
||||
> Replace the value of the `hello` parameter with the value you obtained in step 0.
|
||||
> Additionally, change the value of the `tls_domain` parameter to a different website.
|
||||
> Changing the `tls_domain` parameter will break all links that use the old domain!
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -103,22 +103,22 @@ tls = true
|
||||
[general.links]
|
||||
show = "*"
|
||||
# show = ["alice", "bob"] # Показывать ссылки только для alice и bob
|
||||
# show = "*" # Показывать ссылки для всех пользователей
|
||||
# public_host = "proxy.example.com" # Хост (IP-адрес или домен) для ссылок tg://
|
||||
# public_port = 443 # Порт для ссылок tg:// (по умолчанию: server.port)
|
||||
# show = "*" # Показывать ссылки для всех пользователей
|
||||
# public_host = "proxy.example.com" # Хост (IP-адрес или домен) для ссылок tg://
|
||||
# public_port = 443 # Порт для ссылок tg:// (по умолчанию: server.port)
|
||||
|
||||
# === Привязка сервера ===
|
||||
[server]
|
||||
port = 443
|
||||
# proxy_protocol = false # Включите, если сервер находится за HAProxy/nginx с протоколом PROXY
|
||||
# proxy_protocol = false # Включите, если сервер находится за HAProxy/nginx с протоколом PROXY
|
||||
# metrics_port = 9090
|
||||
# metrics_listen = "0.0.0.0:9090" # Адрес прослушивания для метрик (переопределяет metrics_port)
|
||||
# metrics_whitelist = ["127.0.0.1", "::1", "0.0.0.0/0"]
|
||||
# metrics_listen = "127.0.0.1:9090" # Адрес прослушивания для метрик (переопределяет metrics_port)
|
||||
# metrics_whitelist = ["127.0.0.1/32", "::1/128"]
|
||||
|
||||
[server.api]
|
||||
enabled = true
|
||||
listen = "0.0.0.0:9091"
|
||||
whitelist = ["127.0.0.0/8"]
|
||||
listen = "127.0.0.1:9091"
|
||||
whitelist = ["127.0.0.1/32", "::1/128"]
|
||||
minimal_runtime_enabled = false
|
||||
minimal_runtime_cache_ttl_ms = 1000
|
||||
|
||||
@@ -128,9 +128,9 @@ ip = "0.0.0.0"
|
||||
|
||||
# === Обход блокировок и маскировка ===
|
||||
[censorship]
|
||||
tls_domain = "petrovich.ru"
|
||||
tls_domain = "petrovich.ru" # Домен Fake-TLS / SNI, который будет использоваться в сгенерированных ee-ссылках
|
||||
mask = true
|
||||
tls_emulation = true # Получить реальную длину сертификата и эмулировать запись TLS
|
||||
tls_emulation = true # Получить реальную длину сертификата и эмулировать запись TLS
|
||||
tls_front_dir = "tlsfront" # Директория кэша для эмуляции TLS
|
||||
|
||||
[access.users]
|
||||
@@ -141,9 +141,9 @@ hello = "00000000000000000000000000000000"
|
||||
Затем нажмите Ctrl+S -> Ctrl+X, чтобы сохранить
|
||||
|
||||
> [!WARNING]
|
||||
> Замените значение параметра hello на значение, которое вы получили в пункте 0.
|
||||
> Так же замените значение параметра tls_domain на другой сайт.
|
||||
> Изменение параметра tls_domain сделает нерабочими все ссылки, использующие старый домен!
|
||||
> Замените значение параметра `hello` на значение, которое вы получили в пункте 0.
|
||||
> Так же замените значение параметра `tls_domain` на другой сайт.
|
||||
> Изменение параметра `tls_domain` сделает нерабочими все ссылки, использующие старый домен!
|
||||
|
||||
---
|
||||
|
||||
|
||||
+26
-11
@@ -1,6 +1,6 @@
|
||||
#![allow(clippy::too_many_arguments)]
|
||||
|
||||
use std::convert::Infallible;
|
||||
use std::io::{Error as IoError, ErrorKind};
|
||||
use std::net::{IpAddr, SocketAddr};
|
||||
use std::path::PathBuf;
|
||||
use std::sync::Arc;
|
||||
@@ -16,7 +16,7 @@ use tokio::net::TcpListener;
|
||||
use tokio::sync::{Mutex, RwLock, watch};
|
||||
use tracing::{debug, info, warn};
|
||||
|
||||
use crate::config::ProxyConfig;
|
||||
use crate::config::{ApiGrayAction, ProxyConfig};
|
||||
use crate::ip_tracker::UserIpTracker;
|
||||
use crate::proxy::route_mode::RouteRuntimeController;
|
||||
use crate::startup::StartupTracker;
|
||||
@@ -184,7 +184,9 @@ pub async fn serve(
|
||||
.serve_connection(hyper_util::rt::TokioIo::new(stream), svc)
|
||||
.await
|
||||
{
|
||||
debug!(error = %error, "API connection error");
|
||||
if !error.is_user() {
|
||||
debug!(error = %error, "API connection error");
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
@@ -195,7 +197,7 @@ async fn handle(
|
||||
peer: SocketAddr,
|
||||
shared: Arc<ApiShared>,
|
||||
config_rx: watch::Receiver<Arc<ProxyConfig>>,
|
||||
) -> Result<Response<Full<Bytes>>, Infallible> {
|
||||
) -> Result<Response<Full<Bytes>>, IoError> {
|
||||
let request_id = shared.next_request_id();
|
||||
let cfg = config_rx.borrow().clone();
|
||||
let api_cfg = &cfg.server.api;
|
||||
@@ -213,14 +215,27 @@ async fn handle(
|
||||
|
||||
if !api_cfg.whitelist.is_empty() && !api_cfg.whitelist.iter().any(|net| net.contains(peer.ip()))
|
||||
{
|
||||
return Ok(error_response(
|
||||
request_id,
|
||||
ApiFailure::new(
|
||||
StatusCode::FORBIDDEN,
|
||||
"forbidden",
|
||||
"Source IP is not allowed",
|
||||
return match api_cfg.gray_action {
|
||||
ApiGrayAction::Api => Ok(error_response(
|
||||
request_id,
|
||||
ApiFailure::new(
|
||||
StatusCode::FORBIDDEN,
|
||||
"forbidden",
|
||||
"Source IP is not allowed",
|
||||
),
|
||||
)),
|
||||
ApiGrayAction::Ok200 => Ok(
|
||||
Response::builder()
|
||||
.status(StatusCode::OK)
|
||||
.header("content-type", "text/html; charset=utf-8")
|
||||
.body(Full::new(Bytes::new()))
|
||||
.unwrap(),
|
||||
),
|
||||
));
|
||||
ApiGrayAction::Drop => Err(IoError::new(
|
||||
ErrorKind::ConnectionAborted,
|
||||
"api request dropped by gray_action=drop",
|
||||
)),
|
||||
};
|
||||
}
|
||||
|
||||
if !api_cfg.auth_header.is_empty() {
|
||||
|
||||
@@ -560,6 +560,7 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
|
||||
if old.server.api.enabled != new.server.api.enabled
|
||||
|| old.server.api.listen != new.server.api.listen
|
||||
|| old.server.api.whitelist != new.server.api.whitelist
|
||||
|| old.server.api.gray_action != new.server.api.gray_action
|
||||
|| old.server.api.auth_header != new.server.api.auth_header
|
||||
|| old.server.api.request_body_limit_bytes != new.server.api.request_body_limit_bytes
|
||||
|| old.server.api.minimal_runtime_enabled != new.server.api.minimal_runtime_enabled
|
||||
|
||||
@@ -340,12 +340,29 @@ impl ProxyConfig {
|
||||
let update_every_is_explicit = general_table
|
||||
.map(|table| table.contains_key("update_every"))
|
||||
.unwrap_or(false);
|
||||
let beobachten_is_explicit = general_table
|
||||
.map(|table| table.contains_key("beobachten"))
|
||||
.unwrap_or(false);
|
||||
let beobachten_minutes_is_explicit = general_table
|
||||
.map(|table| table.contains_key("beobachten_minutes"))
|
||||
.unwrap_or(false);
|
||||
let beobachten_flush_secs_is_explicit = general_table
|
||||
.map(|table| table.contains_key("beobachten_flush_secs"))
|
||||
.unwrap_or(false);
|
||||
let beobachten_file_is_explicit = general_table
|
||||
.map(|table| table.contains_key("beobachten_file"))
|
||||
.unwrap_or(false);
|
||||
let legacy_secret_is_explicit = general_table
|
||||
.map(|table| table.contains_key("proxy_secret_auto_reload_secs"))
|
||||
.unwrap_or(false);
|
||||
let legacy_config_is_explicit = general_table
|
||||
.map(|table| table.contains_key("proxy_config_auto_reload_secs"))
|
||||
.unwrap_or(false);
|
||||
let legacy_top_level_beobachten = parsed_toml.get("beobachten").cloned();
|
||||
let legacy_top_level_beobachten_minutes = parsed_toml.get("beobachten_minutes").cloned();
|
||||
let legacy_top_level_beobachten_flush_secs =
|
||||
parsed_toml.get("beobachten_flush_secs").cloned();
|
||||
let legacy_top_level_beobachten_file = parsed_toml.get("beobachten_file").cloned();
|
||||
let stun_servers_is_explicit = network_table
|
||||
.map(|table| table.contains_key("stun_servers"))
|
||||
.unwrap_or(false);
|
||||
@@ -358,6 +375,63 @@ impl ProxyConfig {
|
||||
config.general.update_every = None;
|
||||
}
|
||||
|
||||
// Backward compatibility: legacy top-level beobachten* keys.
|
||||
// Prefer `[general].*` when both are present.
|
||||
let mut legacy_beobachten_applied = false;
|
||||
if !beobachten_is_explicit
|
||||
&& let Some(value) = legacy_top_level_beobachten.as_ref()
|
||||
{
|
||||
let parsed = value.as_bool().ok_or_else(|| {
|
||||
ProxyError::Config("beobachten (top-level) must be a boolean".to_string())
|
||||
})?;
|
||||
config.general.beobachten = parsed;
|
||||
legacy_beobachten_applied = true;
|
||||
}
|
||||
if !beobachten_minutes_is_explicit
|
||||
&& let Some(value) = legacy_top_level_beobachten_minutes.as_ref()
|
||||
{
|
||||
let raw = value.as_integer().ok_or_else(|| {
|
||||
ProxyError::Config("beobachten_minutes (top-level) must be an integer".to_string())
|
||||
})?;
|
||||
let parsed = u64::try_from(raw).map_err(|_| {
|
||||
ProxyError::Config(
|
||||
"beobachten_minutes (top-level) must be within u64 range".to_string(),
|
||||
)
|
||||
})?;
|
||||
config.general.beobachten_minutes = parsed;
|
||||
legacy_beobachten_applied = true;
|
||||
}
|
||||
if !beobachten_flush_secs_is_explicit
|
||||
&& let Some(value) = legacy_top_level_beobachten_flush_secs.as_ref()
|
||||
{
|
||||
let raw = value.as_integer().ok_or_else(|| {
|
||||
ProxyError::Config(
|
||||
"beobachten_flush_secs (top-level) must be an integer".to_string(),
|
||||
)
|
||||
})?;
|
||||
let parsed = u64::try_from(raw).map_err(|_| {
|
||||
ProxyError::Config(
|
||||
"beobachten_flush_secs (top-level) must be within u64 range".to_string(),
|
||||
)
|
||||
})?;
|
||||
config.general.beobachten_flush_secs = parsed;
|
||||
legacy_beobachten_applied = true;
|
||||
}
|
||||
if !beobachten_file_is_explicit
|
||||
&& let Some(value) = legacy_top_level_beobachten_file.as_ref()
|
||||
{
|
||||
let parsed = value.as_str().ok_or_else(|| {
|
||||
ProxyError::Config("beobachten_file (top-level) must be a string".to_string())
|
||||
})?;
|
||||
config.general.beobachten_file = parsed.to_string();
|
||||
legacy_beobachten_applied = true;
|
||||
}
|
||||
if legacy_beobachten_applied {
|
||||
warn!(
|
||||
"top-level beobachten* keys are deprecated; use general.beobachten* instead"
|
||||
);
|
||||
}
|
||||
|
||||
let legacy_nat_stun = config.general.middle_proxy_nat_stun.take();
|
||||
let legacy_nat_stun_servers =
|
||||
std::mem::take(&mut config.general.middle_proxy_nat_stun_servers);
|
||||
@@ -1289,6 +1363,7 @@ impl ProxyConfig {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1385,6 +1460,21 @@ mod tests {
|
||||
const TEST_SHADOWSOCKS_URL: &str =
|
||||
"ss://2022-blake3-aes-256-gcm:MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDE=@127.0.0.1:8388";
|
||||
|
||||
fn load_config_from_temp_toml(toml: &str) -> ProxyConfig {
|
||||
let nonce = std::time::SystemTime::now()
|
||||
.duration_since(std::time::UNIX_EPOCH)
|
||||
.unwrap()
|
||||
.as_nanos();
|
||||
let dir = std::env::temp_dir().join(format!("telemt_load_cfg_{nonce}"));
|
||||
std::fs::create_dir_all(&dir).unwrap();
|
||||
let path = dir.join("config.toml");
|
||||
std::fs::write(&path, toml).unwrap();
|
||||
let cfg = ProxyConfig::load(&path).unwrap();
|
||||
let _ = std::fs::remove_file(path);
|
||||
let _ = std::fs::remove_dir(dir);
|
||||
cfg
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn serde_defaults_remain_unchanged_for_present_sections() {
|
||||
let toml = r#"
|
||||
@@ -1481,6 +1571,7 @@ mod tests {
|
||||
cfg.general.rpc_proxy_req_every,
|
||||
default_rpc_proxy_req_every()
|
||||
);
|
||||
assert_eq!(cfg.general.beobachten_file, default_beobachten_file());
|
||||
assert_eq!(cfg.general.update_every, default_update_every());
|
||||
assert_eq!(cfg.server.listen_addr_ipv4, default_listen_addr_ipv4());
|
||||
assert_eq!(cfg.server.listen_addr_ipv6, default_listen_addr_ipv6_opt());
|
||||
@@ -1491,6 +1582,7 @@ mod tests {
|
||||
assert_eq!(cfg.censorship.unknown_sni_action, UnknownSniAction::Drop);
|
||||
assert_eq!(cfg.server.api.listen, default_api_listen());
|
||||
assert_eq!(cfg.server.api.whitelist, default_api_whitelist());
|
||||
assert_eq!(cfg.server.api.gray_action, ApiGrayAction::Drop);
|
||||
assert_eq!(
|
||||
cfg.server.api.request_body_limit_bytes,
|
||||
default_api_request_body_limit_bytes()
|
||||
@@ -1647,6 +1739,7 @@ mod tests {
|
||||
default_upstream_connect_failfast_hard_errors()
|
||||
);
|
||||
assert_eq!(general.rpc_proxy_req_every, default_rpc_proxy_req_every());
|
||||
assert_eq!(general.beobachten_file, default_beobachten_file());
|
||||
assert_eq!(general.update_every, default_update_every());
|
||||
|
||||
let server = ServerConfig::default();
|
||||
@@ -1661,6 +1754,7 @@ mod tests {
|
||||
);
|
||||
assert_eq!(server.api.listen, default_api_listen());
|
||||
assert_eq!(server.api.whitelist, default_api_whitelist());
|
||||
assert_eq!(server.api.gray_action, ApiGrayAction::Drop);
|
||||
assert_eq!(
|
||||
server.api.request_body_limit_bytes,
|
||||
default_api_request_body_limit_bytes()
|
||||
@@ -1808,6 +1902,107 @@ mod tests {
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn api_gray_action_parses_and_defaults_to_drop() {
|
||||
let cfg_default: ProxyConfig = toml::from_str(
|
||||
r#"
|
||||
[server]
|
||||
[general]
|
||||
[network]
|
||||
[access]
|
||||
"#,
|
||||
)
|
||||
.unwrap();
|
||||
assert_eq!(cfg_default.server.api.gray_action, ApiGrayAction::Drop);
|
||||
|
||||
let cfg_api: ProxyConfig = toml::from_str(
|
||||
r#"
|
||||
[server]
|
||||
[general]
|
||||
[network]
|
||||
[access]
|
||||
[server.api]
|
||||
gray_action = "api"
|
||||
"#,
|
||||
)
|
||||
.unwrap();
|
||||
assert_eq!(cfg_api.server.api.gray_action, ApiGrayAction::Api);
|
||||
|
||||
let cfg_200: ProxyConfig = toml::from_str(
|
||||
r#"
|
||||
[server]
|
||||
[general]
|
||||
[network]
|
||||
[access]
|
||||
[server.api]
|
||||
gray_action = "200"
|
||||
"#,
|
||||
)
|
||||
.unwrap();
|
||||
assert_eq!(cfg_200.server.api.gray_action, ApiGrayAction::Ok200);
|
||||
|
||||
let cfg_drop: ProxyConfig = toml::from_str(
|
||||
r#"
|
||||
[server]
|
||||
[general]
|
||||
[network]
|
||||
[access]
|
||||
[server.api]
|
||||
gray_action = "drop"
|
||||
"#,
|
||||
)
|
||||
.unwrap();
|
||||
assert_eq!(cfg_drop.server.api.gray_action, ApiGrayAction::Drop);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn top_level_beobachten_keys_migrate_to_general_when_general_not_explicit() {
|
||||
let cfg = load_config_from_temp_toml(
|
||||
r#"
|
||||
beobachten = false
|
||||
beobachten_minutes = 7
|
||||
beobachten_flush_secs = 3
|
||||
beobachten_file = "tmp/legacy-beob.txt"
|
||||
|
||||
[server]
|
||||
[general]
|
||||
[network]
|
||||
[access]
|
||||
"#,
|
||||
);
|
||||
|
||||
assert!(!cfg.general.beobachten);
|
||||
assert_eq!(cfg.general.beobachten_minutes, 7);
|
||||
assert_eq!(cfg.general.beobachten_flush_secs, 3);
|
||||
assert_eq!(cfg.general.beobachten_file, "tmp/legacy-beob.txt");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn general_beobachten_keys_have_priority_over_legacy_top_level() {
|
||||
let cfg = load_config_from_temp_toml(
|
||||
r#"
|
||||
beobachten = true
|
||||
beobachten_minutes = 30
|
||||
beobachten_flush_secs = 30
|
||||
beobachten_file = "tmp/legacy-beob.txt"
|
||||
|
||||
[server]
|
||||
[general]
|
||||
beobachten = false
|
||||
beobachten_minutes = 5
|
||||
beobachten_flush_secs = 2
|
||||
beobachten_file = "tmp/general-beob.txt"
|
||||
[network]
|
||||
[access]
|
||||
"#,
|
||||
);
|
||||
|
||||
assert!(!cfg.general.beobachten);
|
||||
assert_eq!(cfg.general.beobachten_minutes, 5);
|
||||
assert_eq!(cfg.general.beobachten_flush_secs, 2);
|
||||
assert_eq!(cfg.general.beobachten_file, "tmp/general-beob.txt");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn dc_overrides_allow_string_and_array() {
|
||||
let toml = r#"
|
||||
|
||||
@@ -1183,6 +1183,13 @@ pub struct ApiConfig {
|
||||
#[serde(default = "default_api_whitelist")]
|
||||
pub whitelist: Vec<IpNetwork>,
|
||||
|
||||
/// Behavior for requests from source IPs outside `whitelist`.
|
||||
/// - `api`: return structured API forbidden response.
|
||||
/// - `200`: return `200 OK` with an empty body.
|
||||
/// - `drop`: close the connection without HTTP response.
|
||||
#[serde(default)]
|
||||
pub gray_action: ApiGrayAction,
|
||||
|
||||
/// Optional static value for `Authorization` header validation.
|
||||
/// Empty string disables header auth.
|
||||
#[serde(default)]
|
||||
@@ -1227,6 +1234,7 @@ impl Default for ApiConfig {
|
||||
enabled: default_true(),
|
||||
listen: default_api_listen(),
|
||||
whitelist: default_api_whitelist(),
|
||||
gray_action: ApiGrayAction::default(),
|
||||
auth_header: String::new(),
|
||||
request_body_limit_bytes: default_api_request_body_limit_bytes(),
|
||||
minimal_runtime_enabled: default_api_minimal_runtime_enabled(),
|
||||
@@ -1240,6 +1248,19 @@ impl Default for ApiConfig {
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
|
||||
#[serde(rename_all = "lowercase")]
|
||||
pub enum ApiGrayAction {
|
||||
/// Preserve current API behavior for denied source IPs.
|
||||
Api,
|
||||
/// Mimic a plain web endpoint by returning `200 OK` with an empty body.
|
||||
#[serde(rename = "200")]
|
||||
Ok200,
|
||||
/// Drop connection without HTTP response for denied source IPs.
|
||||
#[default]
|
||||
Drop,
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
|
||||
#[serde(rename_all = "lowercase")]
|
||||
pub enum ConntrackMode {
|
||||
@@ -1856,6 +1877,10 @@ pub enum UpstreamType {
|
||||
interface: Option<String>,
|
||||
#[serde(default)]
|
||||
bind_addresses: Option<Vec<String>>,
|
||||
/// Linux-only hard interface pinning via `SO_BINDTODEVICE`.
|
||||
/// Optional alias: `force_bind`.
|
||||
#[serde(default, alias = "force_bind")]
|
||||
bindtodevice: Option<String>,
|
||||
},
|
||||
Socks4 {
|
||||
address: String,
|
||||
|
||||
+45
-28
@@ -81,23 +81,9 @@ pub async fn run() -> std::result::Result<(), Box<dyn std::error::Error>> {
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(unix)]
|
||||
async fn run_inner(
|
||||
daemon_opts: DaemonOptions,
|
||||
) -> std::result::Result<(), Box<dyn std::error::Error>> {
|
||||
// Acquire PID file if daemonizing or if explicitly requested
|
||||
// Keep it alive until shutdown (underscore prefix = intentionally kept for RAII cleanup)
|
||||
let _pid_file = if daemon_opts.daemonize || daemon_opts.pid_file.is_some() {
|
||||
let mut pf = PidFile::new(daemon_opts.pid_file_path());
|
||||
if let Err(e) = pf.acquire() {
|
||||
eprintln!("[telemt] {}", e);
|
||||
std::process::exit(1);
|
||||
}
|
||||
Some(pf)
|
||||
} else {
|
||||
None
|
||||
};
|
||||
|
||||
// Shared maestro startup and main loop. `drop_after_bind` runs on Unix after listeners are bound
|
||||
// (for privilege drop); it is a no-op on other platforms.
|
||||
async fn run_telemt_core(drop_after_bind: impl FnOnce()) -> std::result::Result<(), Box<dyn std::error::Error>> {
|
||||
let process_started_at = Instant::now();
|
||||
let process_started_at_epoch_secs = SystemTime::now()
|
||||
.duration_since(UNIX_EPOCH)
|
||||
@@ -761,17 +747,8 @@ async fn run_inner(
|
||||
std::process::exit(1);
|
||||
}
|
||||
|
||||
// Drop privileges after binding sockets (which may require root for port < 1024)
|
||||
if daemon_opts.user.is_some() || daemon_opts.group.is_some() {
|
||||
if let Err(e) = drop_privileges(
|
||||
daemon_opts.user.as_deref(),
|
||||
daemon_opts.group.as_deref(),
|
||||
_pid_file.as_ref(),
|
||||
) {
|
||||
error!(error = %e, "Failed to drop privileges");
|
||||
std::process::exit(1);
|
||||
}
|
||||
}
|
||||
// On Unix, caller supplies privilege drop after bind (may require root for port < 1024).
|
||||
drop_after_bind();
|
||||
|
||||
runtime_tasks::apply_runtime_log_filter(
|
||||
has_rust_log,
|
||||
@@ -819,3 +796,43 @@ async fn run_inner(
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[cfg(unix)]
|
||||
async fn run_inner(
|
||||
daemon_opts: DaemonOptions,
|
||||
) -> std::result::Result<(), Box<dyn std::error::Error>> {
|
||||
// Acquire PID file if daemonizing or if explicitly requested
|
||||
// Keep it alive until shutdown (underscore prefix = intentionally kept for RAII cleanup)
|
||||
let _pid_file = if daemon_opts.daemonize || daemon_opts.pid_file.is_some() {
|
||||
let mut pf = PidFile::new(daemon_opts.pid_file_path());
|
||||
if let Err(e) = pf.acquire() {
|
||||
eprintln!("[telemt] {}", e);
|
||||
std::process::exit(1);
|
||||
}
|
||||
Some(pf)
|
||||
} else {
|
||||
None
|
||||
};
|
||||
|
||||
let user = daemon_opts.user.clone();
|
||||
let group = daemon_opts.group.clone();
|
||||
|
||||
run_telemt_core(|| {
|
||||
if user.is_some() || group.is_some() {
|
||||
if let Err(e) = drop_privileges(
|
||||
user.as_deref(),
|
||||
group.as_deref(),
|
||||
_pid_file.as_ref(),
|
||||
) {
|
||||
error!(error = %e, "Failed to drop privileges");
|
||||
std::process::exit(1);
|
||||
}
|
||||
}
|
||||
})
|
||||
.await
|
||||
}
|
||||
|
||||
#[cfg(not(unix))]
|
||||
async fn run_inner() -> std::result::Result<(), Box<dyn std::error::Error>> {
|
||||
run_telemt_core(|| {}).await
|
||||
}
|
||||
|
||||
@@ -97,6 +97,7 @@ pub async fn run_probe(
|
||||
let UpstreamType::Direct {
|
||||
interface,
|
||||
bind_addresses,
|
||||
..
|
||||
} = &upstream.upstream_type
|
||||
else {
|
||||
continue;
|
||||
|
||||
@@ -31,6 +31,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -27,6 +27,7 @@ fn build_harness(config: ProxyConfig) -> PipelineHarness {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -11,6 +11,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -11,6 +11,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -25,6 +25,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -11,6 +11,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -11,6 +11,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -38,6 +38,7 @@ fn build_harness(secret_hex: &str, mask_port: u16) -> PipelineHarness {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -16,6 +16,7 @@ fn make_test_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -39,6 +39,7 @@ fn build_harness(secret_hex: &str, mask_port: u16) -> RedTeamHarness {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -229,6 +230,7 @@ async fn redteam_03_masking_duration_must_be_less_than_1ms_when_backend_down() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -470,6 +472,7 @@ async fn measure_invalid_probe_duration_ms(delay_ms: u64, tls_len: u16, body_sen
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -544,6 +547,7 @@ async fn capture_forwarded_probe_len(tls_len: u16, body_sent: usize) -> usize {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -13,6 +13,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -11,6 +11,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -11,6 +11,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -11,6 +11,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -11,6 +11,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -25,6 +25,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -332,6 +332,7 @@ async fn relay_task_abort_releases_user_gate_and_ip_reservation() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -446,6 +447,7 @@ async fn relay_cutover_releases_user_gate_and_ip_reservation() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -570,6 +572,7 @@ async fn integration_route_cutover_and_quota_overlap_fails_closed_and_releases_s
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -740,6 +743,7 @@ async fn proxy_protocol_header_is_rejected_when_trust_list_is_empty() {
|
||||
upstream_type: crate::config::UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -817,6 +821,7 @@ async fn proxy_protocol_header_from_untrusted_peer_range_is_rejected_under_load(
|
||||
upstream_type: crate::config::UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -977,6 +982,7 @@ async fn short_tls_probe_is_masked_through_client_pipeline() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1065,6 +1071,7 @@ async fn tls12_record_probe_is_masked_through_client_pipeline() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1151,6 +1158,7 @@ async fn handle_client_stream_increments_connects_all_exactly_once() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1244,6 +1252,7 @@ async fn running_client_handler_increments_connects_all_exactly_once() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1334,6 +1343,7 @@ async fn idle_pooled_connection_closes_cleanly_in_generic_stream_path() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1405,6 +1415,7 @@ async fn idle_pooled_connection_closes_cleanly_in_client_handler_path() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1491,6 +1502,7 @@ async fn partial_tls_header_stall_triggers_handshake_timeout() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1816,6 +1828,7 @@ async fn valid_tls_path_does_not_fall_back_to_mask_backend() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1925,6 +1938,7 @@ async fn valid_tls_with_invalid_mtproto_falls_back_to_mask_backend() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -2032,6 +2046,7 @@ async fn client_handler_tls_bad_mtproto_is_forwarded_to_mask_backend() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -2154,6 +2169,7 @@ async fn alpn_mismatch_tls_probe_is_masked_through_client_pipeline() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -2247,6 +2263,7 @@ async fn invalid_hmac_tls_probe_is_masked_through_client_pipeline() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -2346,6 +2363,7 @@ async fn burst_invalid_tls_probes_are_masked_verbatim() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -3251,6 +3269,7 @@ async fn relay_connect_error_releases_user_and_ip_before_return() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -3812,6 +3831,7 @@ async fn untrusted_proxy_header_source_is_rejected() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -3882,6 +3902,7 @@ async fn empty_proxy_trusted_cidrs_rejects_proxy_header_by_default() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -3979,6 +4000,7 @@ async fn oversized_tls_record_is_masked_in_generic_stream_pipeline() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -4082,6 +4104,7 @@ async fn oversized_tls_record_is_masked_in_client_handler_pipeline() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -4199,6 +4222,7 @@ async fn tls_record_len_min_minus_1_is_rejected_in_generic_stream_pipeline() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -4302,6 +4326,7 @@ async fn tls_record_len_min_minus_1_is_rejected_in_client_handler_pipeline() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -4408,6 +4433,7 @@ async fn tls_record_len_16384_is_accepted_in_generic_stream_pipeline() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -4509,6 +4535,7 @@ async fn tls_record_len_16384_is_accepted_in_client_handler_pipeline() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -24,6 +24,7 @@ fn make_test_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -26,6 +26,7 @@ fn make_test_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -27,6 +27,7 @@ fn make_test_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -41,6 +41,7 @@ fn build_harness(secret_hex: &str, mask_port: u16) -> PipelineHarness {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -1293,6 +1293,7 @@ async fn direct_relay_abort_midflight_releases_route_gauge() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1400,6 +1401,7 @@ async fn direct_relay_cutover_midflight_releases_route_gauge() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1522,6 +1524,7 @@ async fn direct_relay_cutover_storm_multi_session_keeps_generic_errors_and_relea
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
@@ -1758,6 +1761,7 @@ async fn negative_direct_relay_dc_connection_refused_fails_fast() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
selected_scope: String::new(),
|
||||
}],
|
||||
@@ -1849,6 +1853,7 @@ async fn adversarial_direct_relay_cutover_integrity() {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
selected_scope: String::new(),
|
||||
}],
|
||||
|
||||
@@ -53,6 +53,7 @@ fn new_client_harness() -> ClientHarness {
|
||||
upstream_type: UpstreamType::Direct {
|
||||
interface: None,
|
||||
bind_addresses: None,
|
||||
bindtodevice: None,
|
||||
},
|
||||
weight: 1,
|
||||
enabled: true,
|
||||
|
||||
@@ -67,6 +67,7 @@ pub fn format_sample_line(sample: &MePingSample) -> String {
|
||||
fn format_direct_with_config(
|
||||
interface: &Option<String>,
|
||||
bind_addresses: &Option<Vec<String>>,
|
||||
bindtodevice: &Option<String>,
|
||||
) -> Option<String> {
|
||||
let mut direct_parts: Vec<String> = Vec::new();
|
||||
if let Some(dev) = interface.as_deref().filter(|v| !v.is_empty()) {
|
||||
@@ -75,6 +76,9 @@ fn format_direct_with_config(
|
||||
if let Some(src) = bind_addresses.as_ref().filter(|v| !v.is_empty()) {
|
||||
direct_parts.push(format!("src={}", src.join(",")));
|
||||
}
|
||||
if let Some(device) = bindtodevice.as_deref().filter(|v| !v.is_empty()) {
|
||||
direct_parts.push(format!("bindtodevice={device}"));
|
||||
}
|
||||
if direct_parts.is_empty() {
|
||||
None
|
||||
} else {
|
||||
@@ -231,8 +235,11 @@ pub async fn format_me_route(
|
||||
UpstreamType::Direct {
|
||||
interface,
|
||||
bind_addresses,
|
||||
bindtodevice,
|
||||
} => {
|
||||
if let Some(route) = format_direct_with_config(interface, bind_addresses) {
|
||||
if let Some(route) =
|
||||
format_direct_with_config(interface, bind_addresses, bindtodevice)
|
||||
{
|
||||
route
|
||||
} else {
|
||||
detect_direct_route_details(reports, prefer_ipv6, v4_ok, v6_ok)
|
||||
|
||||
@@ -158,6 +158,56 @@ pub fn create_outgoing_socket_bound(addr: SocketAddr, bind_addr: Option<IpAddr>)
|
||||
Ok(socket)
|
||||
}
|
||||
|
||||
/// Pin an outgoing socket to a specific Linux network interface via SO_BINDTODEVICE.
|
||||
#[cfg(target_os = "linux")]
|
||||
pub fn bind_outgoing_socket_to_device(socket: &Socket, device: &str) -> Result<()> {
|
||||
use std::io::{Error, ErrorKind};
|
||||
use std::os::fd::AsRawFd;
|
||||
|
||||
let name = device.trim();
|
||||
if name.is_empty() {
|
||||
return Err(Error::new(
|
||||
ErrorKind::InvalidInput,
|
||||
"bindtodevice must not be empty",
|
||||
));
|
||||
}
|
||||
|
||||
// The kernel expects an interface name buffer with a trailing NUL.
|
||||
if name.len() >= libc::IFNAMSIZ {
|
||||
return Err(Error::new(
|
||||
ErrorKind::InvalidInput,
|
||||
"bindtodevice exceeds IFNAMSIZ",
|
||||
));
|
||||
}
|
||||
let mut ifname = [0u8; libc::IFNAMSIZ];
|
||||
ifname[..name.len()].copy_from_slice(name.as_bytes());
|
||||
|
||||
let rc = unsafe {
|
||||
libc::setsockopt(
|
||||
socket.as_raw_fd(),
|
||||
libc::SOL_SOCKET,
|
||||
libc::SO_BINDTODEVICE,
|
||||
ifname.as_ptr().cast::<libc::c_void>(),
|
||||
(name.len() + 1) as libc::socklen_t,
|
||||
)
|
||||
};
|
||||
if rc != 0 {
|
||||
return Err(Error::last_os_error());
|
||||
}
|
||||
debug!("Pinned outgoing socket to interface {}", name);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Stub for non-Linux targets where SO_BINDTODEVICE is unavailable.
|
||||
#[cfg(not(target_os = "linux"))]
|
||||
pub fn bind_outgoing_socket_to_device(_socket: &Socket, _device: &str) -> Result<()> {
|
||||
use std::io::{Error, ErrorKind};
|
||||
Err(Error::new(
|
||||
ErrorKind::Unsupported,
|
||||
"bindtodevice is supported only on Linux",
|
||||
))
|
||||
}
|
||||
|
||||
/// Get local address of a socket
|
||||
#[allow(dead_code)]
|
||||
pub fn get_local_addr(stream: &TcpStream) -> Option<SocketAddr> {
|
||||
|
||||
@@ -26,7 +26,9 @@ use crate::stats::Stats;
|
||||
use crate::transport::shadowsocks::{
|
||||
ShadowsocksStream, connect_shadowsocks, sanitize_shadowsocks_url,
|
||||
};
|
||||
use crate::transport::socket::{create_outgoing_socket_bound, resolve_interface_ip};
|
||||
use crate::transport::socket::{
|
||||
bind_outgoing_socket_to_device, create_outgoing_socket_bound, resolve_interface_ip,
|
||||
};
|
||||
use crate::transport::socks::{connect_socks4, connect_socks5};
|
||||
|
||||
/// Number of Telegram datacenters
|
||||
@@ -928,6 +930,7 @@ impl UpstreamManager {
|
||||
UpstreamType::Direct {
|
||||
interface,
|
||||
bind_addresses,
|
||||
bindtodevice,
|
||||
} => {
|
||||
let bind_ip = Self::resolve_bind_address(
|
||||
interface,
|
||||
@@ -943,6 +946,10 @@ impl UpstreamManager {
|
||||
}
|
||||
|
||||
let socket = create_outgoing_socket_bound(target, bind_ip)?;
|
||||
if let Some(device) = bindtodevice.as_deref().filter(|value| !value.is_empty()) {
|
||||
bind_outgoing_socket_to_device(&socket, device).map_err(ProxyError::Io)?;
|
||||
debug!(bindtodevice = %device, target = %target, "Pinned socket to interface");
|
||||
}
|
||||
if let Some(ip) = bind_ip {
|
||||
debug!(bind = %ip, target = %target, "Bound outgoing socket");
|
||||
} else if interface.is_some() || bind_addresses.is_some() {
|
||||
@@ -1209,6 +1216,7 @@ impl UpstreamManager {
|
||||
UpstreamType::Direct {
|
||||
interface,
|
||||
bind_addresses,
|
||||
bindtodevice,
|
||||
} => {
|
||||
let mut direct_parts = Vec::new();
|
||||
if let Some(dev) = interface.as_deref().filter(|v| !v.is_empty()) {
|
||||
@@ -1217,6 +1225,9 @@ impl UpstreamManager {
|
||||
if let Some(src) = bind_addresses.as_ref().filter(|v| !v.is_empty()) {
|
||||
direct_parts.push(format!("src={}", src.join(",")));
|
||||
}
|
||||
if let Some(device) = bindtodevice.as_deref().filter(|v| !v.is_empty()) {
|
||||
direct_parts.push(format!("bindtodevice={device}"));
|
||||
}
|
||||
if direct_parts.is_empty() {
|
||||
"direct".to_string()
|
||||
} else {
|
||||
|
||||
Reference in New Issue
Block a user