Apply [timeouts] tg_connect to upstream DC TCP connect attempts

Wire config.timeouts.tg_connect into UpstreamManager; per-attempt timeout uses
the same .max(1) pattern as connect_budget_ms.

Reject timeouts.tg_connect = 0 at config load (consistent with
general.upstream_connect_budget_ms and related checks). Default when the key
is omitted remains default_connect_timeout() via serde.

Fixes telemt/telemt#439

.github/workflows/release.yml

@@ -6,34 +6,36 @@ on:
       - '[0-9]+.[0-9]+.[0-9]+'
   workflow_dispatch:
 
-concurrency:
-  group: release-${{ github.ref }}
-  cancel-in-progress: true
-
 permissions:
   contents: read
   packages: write
 
 env:
   CARGO_TERM_COLOR: always
-  BINARY_NAME: telemt
 
 jobs:
-# ==========================
-# GNU / glibc
-# ==========================
-  build-gnu:
-    name: GNU ${{ matrix.target }}
+  build:
+    name: Build ${{ matrix.target }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
       matrix:
         include:
           - target: x86_64-unknown-linux-gnu
-            asset: telemt-x86_64-linux-gnu
+            artifact_name: telemt
+            asset_name: telemt-x86_64-linux-gnu
           - target: aarch64-unknown-linux-gnu
-            asset: telemt-aarch64-linux-gnu
+            artifact_name: telemt
+            asset_name: telemt-aarch64-linux-gnu
+          - target: x86_64-unknown-linux-musl
+            artifact_name: telemt
+            asset_name: telemt-x86_64-linux-musl
+          - target: aarch64-unknown-linux-musl
+            artifact_name: telemt
+            asset_name: telemt-aarch64-linux-musl
 
     steps:
       - uses: actions/checkout@v4
@@ -41,20 +43,12 @@ jobs:
       - uses: dtolnay/rust-toolchain@v1
         with:
           toolchain: stable
-          targets: |
-            x86_64-unknown-linux-gnu
-            aarch64-unknown-linux-gnu
+          targets: ${{ matrix.target }}
 
-      - name: Install deps
+      - name: Install cross-compilation tools
         run: |
           sudo apt-get update
-          sudo apt-get install -y \
-            build-essential \
-            clang \
-            lld \
-            pkg-config \
-            gcc-aarch64-linux-gnu \
-            g++-aarch64-linux-gnu
+          sudo apt-get install -y gcc-aarch64-linux-gnu
 
       - uses: actions/cache@v4
         with:
@@ -62,183 +56,41 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             target
-          key: gnu-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ matrix.target }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ matrix.target }}-cargo-
 
-      - name: Build
+      - name: Install cross
+        run: cargo install cross --git https://github.com/cross-rs/cross
+
+      - name: Build Release
+        env:
+          RUSTFLAGS: ${{ contains(matrix.target, 'musl') && '-C target-feature=+crt-static' || '' }}
+        run: cross build --release --target ${{ matrix.target }}
+
+      - name: Package binary
         run: |
-          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then
-            export CC=aarch64-linux-gnu-gcc
-            export CXX=aarch64-linux-gnu-g++
-            export CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc
-            export CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++
-            export RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc"
-          else
-            export CC=clang
-            export CXX=clang++
-            export CC_x86_64_unknown_linux_gnu=clang
-            export CXX_x86_64_unknown_linux_gnu=clang++
-            export RUSTFLAGS="-C linker=clang -C link-arg=-fuse-ld=lld"
-          fi
-
-          cargo build --release --target ${{ matrix.target }}
-
-      - name: Package
-        run: |
-          mkdir -p dist
-          BIN=target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}
-
-          cp "$BIN" dist/${{ env.BINARY_NAME }}-${{ matrix.target }}
-
-          cd dist
-          tar -czf ${{ matrix.asset }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }}
-          sha256sum ${{ matrix.asset }}.tar.gz > ${{ matrix.asset }}.sha256
+          cd target/${{ matrix.target }}/release
+          tar -czvf ${{ matrix.asset_name }}.tar.gz ${{ matrix.artifact_name }}
+          sha256sum ${{ matrix.asset_name }}.tar.gz > ${{ matrix.asset_name }}.sha256
 
       - uses: actions/upload-artifact@v4
         with:
-          name: ${{ matrix.asset }}
+          name: ${{ matrix.asset_name }}
           path: |
-            dist/${{ matrix.asset }}.tar.gz
-            dist/${{ matrix.asset }}.sha256
+            target/${{ matrix.target }}/release/${{ matrix.asset_name }}.tar.gz
+            target/${{ matrix.target }}/release/${{ matrix.asset_name }}.sha256
 
-# ==========================
-# MUSL
-# ==========================
-  build-musl:
-    name: MUSL ${{ matrix.target }}
+  build-docker-image:
+    needs: build
     runs-on: ubuntu-latest
-
-    container:
-      image: rust:slim-bookworm
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - target: x86_64-unknown-linux-musl
-            asset: telemt-x86_64-linux-musl
-          - target: aarch64-unknown-linux-musl
-            asset: telemt-aarch64-linux-musl
+    permissions:
+      contents: read
+      packages: write
 
     steps:
       - uses: actions/checkout@v4
 
-      - name: Install deps
-        run: |
-          apt-get update
-          apt-get install -y \
-            musl-tools \
-            pkg-config \
-            curl
-
-      # 💾 cache toolchain
-      - uses: actions/cache@v4
-        if: matrix.target == 'aarch64-unknown-linux-musl'
-        with:
-          path: ~/.musl-aarch64
-          key: musl-toolchain-aarch64-v1
-
-      # 🔥 надёжная установка
-      - name: Install aarch64 musl toolchain
-        if: matrix.target == 'aarch64-unknown-linux-musl'
-        run: |
-          set -e
-
-          TOOLCHAIN_DIR="$HOME/.musl-aarch64"
-          ARCHIVE="aarch64-linux-musl-cross.tgz"
-
-          if [ -x "$TOOLCHAIN_DIR/bin/aarch64-linux-musl-gcc" ]; then
-            echo "✅ musl toolchain already installed"
-          else
-            echo "⬇️ downloading musl toolchain..."
-
-            download() {
-              url="$1"
-              echo "→ trying $url"
-              curl -fL \
-                --retry 5 \
-                --retry-delay 3 \
-                --connect-timeout 10 \
-                --max-time 120 \
-                -o "$ARCHIVE" "$url" && return 0
-              return 1
-            }
-
-            download "https://musl.cc/$ARCHIVE" || \
-            download "https://more.musl.cc/$ARCHIVE" || \
-            { echo "❌ failed to download musl toolchain"; exit 1; }
-
-            mkdir -p "$TOOLCHAIN_DIR"
-            tar -xzf "$ARCHIVE" --strip-components=1 -C "$TOOLCHAIN_DIR"
-          fi
-
-          echo "$TOOLCHAIN_DIR/bin" >> $GITHUB_PATH
-
-      - name: Add rust target
-        run: rustup target add ${{ matrix.target }}
-
-      - uses: actions/cache@v4
-        with:
-          path: |
-            /usr/local/cargo/registry
-            /usr/local/cargo/git
-            target
-          key: musl-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
-
-      - name: Build
-        run: |
-          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
-            export CC=aarch64-linux-musl-gcc
-            export CC_aarch64_unknown_linux_musl=aarch64-linux-musl-gcc
-            export RUSTFLAGS="-C target-feature=+crt-static -C linker=aarch64-linux-musl-gcc"
-          else
-            export CC=musl-gcc
-            export CC_x86_64_unknown_linux_musl=musl-gcc
-            export RUSTFLAGS="-C target-feature=+crt-static"
-          fi
-
-          cargo build --release --target ${{ matrix.target }}
-
-      - name: Package
-        run: |
-          mkdir -p dist
-          BIN=target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}
-
-          cp "$BIN" dist/${{ env.BINARY_NAME }}-${{ matrix.target }}
-
-          cd dist
-          tar -czf ${{ matrix.asset }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }}
-          sha256sum ${{ matrix.asset }}.tar.gz > ${{ matrix.asset }}.sha256
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.asset }}
-          path: |
-            dist/${{ matrix.asset }}.tar.gz
-            dist/${{ matrix.asset }}.sha256
-
-# ==========================
-# Docker
-# ==========================
-  docker:
-    name: Docker
-    runs-on: ubuntu-latest
-    needs: [build-gnu, build-musl]
-    continue-on-error: true
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/download-artifact@v4
-        with:
-          path: artifacts
-
-      - name: Extract binaries
-        run: |
-          mkdir dist
-          find artifacts -name "*.tar.gz" -exec tar -xzf {} -C dist \;
-
-          cp dist/telemt-x86_64-unknown-linux-musl dist/telemt || true
-
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
 
@@ -253,43 +105,35 @@ jobs:
         id: vars
         run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
 
-      - name: Build & Push
+      - name: Build and push
         uses: docker/build-push-action@v6
         with:
           context: .
           push: true
-          platforms: linux/amd64,linux/arm64
           tags: |
             ghcr.io/${{ github.repository }}:${{ steps.vars.outputs.VERSION }}
             ghcr.io/${{ github.repository }}:latest
-          build-args: |
-            BINARY=dist/telemt
 
-# ==========================
-# Release
-# ==========================
   release:
-    name: Release
+    name: Create Release
+    needs: build
     runs-on: ubuntu-latest
-    needs: [build-gnu, build-musl]
-
     permissions:
       contents: write
 
     steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
       - uses: actions/download-artifact@v4
         with:
           path: artifacts
 
-      - name: Flatten artifacts
-        run: |
-          mkdir dist
-          find artifacts -type f -exec cp {} dist/ \;
-
       - name: Create Release
         uses: softprops/action-gh-release@v2
         with:
-          files: dist/*
+          files: artifacts/**/*
           generate_release_notes: true
           draft: false
           prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-beta') || contains(github.ref, '-alpha') }}

Dockerfile

@@ -1,5 +1,3 @@
-# syntax=docker/dockerfile:1
-
 # ==========================
 # Stage 1: Build
 # ==========================
@@ -7,87 +5,36 @@ FROM rust:1.88-slim-bookworm AS builder
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     pkg-config \
-    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /build
 
-# Depcache
 COPY Cargo.toml Cargo.lock* ./
 RUN mkdir src && echo 'fn main() {}' > src/main.rs && \
     cargo build --release 2>/dev/null || true && \
     rm -rf src
 
-# Build
 COPY . .
 RUN cargo build --release && strip target/release/telemt
 
 # ==========================
-# Stage 2: Compress (strip + UPX)
+# Stage 2: Runtime
 # ==========================
-FROM debian:12-slim AS minimal
-
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    upx \
-    binutils \
-    && rm -rf /var/lib/apt/lists/*
-
-COPY --from=builder /build/target/release/telemt /telemt
-
-RUN strip /telemt || true
-RUN upx --best --lzma /telemt || true
-
-# ==========================
-# Stage 3: Debug base
-# ==========================
-FROM debian:12-slim AS debug-base
+FROM debian:bookworm-slim
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
-    tzdata \
-    curl \
-    iproute2 \
-    busybox \
     && rm -rf /var/lib/apt/lists/*
 
-# ==========================
-# Stage 4: Debug image
-# ==========================
-FROM debug-base AS debug
+RUN useradd -r -s /usr/sbin/nologin telemt
 
 WORKDIR /app
 
-COPY --from=minimal /telemt /app/telemt
+COPY --from=builder /build/target/release/telemt /app/telemt
 COPY config.toml /app/config.toml
 
-USER root
-
-EXPOSE 443
-EXPOSE 9090
-EXPOSE 9091
-
-ENTRYPOINT ["/app/telemt"]
-CMD ["config.toml"]
-
-# ==========================
-# Stage 5: Production (distroless)
-# ==========================
-FROM gcr.io/distroless/base-debian12 AS prod
-
-WORKDIR /app
-
-COPY --from=minimal /telemt /app/telemt
-COPY config.toml /app/config.toml
-
-# TLS + timezone + shell
-COPY --from=debug-base /etc/ssl/certs /etc/ssl/certs
-COPY --from=debug-base /usr/share/zoneinfo /usr/share/zoneinfo
-COPY --from=debug-base /bin/busybox /bin/busybox
-
-RUN ["/bin/busybox", "--install", "-s", "/bin"]
-
-# distroless user
-USER nonroot:nonroot
+RUN chown -R telemt:telemt /app
+USER telemt
 
 EXPOSE 443
 EXPOSE 9090

docs/QUICK_START_GUIDE.ru.md

@@ -178,7 +178,7 @@ docker compose down
 > - По умолчанию публикуются порты 443:443, а контейнер запускается со сброшенными привилегиями (добавлена только `NET_BIND_SERVICE`)  
 > - Если вам действительно нужна сеть хоста (обычно это требуется только для некоторых конфигураций IPv6), раскомментируйте `network_mode: host`
 
-**Запуск без Docker Compose**
+**Запуск в Docker Compose**
 ```bash
 docker build -t telemt:local .
 docker run --name telemt --restart unless-stopped \

src/config/load.rs

@@ -346,6 +346,12 @@ impl ProxyConfig {
             ));
         }
 
+        if config.timeouts.tg_connect == 0 {
+            return Err(ProxyError::Config(
+                "timeouts.tg_connect must be > 0".to_string(),
+            ));
+        }
+
         if config.general.upstream_unhealthy_fail_threshold == 0 {
             return Err(ProxyError::Config(
                 "general.upstream_unhealthy_fail_threshold must be > 0".to_string(),
@@ -1625,6 +1631,26 @@ mod tests {
         let _ = std::fs::remove_file(path);
     }
 
+    #[test]
+    fn tg_connect_zero_is_rejected() {
+        let toml = r#"
+            [timeouts]
+            tg_connect = 0
+
+            [censorship]
+            tls_domain = "example.com"
+
+            [access.users]
+            user = "00000000000000000000000000000000"
+        "#;
+        let dir = std::env::temp_dir();
+        let path = dir.join("telemt_tg_connect_zero_test.toml");
+        std::fs::write(&path, toml).unwrap();
+        let err = ProxyConfig::load(&path).unwrap_err().to_string();
+        assert!(err.contains("timeouts.tg_connect must be > 0"));
+        let _ = std::fs::remove_file(path);
+    }
+
     #[test]
     fn rpc_proxy_req_every_out_of_range_is_rejected() {
         let toml = r#"

src/maestro/mod.rs

@@ -191,6 +191,7 @@ pub async fn run() -> std::result::Result<(), Box<dyn std::error::Error>> {
         config.general.upstream_connect_retry_attempts,
         config.general.upstream_connect_retry_backoff_ms,
         config.general.upstream_connect_budget_ms,
+        config.timeouts.tg_connect,
         config.general.upstream_unhealthy_fail_threshold,
         config.general.upstream_connect_failfast_hard_errors,
         stats.clone(),

src/transport/upstream.rs

@@ -34,8 +34,6 @@ const NUM_DCS: usize = 5;
 
 /// Timeout for individual DC ping attempt
 const DC_PING_TIMEOUT_SECS: u64 = 5;
-/// Timeout for direct TG DC TCP connect readiness.
-const DIRECT_CONNECT_TIMEOUT_SECS: u64 = 10;
 /// Interval between upstream health-check cycles.
 const HEALTH_CHECK_INTERVAL_SECS: u64 = 30;
 /// Timeout for a single health-check connect attempt.
@@ -319,6 +317,8 @@ pub struct UpstreamManager {
     connect_retry_attempts: u32,
     connect_retry_backoff: Duration,
     connect_budget: Duration,
+    /// Per-attempt TCP connect timeout to Telegram DC (`[timeouts] tg_connect`, seconds).
+    tg_connect_timeout_secs: u64,
     unhealthy_fail_threshold: u32,
     connect_failfast_hard_errors: bool,
     no_upstreams_warn_epoch_ms: Arc<AtomicU64>,
@@ -332,6 +332,7 @@ impl UpstreamManager {
         connect_retry_attempts: u32,
         connect_retry_backoff_ms: u64,
         connect_budget_ms: u64,
+        tg_connect_timeout_secs: u64,
         unhealthy_fail_threshold: u32,
         connect_failfast_hard_errors: bool,
         stats: Arc<Stats>,
@@ -347,6 +348,7 @@ impl UpstreamManager {
             connect_retry_attempts: connect_retry_attempts.max(1),
             connect_retry_backoff: Duration::from_millis(connect_retry_backoff_ms),
             connect_budget: Duration::from_millis(connect_budget_ms.max(1)),
+            tg_connect_timeout_secs: tg_connect_timeout_secs.max(1),
             unhealthy_fail_threshold: unhealthy_fail_threshold.max(1),
             connect_failfast_hard_errors,
             no_upstreams_warn_epoch_ms: Arc::new(AtomicU64::new(0)),
@@ -797,8 +799,8 @@ impl UpstreamManager {
                 break;
             }
             let remaining_budget = self.connect_budget.saturating_sub(elapsed);
-            let attempt_timeout =
-                Duration::from_secs(DIRECT_CONNECT_TIMEOUT_SECS).min(remaining_budget);
+            let attempt_timeout = Duration::from_secs(self.tg_connect_timeout_secs)
+                .min(remaining_budget);
             if attempt_timeout.is_zero() {
                 last_error = Some(ProxyError::ConnectionTimeout {
                     addr: target.to_string(),
@@ -1901,6 +1903,7 @@ mod tests {
             1,
             100,
             1000,
+            10,
             1,
             false,
             Arc::new(Stats::new()),