Version bump

Windows auto update
fix #775
2026-05-22 23:41:44 +03:00 · 2026-04-26 16:58:48 +03:00 · 2026-04-26 16:58:17 +03:00 · 2026-04-26 16:26:50 +03:00 · 2026-04-19 17:32:54 +03:00 · 2026-04-18 18:59:46 +03:00
20 changed files with 610 additions and 236 deletions
--- a/.github/cfproxy-domains.txt
+++ b/.github/cfproxy-domains.txt
@@ -3,3 +3,6 @@ vmmzovy.com
 mkuosckvso.com
 zaewayzmplad.com
 twdmbzcm.com
 awzwsldi.com
 clngqrflngqin.com
 tjacxbqtj.com
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,7 +26,7 @@ jobs:
      - name: Setup Python
        uses: actions/setup-python@v6
        with:
-          python-version: "3.12"
+          python-version: "3.11"
          cache: "pip"
      - name: Setup MSVC 14.40 toolset
@@ -38,10 +38,11 @@ jobs:
        run: pip install .
      - name: Build PyInstaller bootloader from source
        run: |
          pip install "pyinstaller==6.16.0" --no-binary pyinstaller
        env:
-          PYINSTALLER_COMPILE_BOOTLOADER: 1
+          PYINSTALLER_COMPILE_BOOTLOADER: "1"
        run: |
          pip download --no-binary pyinstaller --no-deps --no-cache-dir -d pyinstaller_src "pyinstaller==6.10.0"
          pip install (Get-ChildItem pyinstaller_src\*.tar.gz).FullName
      - name: Build EXE with PyInstaller
        run: pyinstaller packaging/windows.spec --noconfirm
@@ -193,7 +194,7 @@ jobs:
          python3.12 -m pip install --no-deps wheelhouse/universal2/*.whl
          python3.12 -m pip install .
-          python3.12 -m pip install pyinstaller==6.16.0
+          python3.12 -m pip install pyinstaller==6.13.0
      - name: Create macOS icon from ICO
        run: |
@@ -295,7 +296,7 @@ jobs:
        run: |
          .venv/bin/pip install --upgrade pip
          .venv/bin/pip install .
-          .venv/bin/pip install "pyinstaller==6.16.0"
+          .venv/bin/pip install "pyinstaller==6.13.0"
      - name: Build binary with PyInstaller
        run: .venv/bin/pyinstaller packaging/linux.spec --noconfirm
@@ -383,7 +384,8 @@ jobs:
          tag_name: ${{ github.event.inputs.version }}
          name: "TG WS Proxy ${{ github.event.inputs.version }}"
          body: |
-            ## TG WS Proxy ${{ github.event.inputs.version }}
+            ## 
            ### [❤️ Поддержать развитие проекта](https://github.com/Flowseal/tg-ws-proxy/blob/main/docs/Funding.md)
          files: |
            dist/TgWsProxy_windows.exe
            dist/TgWsProxy_windows_7_64bit.exe
--- a/.gitignore
+++ b/.gitignore
@@ -24,9 +24,4 @@ Thumbs.db
 Desktop.ini
 .DS_Store
 # Project-specific (not for the repo)
 scan_ips.py
 scan.txt
 AyuGramDesktop-dev/
 tweb-master/
 /icon.icns
--- a/docs/Funding.md
+++ b/docs/Funding.md
@@ -0,0 +1,14 @@
 > [!TIP]
 >
 > ### 🎉 Поддержать меня
 >
 > **USDT (TRC20)**: `TXPnKs2Ww1RD8JN6nChFUVmi5r2hqrWjuu`  
 > **BTC**: `bc1qr8vd6jelkyyry3m4mq6z5txdx4pl856fu6ss0w`  
 > **ETH**: `0x1417878fdc5047E670a77748B34819b9A49C72F1`  
 > **Другие монеты**: https://nowpayments.io/donation/flowseal
 ##
 ### Проект полностью бесплатен для использования всеми.
 ### Однако его развитие и стабильная работа при росте числа пользователей требуют от меня определённых вложений.
 ### Буду благодарен за любую форму поддержки! Спасибо ❤️
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,6 +1,6 @@
 > [!TIP]
 >
-> ### 🎉 Поддержать меня
+> ### [🎉 Поддержать меня](https://github.com/Flowseal/tg-ws-proxy/blob/main/docs/Funding.md)
 >
 > **USDT (TRC20)**: `TXPnKs2Ww1RD8JN6nChFUVmi5r2hqrWjuu`  
 > **BTC**: `bc1qr8vd6jelkyyry3m4mq6z5txdx4pl856fu6ss0w`  
@@ -11,13 +11,13 @@
 >
 > ### Реакция антивирусов
 >
-> Windows Defender часто ошибочно помечает приложение как **Wacatac**.  
+> Антивирусы часто ошибочно помечают приложение как вирус из-за упаковщика.  
-> Если вы не можете скачать из-за блокировки, то:
+> Если вы не можете скачать из-за блокировки антивирусом, то:
 >
-> 1) Попробуйте скачать версию win7 (она ничем не отличается в плане функционала)
+> 1) **Попробуйте скачать версию win7 (она ничем не отличается в плане функционала)**
 > 2) Отключите антивирус на время скачивания, добавьте файл в исключения и включите обратно  
 >
-> **Всегда проверяйте, что скачиваете из интернета, тем более из непроверенных источников. Всегда лучше смотреть на детекты широко известных антивирусов на VirusTotal**
+> Всегда проверяйте, что скачиваете из интернета, тем более из непроверенных источников. Всегда лучше смотреть на детекты широко известных антивирусов на VirusTotal
 # TG WS Proxy
@@ -280,7 +280,7 @@ Tray-приложение хранит данные в:
 ## Автоматическая сборка
-Проект содержит спецификации PyInstaller ([`packaging/windows.spec`](packaging/windows.spec), [`packaging/macos.spec`](packaging/macos.spec), [`packaging/linux.spec`](packaging/linux.spec)) и GitHub Actions workflow ([`.github/workflows/build.yml`](.github/workflows/build.yml)) для автоматической сборки.
+Проект содержит спецификации PyInstaller ([`packaging/windows.spec`](../packaging/windows.spec), [`packaging/macos.spec`](../packaging/macos.spec), [`packaging/linux.spec`](../packaging/linux.spec)) и GitHub Actions workflow ([`.github/workflows/build.yml`](../.github/workflows/build.yml)) для автоматической сборки.
 Минимально поддерживаемые версии ОС для текущих бинарных сборок:
@@ -293,4 +293,4 @@ Tray-приложение хранит данные в:
 ## Лицензия
-[MIT License](LICENSE)
+[MIT License](https://github.com/Flowseal/tg-ws-proxy/blob/main/LICENSE)
--- a/linux.py
+++ b/linux.py
@@ -273,7 +273,7 @@ def run_tray() -> None:
 def main() -> None:
-    if not acquire_lock("linux.py"):
+    if not acquire_lock():
        _show_info("Приложение уже запущено.", os.path.basename(sys.argv[0]))
        return
    try:
--- a/macos.py
+++ b/macos.py
@@ -309,7 +309,7 @@ def _maybe_notify_update_async() -> None:
            ):
                webbrowser.open(url)
        except Exception as exc:
-            log.debug("Update check failed: %s", exc)
+            log.warning("Update check failed: %s", exc)
    threading.Thread(target=_work, daemon=True, name="update-check").start()
@@ -610,7 +610,7 @@ def run_menubar() -> None:
 def main() -> None:
-    if not acquire_lock("macos.py"):
+    if not acquire_lock():
        _show_info("Приложение уже запущено.")
        return
    try:
--- a/packaging/version_info.txt
+++ b/packaging/version_info.txt
@@ -4,8 +4,8 @@
 # http://msdn.microsoft.com/en-us/library/ms646997.aspx
 VSVersionInfo(
  ffi=FixedFileInfo(
-    filevers=(1, 0, 0, 0),
+    filevers=(1, 6, 5, 0),
-    prodvers=(1, 0, 0, 0),
+    prodvers=(1, 6, 5, 0),
    mask=0x3f,
    flags=0x0,
    OS=0x40004,
@@ -21,12 +21,12 @@ VSVersionInfo(
          [
            StringStruct(u'CompanyName', u'Flowseal'),
            StringStruct(u'FileDescription', u'Telegram Desktop WebSocket Bridge Proxy'),
-            StringStruct(u'FileVersion', u'1.0.0.0'),
+            StringStruct(u'FileVersion', u'1.6.5.0'),
            StringStruct(u'InternalName', u'TgWsProxy'),
            StringStruct(u'LegalCopyright', u'Copyright (c) Flowseal. MIT License.'),
            StringStruct(u'OriginalFilename', u'TgWsProxy.exe'),
            StringStruct(u'ProductName', u'TG WS Proxy'),
-            StringStruct(u'ProductVersion', u'1.0.0.0'),
+            StringStruct(u'ProductVersion', u'1.6.5.0'),
          ]
        )
      ]
--- a/proxy/init.py
+++ b/proxy/init.py
@@ -1,6 +1,6 @@
 from .config import parse_dc_ip_list, proxy_config
 from .utils import get_link_host
-__version__ = "1.6.1"
+__version__ = "1.6.5"
 __all__ = ["__version__", "get_link_host", "proxy_config", "parse_dc_ip_list"]
--- a/proxy/balancer.py
+++ b/proxy/balancer.py
@@ -0,0 +1,43 @@
 import random
 from collections import Counter
 from typing import Dict, List, Iterator 
 class _Balancer:
    def __init__(self):
        self.domains: List[str] = []
        self._dc_to_domain: Dict[int, str] = {}
    def update_domains_list(self, domains_list: List[str]) -> None:
        if Counter(self.domains) == Counter(domains_list):
            return
        self.domains = domains_list[:]
        self._dc_to_domain = {
            dc_id: random.choice(self.domains)
            for dc_id in (1, 2, 3, 4, 5, 203)
        }
    def update_domain_for_dc(self, dc_id: int, domain: str) -> bool:
        if self._dc_to_domain.get(dc_id) == domain:
            return False
        self._dc_to_domain[dc_id] = domain
        return True
    def get_domains_for_dc(self, dc_id: int) -> Iterator[str]:
        current_domain = self._dc_to_domain.get(dc_id)
        if current_domain is not None:
            yield current_domain
        shuffled_domains = self.domains[:]
        random.shuffle(shuffled_domains)
        for domain in shuffled_domains:
            if domain != current_domain:
                yield domain
 balancer = _Balancer()
--- a/proxy/bridge.py
+++ b/proxy/bridge.py
@@ -7,6 +7,7 @@ from typing import Dict, List, Optional
 from .utils import *
 from .stats import stats
 from .balancer import balancer
 from .config import proxy_config
 from .raw_websocket import RawWebSocket
@@ -126,7 +127,7 @@ class MsgSplitter:
 async def do_fallback(reader, writer, relay_init, label,
-                       dc, is_media, media_tag,
+                       dc: int, is_media: bool, media_tag: str,
                       ctx: CryptoCtx, splitter=None):
    fallback_dst = DC_DEFAULT_IPS.get(dc)
    use_cf = proxy_config.fallback_cfproxy
@@ -140,9 +141,9 @@ async def do_fallback(reader, writer, relay_init, label,
    for method in methods:
        if method == 'cf':
            ok = await _cfproxy_fallback(
-                reader, writer, relay_init, label,
+                reader, writer, relay_init, label, ctx,
                dc=dc, is_media=is_media,
-                ctx=ctx, splitter=splitter)
+                splitter=splitter)
            if ok:
                return True
        elif method == 'tcp' and fallback_dst:
@@ -150,27 +151,24 @@ async def do_fallback(reader, writer, relay_init, label,
                     label, dc, media_tag, fallback_dst)
            ok = await _tcp_fallback(
                reader, writer, fallback_dst, 443,
-                relay_init, label, dc=dc, is_media=is_media, ctx=ctx)
+                relay_init, label, ctx)
            if ok:
                return True
    return False
 async def _cfproxy_fallback(reader, writer, relay_init, label,
-                            dc=None, is_media=False,
+                            ctx: CryptoCtx,
-                            ctx: CryptoCtx = None, splitter=None):
+                            dc: int, is_media: bool,
                            splitter=None):
    media_tag = ' media' if is_media else ''
    active = proxy_config.active_cfproxy_domain
    others = [d for d in proxy_config.cfproxy_domains if d != active]
    ws = None
    chosen_domain = None
    log.info("[%s] DC%d%s -> trying CF proxy",
            label, dc, media_tag)
-    for base_domain in ([active] + others):
+    for base_domain in balancer.get_domains_for_dc(dc):
        domain = f'kws{dc}.{base_domain}'
        try:
            ws = await RawWebSocket.connect(domain, domain, timeout=10.0)
@@ -178,45 +176,42 @@ async def _cfproxy_fallback(reader, writer, relay_init, label,
            break
        except Exception as exc:
            log.warning("[%s] DC%d%s CF proxy failed: %s",
-                        label, dc, media_tag, exc)
+                        label, dc, media_tag, repr(exc))
    if ws is None:
        return False
-    if chosen_domain and chosen_domain != proxy_config.active_cfproxy_domain:
+    if chosen_domain and balancer.update_domain_for_dc(dc, chosen_domain):
-        log.info("[%s] Switching active CF domain", label)
+        log.info("[%s] Switched active CF domain", label)
        proxy_config.active_cfproxy_domain = chosen_domain
    stats.connections_cfproxy += 1
    await ws.send(relay_init)
-    await bridge_ws_reencrypt(reader, writer, ws, label,
+    await bridge_ws_reencrypt(reader, writer, ws, label, ctx,
                               dc=dc, is_media=is_media,
-                               ctx=ctx, splitter=splitter)
+                               splitter=splitter)
    return True
-async def _tcp_fallback(reader, writer, dst, port, relay_init, label,
+async def _tcp_fallback(reader, writer, dst, port, relay_init, label, ctx: CryptoCtx):
                        dc=None, is_media=False, ctx: CryptoCtx = None):
    try:
        rr, rw = await asyncio.wait_for(
            asyncio.open_connection(dst, port), timeout=10)
    except Exception as exc:
        log.warning("[%s] TCP fallback to %s:%d failed: %s",
-                    label, dst, port, exc)
+                    label, dst, port, repr(exc))
        return False
    stats.connections_tcp_fallback += 1
    rw.write(relay_init)
    await rw.drain()
-    await _bridge_tcp_reencrypt(reader, writer, rr, rw, label,
+    await _bridge_tcp_reencrypt(reader, writer, rr, rw, label, ctx)
                                dc=dc, is_media=is_media, ctx=ctx)
    return True
 async def bridge_ws_reencrypt(reader, writer, ws: RawWebSocket, label,
                               ctx: CryptoCtx,
                               dc=None, is_media=False,
-                               ctx: CryptoCtx = None,
+                               splitter: Optional[MsgSplitter] = None):
                               splitter: MsgSplitter = None):
    """
    Bidirectional TCP(client) <-> WS(telegram) with re-encryption.
    client ciphertext → decrypt(clt_key) → encrypt(tg_key) → WS
@@ -313,8 +308,7 @@ async def bridge_ws_reencrypt(reader, writer, ws: RawWebSocket, label,
 async def _bridge_tcp_reencrypt(reader, writer, remote_reader, remote_writer,
-                                label, dc=None, is_media=False,
+                                label, ctx: CryptoCtx):
                                ctx: CryptoCtx = None):
    """Bidirectional TCP <-> TCP with re-encryption."""
    async def forward(src, dst_w, is_up):
--- a/proxy/config.py
+++ b/proxy/config.py
@@ -9,6 +9,8 @@ from dataclasses import dataclass, field
 from typing import Dict, List
 from urllib.request import Request, urlopen
 from .balancer import balancer
 log = logging.getLogger('tg-mtproto-proxy')
 CFPROXY_DOMAINS_URL = (
@@ -45,8 +47,6 @@ class ProxyConfig:
    fallback_cfproxy: bool = True
    fallback_cfproxy_priority: bool = True
    cfproxy_user_domain: str = ''
    cfproxy_domains: List[str] = field(default_factory=lambda: list(CFPROXY_DEFAULT_DOMAINS))
    active_cfproxy_domain: str = field(default_factory=lambda: random.choice(CFPROXY_DEFAULT_DOMAINS))
    fake_tls_domain: str = ''
    proxy_protocol: bool = False
@@ -66,7 +66,7 @@ def _fetch_cfproxy_domain_list() -> List[str]:
        ]
        return [_dd(d) for d in encoded]
    except Exception as exc:
-        log.warning("Failed to fetch CF proxy domain list: %s", exc)
+        log.warning("Failed to fetch CF proxy domain list: %s", repr(exc))
        return []
@@ -79,12 +79,8 @@ def refresh_cfproxy_domains() -> None:
    if fetched:
        seen = set()
        pool = [d for d in fetched if not (d in seen or seen.add(d))]
        balancer.update_domains_list(pool)
        log.info("CF proxy domain pool updated from GitHub (%d domains)", len(pool))
    else:
        pool = list(proxy_config.cfproxy_domains) or list(CFPROXY_DEFAULT_DOMAINS)
    proxy_config.cfproxy_domains = pool
    proxy_config.active_cfproxy_domain = random.choice(pool)
 _refresh_stop: threading.Event = threading.Event()
@@ -96,6 +92,8 @@ def start_cfproxy_domain_refresh() -> None:
    _refresh_stop = threading.Event()
    stop = _refresh_stop
    balancer.update_domains_list(CFPROXY_DEFAULT_DOMAINS)
    def _loop():
        refresh_cfproxy_domains()
        while not stop.wait(timeout=3600):
--- a/proxy/fake_tls.py
+++ b/proxy/fake_tls.py
@@ -213,8 +213,8 @@ async def proxy_to_masking_domain(reader, writer, initial_data: bytes,
        up_reader, up_writer = await asyncio.wait_for(
            asyncio.open_connection(domain, 443), timeout=10)
    except Exception as exc:
-        log.debug("[%s] masking: cannot connect to %s:443: %s",
+        log.warning("[%s] masking: cannot connect to %s:443: %s",
-                  label, domain, exc)
+                  label, domain, repr(exc))
        return
    log.debug("[%s] masking -> %s:443", label, domain)
--- a/proxy/raw_websocket.py
+++ b/proxy/raw_websocket.py
@@ -25,7 +25,7 @@ _ssl_ctx.verify_mode = ssl.CERT_NONE
 class WsHandshakeError(Exception):
    def __init__(self, status_code: int, status_line: str,
-                 headers: dict = None, location: str = None):
+                 headers: Optional[dict] = None, location: Optional[str] = None):
        self.status_code = status_code
        self.status_line = status_line
        self.headers = headers or {}
@@ -96,9 +96,6 @@ class RawWebSocket:
            f'Sec-WebSocket-Key: {ws_key}\r\n'
            f'Sec-WebSocket-Version: 13\r\n'
            f'Sec-WebSocket-Protocol: binary\r\n'
            f'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
            f'AppleWebKit/537.36 (KHTML, like Gecko) '
            f'Chrome/131.0.0.0 Safari/537.36\r\n'
            f'\r\n'
        )
        writer.write(req.encode())
--- a/proxy/tg_ws_proxy.py
+++ b/proxy/tg_ws_proxy.py
@@ -4,7 +4,6 @@ import os
 import sys
 import time
 import struct
 import random
 import asyncio
 import hashlib
 import argparse
@@ -25,18 +24,19 @@ if __name__ == '__main__' and (__package__ is None or __package__ == ''):
 from .utils import *
 from .stats import stats
-from .config import proxy_config, parse_dc_ip_list, start_cfproxy_domain_refresh, CFPROXY_DEFAULT_DOMAINS
+from .config import proxy_config, parse_dc_ip_list, start_cfproxy_domain_refresh
 from .bridge import MsgSplitter, CryptoCtx, do_fallback, bridge_ws_reencrypt
 from .raw_websocket import RawWebSocket, WsHandshakeError, set_sock_opts
 from .fake_tls import proxy_to_masking_domain, verify_client_hello, build_server_hello, FakeTlsStream, TLS_RECORD_HANDSHAKE
 from .balancer import balancer
 log = logging.getLogger('tg-mtproto-proxy')
 DC_FAIL_COOLDOWN = 30.0
 WS_FAIL_TIMEOUT = 2.0
-ws_blacklist: Set[Tuple[int, bool]] = set()
+ws_blacklist: Set[str] = set()
-dc_fail_until: Dict[Tuple[int, bool], float] = {}
+dc_fail_until: Dict[str, float] = {}
 def _try_handshake(handshake: bytes, secret: bytes) -> Optional[Tuple[int, bool, bytes, bytes]]:
@@ -191,7 +191,7 @@ class _WsPool:
        except Exception:
            pass
-    async def warmup(self, dc_redirects: Dict[int, Optional[str]]):
+    async def warmup(self, dc_redirects: Dict[int, str]):
        for dc, target_ip in dc_redirects.items():
            if target_ip is None:
                continue
@@ -207,6 +207,146 @@ class _WsPool:
 _ws_pool = _WsPool()
 async def _read_client_init(reader, writer, secret, label, masking):
    if proxy_config.proxy_protocol:
        try:
            pp_line = await asyncio.wait_for(
                reader.readline(), timeout=10)
        except asyncio.IncompleteReadError:
            log.debug("[%s] disconnected during PROXY header", label)
            return None
        pp_text = pp_line.decode('ascii', errors='replace').strip()
        if pp_text.startswith('PROXY '):
            parts = pp_text.split()
            if len(parts) >= 6:
                label = f"{parts[2]}:{parts[4]}"
            log.debug("[%s] PROXY protocol: %s", label, pp_text)
        else:
            log.debug("[%s] expected PROXY header, got: %r", label,
                      pp_text[:60])
    try:
        first_byte = await asyncio.wait_for(
            reader.readexactly(1), timeout=10)
    except asyncio.IncompleteReadError:
        log.debug("[%s] client disconnected before handshake", label)
        return None
    if first_byte[0] == TLS_RECORD_HANDSHAKE and masking:
        try:
            hdr_rest = await asyncio.wait_for(
                reader.readexactly(4), timeout=10)
        except asyncio.IncompleteReadError:
            log.debug("[%s] incomplete TLS record header", label)
            return None
        tls_header = first_byte + hdr_rest
        record_len = struct.unpack('>H', tls_header[3:5])[0]
        try:
            record_body = await asyncio.wait_for(
                reader.readexactly(record_len), timeout=10)
        except asyncio.IncompleteReadError:
            log.debug("[%s] incomplete TLS record body", label)
            return None
        client_hello = tls_header + record_body
        tls_result = verify_client_hello(client_hello, secret)
        if tls_result is None:
            log.debug("[%s] Fake TLS verify failed (size=%d rec=%d) "
                      "-> masking",
                      label, len(client_hello), record_len)
            await proxy_to_masking_domain(
                reader, writer, client_hello, masking, label)
            return None
        client_random, session_id, ts = tls_result
        log.debug("[%s] Fake TLS handshake ok (ts=%d)", label, ts)
        server_hello = build_server_hello(secret, client_random, session_id)
        writer.write(server_hello)
        await writer.drain()
        tls_stream = FakeTlsStream(reader, writer)
        try:
            handshake = await asyncio.wait_for(
                tls_stream.readexactly(HANDSHAKE_LEN), timeout=10)
        except asyncio.IncompleteReadError:
            log.debug("[%s] incomplete obfs2 init inside TLS", label)
            return None
        return handshake, tls_stream, tls_stream, label
    elif masking:
        log.debug("[%s] non-TLS byte 0x%02X -> HTTP redirect", label,
                  first_byte[0])
        redirect = (
            f"HTTP/1.1 301 Moved Permanently\r\n"
            f"Location: https://{masking}/\r\n"
            f"Content-Length: 0\r\n"
            f"Connection: close\r\n\r\n"
        ).encode()
        writer.write(redirect)
        await writer.drain()
        return None
    else:
        try:
            rest = await asyncio.wait_for(
                reader.readexactly(HANDSHAKE_LEN - 1), timeout=10)
        except asyncio.IncompleteReadError:
            log.debug("[%s] client disconnected before handshake", label)
            return None
        return first_byte + rest, reader, writer, label
 def _build_crypto_ctx(client_dec_prekey_iv, secret, relay_init):
    # key = SHA256(prekey + secret), iv from handshake
    # "dec" = decrypt data from client; "enc" = encrypt data to client
    clt_dec_prekey = client_dec_prekey_iv[:PREKEY_LEN]
    clt_dec_iv = client_dec_prekey_iv[PREKEY_LEN:]
    clt_dec_key = hashlib.sha256(clt_dec_prekey + secret).digest()
    clt_enc_prekey_iv = client_dec_prekey_iv[::-1]
    clt_enc_key = hashlib.sha256(
        clt_enc_prekey_iv[:PREKEY_LEN] + secret).digest()
    clt_enc_iv = clt_enc_prekey_iv[PREKEY_LEN:]
    clt_decryptor = Cipher(
        algorithms.AES(clt_dec_key), modes.CTR(clt_dec_iv)
    ).encryptor()
    clt_encryptor = Cipher(
        algorithms.AES(clt_enc_key), modes.CTR(clt_enc_iv)
    ).encryptor()
    # fast-forward client decryptor past the 64-byte init
    clt_decryptor.update(ZERO_64)
    # relay side: standard obfuscation (no secret hash, raw key)
    relay_enc_key = relay_init[SKIP_LEN:SKIP_LEN + PREKEY_LEN]
    relay_enc_iv = relay_init[SKIP_LEN + PREKEY_LEN:
                              SKIP_LEN + PREKEY_LEN + IV_LEN]
    relay_dec_prekey_iv = relay_init[SKIP_LEN:
                                     SKIP_LEN + PREKEY_LEN + IV_LEN][::-1]
    relay_dec_key = relay_dec_prekey_iv[:KEY_LEN]
    relay_dec_iv = relay_dec_prekey_iv[KEY_LEN:]
    tg_encryptor = Cipher(
        algorithms.AES(relay_enc_key), modes.CTR(relay_enc_iv)
    ).encryptor()
    tg_decryptor = Cipher(
        algorithms.AES(relay_dec_key), modes.CTR(relay_dec_iv)
    ).encryptor()
    tg_encryptor.update(ZERO_64)
    return CryptoCtx(clt_decryptor, clt_encryptor, tg_encryptor, tg_decryptor)
 async def _handle_client(reader, writer, secret: bytes):
    stats.connections_total += 1
    stats.connections_active += 1
@@ -215,115 +355,25 @@ async def _handle_client(reader, writer, secret: bytes):
    set_sock_opts(writer.transport, proxy_config.buffer_size)
    tls_stream = None
    masking = proxy_config.fake_tls_domain
    try:
-        if proxy_config.proxy_protocol:
+        init = await _read_client_init(
-            try:
+            reader, writer, secret, label, proxy_config.fake_tls_domain)
-                pp_line = await asyncio.wait_for(
+        if init is None:
                    reader.readline(), timeout=10)
            except asyncio.IncompleteReadError:
                log.debug("[%s] disconnected during PROXY header", label)
                return
            pp_text = pp_line.decode('ascii', errors='replace').strip()
            if pp_text.startswith('PROXY '):
                parts = pp_text.split()
                if len(parts) >= 6:
                    label = f"{parts[2]}:{parts[4]}"
                log.debug("[%s] PROXY protocol: %s", label, pp_text)
            else:
                log.debug("[%s] expected PROXY header, got: %r", label,
                          pp_text[:60])
        try:
            first_byte = await asyncio.wait_for(
                reader.readexactly(1), timeout=10)
        except asyncio.IncompleteReadError:
            log.debug("[%s] client disconnected before handshake", label)
            return
-        if first_byte[0] == TLS_RECORD_HANDSHAKE and masking:
+        handshake, clt_reader, clt_writer, label = init
            try:
                hdr_rest = await asyncio.wait_for(
                    reader.readexactly(4), timeout=10)
            except asyncio.IncompleteReadError:
                log.debug("[%s] incomplete TLS record header", label)
                return
            tls_header = first_byte + hdr_rest
            record_len = struct.unpack('>H', tls_header[3:5])[0]
            try:
                record_body = await asyncio.wait_for(
                    reader.readexactly(record_len), timeout=10)
            except asyncio.IncompleteReadError:
                log.debug("[%s] incomplete TLS record body", label)
                return
            client_hello = tls_header + record_body
            tls_result = verify_client_hello(client_hello, secret)
            if tls_result is None:
                log.debug("[%s] Fake TLS verify failed (size=%d rec=%d) "
                          "-> masking",
                          label, len(client_hello), record_len)
                await proxy_to_masking_domain(
                    reader, writer, client_hello, masking, label)
                return
            client_random, session_id, ts = tls_result
            log.debug("[%s] Fake TLS handshake ok (ts=%d)", label, ts)
            server_hello = build_server_hello(secret, client_random, session_id)
            writer.write(server_hello)
            await writer.drain()
            tls_stream = FakeTlsStream(reader, writer)
            try:
                handshake = await asyncio.wait_for(
                    tls_stream.readexactly(HANDSHAKE_LEN), timeout=10)
            except asyncio.IncompleteReadError:
                log.debug("[%s] incomplete obfs2 init inside TLS", label)
                return
        elif masking:
            log.debug("[%s] non-TLS byte 0x%02X -> HTTP redirect", label,
                      first_byte[0])
            redirect = (
                f"HTTP/1.1 301 Moved Permanently\r\n"
                f"Location: https://{masking}/\r\n"
                f"Content-Length: 0\r\n"
                f"Connection: close\r\n\r\n"
            ).encode()
            writer.write(redirect)
            await writer.drain()
            return
        else:
            try:
                rest = await asyncio.wait_for(
                    reader.readexactly(HANDSHAKE_LEN - 1), timeout=10)
            except asyncio.IncompleteReadError:
                log.debug("[%s] client disconnected before handshake", label)
                return
            handshake = first_byte + rest
        result = _try_handshake(handshake, secret)
        if result is None:
            stats.connections_bad += 1
-            log.debug("[%s] bad handshake (wrong secret or proto)", label)
+            log.warning("[%s] bad handshake (wrong secret or proto)", label)
            try:
-                drain_src = tls_stream or reader
+                while await clt_reader.read(4096):
                while await drain_src.read(4096):
                    pass
            except Exception:
                pass
            return
        clt_reader = tls_stream or reader
        clt_writer = tls_stream or writer
        dc, is_media, proto_tag, client_dec_prekey_iv = result
        if proto_tag == PROTO_TAG_ABRIDGED:
@@ -339,48 +389,7 @@ async def _handle_client(reader, writer, secret: bytes):
                  label, dc, ' media' if is_media else '', proto_int)
        relay_init = _generate_relay_init(proto_tag, dc_idx)
-
+        ctx = _build_crypto_ctx(client_dec_prekey_iv, secret, relay_init)
        # key = SHA256(prekey + secret), iv from handshake
        # "dec" = decrypt data from client; "enc" = encrypt data to client
        clt_dec_prekey = client_dec_prekey_iv[:PREKEY_LEN]
        clt_dec_iv = client_dec_prekey_iv[PREKEY_LEN:]
        clt_dec_key = hashlib.sha256(clt_dec_prekey + secret).digest()
        clt_enc_prekey_iv = client_dec_prekey_iv[::-1]
        clt_enc_key = hashlib.sha256(
            clt_enc_prekey_iv[:PREKEY_LEN] + secret).digest()
        clt_enc_iv = clt_enc_prekey_iv[PREKEY_LEN:]
        clt_decryptor = Cipher(
            algorithms.AES(clt_dec_key), modes.CTR(clt_dec_iv)
        ).encryptor()
        clt_encryptor = Cipher(
            algorithms.AES(clt_enc_key), modes.CTR(clt_enc_iv)
        ).encryptor()
        # fast-forward client decryptor past the 64-byte init
        clt_decryptor.update(ZERO_64)
        # relay side: standard obfuscation (no secret hash, raw key)
        relay_enc_key = relay_init[SKIP_LEN:SKIP_LEN + PREKEY_LEN]
        relay_enc_iv = relay_init[SKIP_LEN + PREKEY_LEN:
                                  SKIP_LEN + PREKEY_LEN + IV_LEN]
        relay_dec_prekey_iv = relay_init[SKIP_LEN:
                                         SKIP_LEN + PREKEY_LEN + IV_LEN][::-1]
        relay_dec_key = relay_dec_prekey_iv[:KEY_LEN]
        relay_dec_iv = relay_dec_prekey_iv[KEY_LEN:]
        tg_encryptor = Cipher(
            algorithms.AES(relay_enc_key), modes.CTR(relay_enc_iv)
        ).encryptor()
        tg_decryptor = Cipher(
            algorithms.AES(relay_dec_key), modes.CTR(relay_dec_iv)
        ).encryptor()
        tg_encryptor.update(ZERO_64)
        ctx = CryptoCtx(clt_decryptor, clt_encryptor, tg_encryptor, tg_decryptor)
        dc_key = f'{dc}{"m" if is_media else ""}'
        media_tag = " media" if is_media else ""
@@ -448,7 +457,7 @@ async def _handle_client(reader, writer, secret: bytes):
                    stats.ws_errors += 1
                    all_redirects = False
                    log.warning("[%s] DC%d%s WS connect failed: %s",
-                                label, dc, media_tag, exc)
+                                label, dc, media_tag, repr(exc))
        # WS failed -> fallback
        if ws is None:
@@ -490,9 +499,9 @@ async def _handle_client(reader, writer, secret: bytes):
        await ws.send(relay_init)
-        await bridge_ws_reencrypt(clt_reader, clt_writer, ws, label,
+        await bridge_ws_reencrypt(clt_reader, clt_writer, ws, label, ctx,
                                   dc=dc, is_media=is_media,
-                                   ctx=ctx, splitter=splitter)
+                                   splitter=splitter)
    except asyncio.TimeoutError:
        log.warning("[%s] timeout during handshake", label)
@@ -506,7 +515,7 @@ async def _handle_client(reader, writer, secret: bytes):
        if getattr(exc, 'winerror', None) == 1236:
            log.debug("[%s] connection aborted by local system", label)
        else:
-            log.error("[%s] unexpected OS error: %s", label, exc)
+            log.error("[%s] unexpected OS error: %s", label, repr(exc))
    except Exception as exc:
        log.error("[%s] unexpected: %s", label, exc, exc_info=True)
    finally:
@@ -535,11 +544,8 @@ async def _run(stop_event: Optional[asyncio.Event] = None):
    if proxy_config.fallback_cfproxy:
        user = proxy_config.cfproxy_user_domain
        if user:
-            proxy_config.cfproxy_domains = [user]
+            balancer.update_domains_list([user])
            proxy_config.active_cfproxy_domain = user
        else:
            proxy_config.cfproxy_domains = list(CFPROXY_DEFAULT_DOMAINS)
            proxy_config.active_cfproxy_domain = random.choice(CFPROXY_DEFAULT_DOMAINS)
            start_cfproxy_domain_refresh()
    secret_bytes = bytes.fromhex(proxy_config.secret)
@@ -585,12 +591,11 @@ async def _run(stop_event: Optional[asyncio.Event] = None):
        user_domain = "user" if proxy_config.cfproxy_user_domain else "auto"
        log.info("  CF proxy:      enabled (%s | %s)", prio, user_domain)
    log.info("=" * 60)
-    log.info("  Connect links:")
+    log.info("  Connect:")
    if ftls:
-        log.info("    ee (Fake TLS):        %s", ee_link)
+        log.info("    %s", ee_link)
    else:
-        log.info("       (standard):        %s", proxy_config.secret)
+        log.info("    %s", dd_link)
        log.info("    dd (random padding):  %s", dd_link)
    log.info("=" * 60)
    async def log_stats():
@@ -716,7 +721,7 @@ def main():
    proxy_config.pool_size = max(0, args.pool_size)
    proxy_config.fallback_cfproxy = not args.no_cfproxy
    proxy_config.fallback_cfproxy_priority = args.cfproxy_priority
-    proxy_config.cfproxy_user_domain = args.cfproxy_domain
+    proxy_config.cfproxy_user_domain = args.cfproxy_domain.strip()
    proxy_config.fake_tls_domain = args.fake_tls_domain.strip()
    proxy_config.proxy_protocol = args.proxy_protocol
--- a/proxy/utils.py
+++ b/proxy/utils.py
@@ -31,7 +31,7 @@ def human_bytes(n: int) -> str:
    for unit in ('B', 'KB', 'MB', 'GB'):
        if abs(n) < 1024:
            return f"{n:.1f}{unit}"
-        n /= 1024
+        n /= 1024  # type: ignore
    return f"{n:.1f}TB"
--- a/ui/ctk_tray_ui.py
+++ b/ui/ctk_tray_ui.py
@@ -6,7 +6,7 @@ from dataclasses import dataclass
 from typing import Any, Callable, Dict, List, Optional, Tuple, Union
 from proxy import __version__, get_link_host, parse_dc_ip_list
-from proxy.config import proxy_config
+from proxy.balancer import balancer
 from utils.update_check import RELEASES_PAGE_URL, get_status
@@ -358,7 +358,7 @@ def install_tray_config_form(
        text_color="#ffffff", border_width=0,
        command=lambda: (
            header.winfo_toplevel().iconify(),
-            webbrowser.open("https://github.com/Flowseal/tg-ws-proxy/blob/main/docs/README.md"),
+            webbrowser.open("https://github.com/Flowseal/tg-ws-proxy/blob/main/docs/Funding.md"),
        ),
    ).pack(side="right", padx=(0, 6))
@@ -451,7 +451,7 @@ def install_tray_config_form(
            _threading.Thread(target=_worker, daemon=True).start()
        else:
            def _worker_auto():
-                ok_domain, res = _run_cfproxy_auto_test(proxy_config.cfproxy_domains)
+                ok_domain, res = _run_cfproxy_auto_test(balancer.domains)
                if btn:
                    btn.after(0, lambda: btn.configure(text="Тест", state="normal"))
                    btn.after(0, lambda: _cfproxy_show_auto_test_results(ok_domain, res))
--- a/utils/tray_common.py
+++ b/utils/tray_common.py
@@ -51,7 +51,7 @@ def ensure_dirs() -> None:
 _lock_file_path: Optional[Path] = None
-def _same_process(meta: dict, proc: psutil.Process, script_hint: str) -> bool:
+def _same_process(meta: dict, proc: psutil.Process) -> bool:
    try:
        lock_ct = float(meta.get("create_time", 0.0))
        if lock_ct > 0 and abs(lock_ct - proc.create_time()) > 1.0:
@@ -63,7 +63,7 @@ def _same_process(meta: dict, proc: psutil.Process, script_hint: str) -> bool:
    return False
-def acquire_lock(script_hint: str = "") -> bool:
+def acquire_lock() -> bool:
    global _lock_file_path
    ensure_dirs()
    for f in list(APP_DIR.glob("*.lock")):
@@ -84,7 +84,7 @@ def acquire_lock(script_hint: str = "") -> bool:
            pass
        is_running = False
        try:
-            is_running = _same_process(meta, psutil.Process(pid), script_hint)
+            is_running = _same_process(meta, psutil.Process(pid))
        except Exception:
            pass
        if is_running:
@@ -132,7 +132,7 @@ def load_config() -> dict:
                data.setdefault(k, v)
            return data
        except Exception as exc:
-            log.warning("Failed to load config: %s", exc)
+            log.warning("Failed to load config: %s", repr(exc))
    return dict(DEFAULT_CONFIG)
@@ -242,7 +242,7 @@ def _run_proxy_thread(on_port_busy: Callable[[str], None]) -> None:
    try:
        loop.run_until_complete(_run(stop_event=stop_ev))
    except Exception as exc:
-        log.error("Proxy thread crashed: %s", exc)
+        log.error("Proxy thread crashed: %s", repr(exc))
        if "Address already in use" in str(exc) or "10048" in str(exc):
            on_port_busy(
                "Не удалось запустить прокси:\n"
@@ -391,7 +391,7 @@ def maybe_notify_update(
            ):
                webbrowser.open(url)
        except Exception as exc:
-            log.debug("Update check failed: %s", exc)
+            log.warning("Update check failed: %s", repr(exc))
    threading.Thread(target=_work, daemon=True, name="update-check").start()
--- a/utils/update_check.py
+++ b/utils/update_check.py
@@ -30,6 +30,7 @@ _state: Dict[str, Any] = {
    "latest": None,
    "html_url": None,
    "error": None,
    "assets": [],
 }
@@ -162,6 +163,7 @@ def run_check(current_version: str) -> None:
        tag = (cache.get("tag_name") or "").strip()
        if tag:
            _apply_release_tag(tag, cache.get("html_url") or "", current_version)
            _state["assets"] = cache.get("assets") or []
            return
        err = cache.get("last_error")
        _state["error"] = (
@@ -181,6 +183,7 @@ def run_check(current_version: str) -> None:
            tag = (cache.get("tag_name") or "").strip()
            url = (cache.get("html_url") or "").strip() or RELEASES_PAGE_URL
            _apply_release_tag(tag, url, current_version)
            _state["assets"] = cache.get("assets") or []
            if new_etag:
                cache["etag"] = new_etag
            _save_cache(cache_path, cache)
@@ -200,6 +203,13 @@ def run_check(current_version: str) -> None:
            cache["etag"] = new_etag
        cache["tag_name"] = tag
        cache["html_url"] = html_url
        assets = [
            {"name": a.get("name", ""), "url": a.get("browser_download_url", ""), "digest": a.get("digest", "")}
            for a in (data.get("assets") or [])
            if a.get("name") and a.get("browser_download_url")
        ]
        _state["assets"] = assets
        cache["assets"] = assets
        cache.pop("last_error", None)
        _save_cache(cache_path, cache)
    except (HTTPError, URLError, OSError, TimeoutError, ValueError, json.JSONDecodeError) as e:
@@ -221,3 +231,45 @@ def run_check(current_version: str) -> None:
 def get_status() -> Dict[str, Any]:
    """Снимок состояния после run_check (для подписей в настройках)."""
    return dict(_state)
 def get_update_asset(exe_path: Path) -> Optional[Tuple[str, str]]:
    assets = _state.get("assets") or []
    if not assets:
        return None
    # Try SHA256 match against release asset digests
    try:
        import hashlib
        h = hashlib.sha256()
        with open(exe_path, "rb") as f:
            while True:
                chunk = f.read(65536)
                if not chunk:
                    break
                h.update(chunk)
        exe_sha = h.hexdigest().lower()
        for a in assets:
            d = (a.get("digest") or "").lower()
            if d.startswith("sha256:") and d[7:] == exe_sha:
                return a["url"], a["name"]
    except Exception:
        pass
    # Fallback
    import struct
    is_64 = struct.calcsize("P") * 8 == 64
    try:
        is_modern = sys.getwindowsversion().major >= 10
    except Exception:
        is_modern = True
    if is_modern:
        name = "TgWsProxy_windows.exe"
    elif is_64:
        name = "TgWsProxy_windows_7_64bit.exe"
    else:
        name = "TgWsProxy_windows_7_32bit.exe"
    for a in assets:
        if a.get("name") == name:
            return a["url"], a["name"]
    return None
--- a/windows.py
+++ b/windows.py
@@ -2,6 +2,7 @@ from __future__ import annotations
 import ctypes
 import os
 import subprocess
 import sys
 import threading
 import time
@@ -40,7 +41,7 @@ from utils.tray_common import (
    APP_NAME, DEFAULT_CONFIG, FIRST_RUN_MARKER, IS_FROZEN, LOG_FILE,
    acquire_lock, bootstrap, check_ipv6_warning, ctk_run_dialog,
    ensure_ctk_thread, ensure_dirs, load_config, load_icon, log,
-    maybe_notify_update, quit_ctk, release_lock, restart_proxy,
+    quit_ctk, release_lock, restart_proxy,
    save_config, start_proxy, stop_proxy, tg_proxy_url,
 )
 from ui.ctk_tray_ui import (
@@ -56,6 +57,39 @@ from ui.ctk_theme import (
 _tray_icon: Optional[object] = None
 _config: dict = {}
 _exiting = False
 _win_mutex_handle = None
 _ERROR_ALREADY_EXISTS = 183
 def _acquire_win_mutex() -> bool | None:
    global _win_mutex_handle
    try:
        kernel32 = ctypes.windll.kernel32
        kernel32.CreateMutexW.restype = ctypes.c_void_p
        kernel32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_bool, ctypes.c_wchar_p]
        handle = kernel32.CreateMutexW(None, True, "Local\\TgWsProxy_SingleInstance")
        if kernel32.GetLastError() == _ERROR_ALREADY_EXISTS:
            kernel32.CloseHandle(ctypes.c_void_p(handle))
            return False
        if not handle:
            return None
        _win_mutex_handle = handle
        return True
    except Exception:
        return None
 def _release_win_mutex() -> None:
    global _win_mutex_handle
    if _win_mutex_handle:
        try:
            kernel32 = ctypes.windll.kernel32
            kernel32.ReleaseMutex(ctypes.c_void_p(_win_mutex_handle))
            kernel32.CloseHandle(ctypes.c_void_p(_win_mutex_handle))
        except Exception:
            pass
        _win_mutex_handle = None
 ICON_PATH = str(Path(__file__).parent / "icon.ico")
@@ -68,7 +102,9 @@ _u32.MessageBoxW.restype = ctypes.c_int
 _MB_OK_ERR = 0x10
 _MB_OK_INFO = 0x40
 _MB_YESNO_Q = 0x24
 _MB_YESNOCANCEL_Q = 0x23
 _IDYES = 6
 _IDNO = 7
 def _show_error(text: str, title: str = "TG WS Proxy — Ошибка") -> None:
@@ -83,6 +119,227 @@ def _ask_yes_no(text: str, title: str = "TG WS Proxy") -> bool:
    return _u32.MessageBoxW(None, text, title, _MB_YESNO_Q) == _IDYES
 def update_ctk_form(
    text: str, title: str = "TG WS Proxy", download_url: Optional[str] = None,
    release_url: Optional[str] = None,
 ) -> str:
    if ctk is None or not ensure_ctk_thread(ctk, _config.get("appearance", "auto")):
        result = _u32.MessageBoxW(None, text, title, _MB_YESNOCANCEL_Q)
        if result == _IDYES:
            return "update"
        if result == _IDNO:
            return "open"
        return "close"
    result = {"value": "close"}
    def _build(done: threading.Event) -> None:
        theme = ctk_theme_for_platform()
        root = create_ctk_toplevel(
            ctk,
            title=title,
            width=310 if IS_FROZEN else 210,
            height=130 if IS_FROZEN else 100,
            theme=theme,
            after_create=lambda r: r.iconbitmap(ICON_PATH),
        )
        frame = main_content_frame(ctk, root, theme, padx=16, pady=14)
        ctk.CTkLabel(
            frame,
            text=text,
            justify="left",
            anchor="w",
            wraplength=270,
            font=(theme.ui_font_family, 12),
            text_color=theme.text_primary,
        ).pack(fill="x", pady=(0, 10))
        row = ctk.CTkFrame(frame, fg_color="transparent")
        row.pack(fill="x")
        status_label = ctk.CTkLabel(
            frame, text="", justify="left", anchor="w", wraplength=270,
            font=(theme.ui_font_family, 11), text_color=theme.text_secondary,
        )
        status_label.pack(fill="x", pady=(6, 0))
        btns: list = []
        def _set_status(msg: str) -> None:
            root.after(0, lambda: status_label.configure(text=msg))
        def _close_with(value: str) -> None:
            result["value"] = value
            root.destroy()
            done.set()
        def _on_update() -> None:
            if not download_url:
                if release_url:
                    webbrowser.open(release_url)
                _close_with("open")
                return
            for b in btns:
                b.configure(state="disabled")
            root.protocol("WM_DELETE_WINDOW", lambda: None)
            def _run():
                _perform_update(download_url, set_status=_set_status)
                root.after(0, lambda: [b.configure(state="normal") for b in btns])
                root.after(0, lambda: root.protocol("WM_DELETE_WINDOW", lambda: _close_with("close")))
            threading.Thread(target=_run, daemon=True).start()
        if IS_FROZEN:
            btn_upd = ctk.CTkButton(
                row, text="Обновить", width=88, height=34,
                font=(theme.ui_font_family, 13), command=_on_update,
            )
            btn_upd.pack(side="left", padx=(0, 6))
            btns.append(btn_upd)
        btn_pg = ctk.CTkButton(
            row, text="Страница", width=88, height=34,
            font=(theme.ui_font_family, 13), command=lambda: _close_with("open"),
        )
        btn_pg.pack(side="left", padx=(0, 6))
        btns.append(btn_pg)
        btn_cl = ctk.CTkButton(
            row, text="Закрыть", width=88, height=34,
            font=(theme.ui_font_family, 13),
            fg_color=theme.field_bg, hover_color=theme.field_border,
            text_color=theme.text_primary, border_width=1, border_color=theme.field_border,
            command=lambda: _close_with("close"),
        )
        btn_cl.pack(side="left")
        btns.append(btn_cl)
        root.protocol("WM_DELETE_WINDOW", lambda: _close_with("close"))
    ctk_run_dialog(_build)
    return result["value"]
 def _perform_update(download_url: str, set_status=None) -> None:
    import tempfile
    import urllib.request
    def _step(msg: str) -> None:
        log.info("Update: %s", msg)
        if set_status:
            set_status(msg)
            time.sleep(0.8)
    def _err(msg: str) -> None:
        log.error("Update error: %s", msg)
        if set_status:
            set_status(f"Ошибка: {msg}")
        else:
            _show_error(msg)
    _step("Скачивание...")
    cur_exe = Path(sys.executable)
    old_exe = cur_exe.with_name(cur_exe.stem + "_oldtgws.exe")
    tmp_path = None
    try:
        fd, tmp_name = tempfile.mkstemp(dir=cur_exe.parent, suffix=".tmp")
        os.close(fd)
        tmp_path = Path(tmp_name)
        log.info("Downloading update from %s", download_url)
        urllib.request.urlretrieve(download_url, str(tmp_path))
    except Exception as exc:
        _err(f"Не удалось скачать:\n{exc}")
        if tmp_path:
            try:
                tmp_path.unlink(missing_ok=True)
            except OSError:
                pass
        return
    _step("Замена файла...")
    try:
        if old_exe.exists():
            old_exe.unlink()
        cur_exe.rename(old_exe)
    except Exception as exc:
        _err(f"Не удалось переименовать файл:\n{exc}")
        try:
            tmp_path.unlink(missing_ok=True)
        except OSError:
            pass
        return
    try:
        tmp_path.rename(cur_exe)
    except Exception as exc:
        _err(f"Не удалось переместить файл:\n{exc}")
        try:
            old_exe.rename(cur_exe)
        except OSError:
            pass
        try:
            tmp_path.unlink(missing_ok=True)
        except OSError:
            pass
        return
    _step("Перезапуск...")
    _release_win_mutex()
    stop_proxy()
    # Don't reuse existing _MEI* dir
    env = os.environ.copy()
    for _k in [k for k in env if k.startswith("_PYI_") or k == "_MEIPASS"]:
        del env[_k]
    if hasattr(sys, "_MEIPASS"):
        _mei = os.path.normcase(sys._MEIPASS.rstrip("\\/"))
        env["PATH"] = os.pathsep.join(
            p for p in env.get("PATH", "").split(os.pathsep)
            if os.path.normcase(p.rstrip("\\/")) != _mei
        )
    try:
        subprocess.Popen(
            [str(cur_exe)],
            env=env,
            creationflags=subprocess.DETACHED_PROCESS | subprocess.CREATE_NEW_PROCESS_GROUP,
        )
    except Exception as exc:
        log.error("Failed to launch updated exe: %s", exc)
    time.sleep(0.5)
    os._exit(0)
 def _maybe_do_update(cfg: dict, is_exiting) -> None:
    if not cfg.get("check_updates", True):
        return
    def _work():
        time.sleep(1.5)
        if is_exiting():
            return
        try:
            from proxy import __version__
            from utils.update_check import RELEASES_PAGE_URL, get_status, get_update_asset, run_check
            run_check(__version__)
            st = get_status()
            if not st.get("has_update") or is_exiting():
                return
            url = (st.get("html_url") or "").strip() or RELEASES_PAGE_URL
            ver = st.get("latest") or "?"
            asset = get_update_asset(Path(sys.executable)) if IS_FROZEN else None
            choice = update_ctk_form(
                f"Доступна новая версия: {ver}",
                download_url=asset[0] if asset else None,
                release_url=url,
            )
            if choice == "open":
                webbrowser.open(url)
        except Exception as exc:
            log.warning("Update check failed: %s", repr(exc))
    threading.Thread(target=_work, daemon=True, name="update-check").start()
 # autostart (registry)
 _RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
@@ -337,7 +594,7 @@ def run_tray() -> None:
        return
    start_proxy(_config, _show_error)
-    maybe_notify_update(_config, lambda: _exiting, _ask_yes_no)
+    _maybe_do_update(_config, lambda: _exiting)
    _show_first_run()
    check_ipv6_warning(_show_info)
@@ -350,13 +607,27 @@ def run_tray() -> None:
 def main() -> None:
-    if not acquire_lock("windows.py"):
+    if (mutex_result := _acquire_win_mutex()) is False or mutex_result is None and not acquire_lock():
        _show_info("Приложение уже запущено.", os.path.basename(sys.argv[0]))
        return
    if IS_FROZEN:
        def _cleanup_old_exes():
            exe_dir = Path(sys.executable).parent
            time.sleep(3)
            for _f in exe_dir.glob("*_oldtgws.exe"):
                try:
                    _f.unlink()
                    log.info("Deleted leftover: %s", _f)
                except OSError:
                    pass
        threading.Thread(target=_cleanup_old_exes, daemon=True, name="cleanup-old").start()
    try:
        run_tray()
    finally:
        release_lock()
        _release_win_mutex()
 if __name__ == "__main__":
Author	SHA1	Message	Date
Flowseal	cc00c6d040	Version bump	2026-04-26 16:58:48 +03:00
Flowseal	b3ed5c09db	Windows auto update	2026-04-26 16:58:17 +03:00
Flowseal	b8556dc702	fix #775	2026-04-26 16:26:50 +03:00
Flowseal	28be00ea9e	docs update	2026-04-19 17:32:54 +03:00
Flowseal	5795de00b1	Version bump	2026-04-18 18:59:46 +03:00
Flowseal	c5fa5b7f3e	fix: cfproxy user domain not set via CLI #741	2026-04-18 18:59:16 +03:00
Flowseal	a70e50b9f3	refactor	2026-04-18 16:58:49 +03:00
Flowseal	059ca8760f	moved some dubug logs to warning level	2026-04-18 15:49:42 +03:00
Flowseal	0c8d0f160a	better exception logging	2026-04-18 15:45:15 +03:00
Flowseal	791708cc3d	ws_blacklsit annotation fix	2026-04-18 15:25:11 +03:00
Flowseal	1abcbf86fe	gitignore clear	2026-04-18 15:23:56 +03:00
Flowseal	d84b9eadc4	version fix	2026-04-16 18:20:47 +03:00
Flowseal	c1b4cb0204	docs update	2026-04-16 18:01:48 +03:00
Flowseal	5d08e16e5d	removed repeated annotation	2026-04-16 17:56:48 +03:00
Flowseal	a844a88f38	docs update	2026-04-16 17:52:58 +03:00
Flowseal	e5f1d02737	docs links update	2026-04-16 17:51:41 +03:00
Flowseal	3a6e82c2a8	docs update	2026-04-16 17:50:32 +03:00
Flowseal	e56ada1a34	CF domains balancer	2026-04-16 17:08:03 +03:00
Flowseal	b44d79a933	docs update	2026-04-16 17:08:03 +03:00
Aksarin Mikhail	77723d875f	Update README.md (#711 ) Fix relative links	2026-04-16 00:29:58 +03:00
Flowseal	548ec05fc5	docs update	2026-04-14 21:56:14 +03:00
Flowseal	03c7719c39	mutex check simplify	2026-04-14 16:58:54 +03:00
Flowseal	db4cebe0b2	build test	2026-04-14 16:51:26 +03:00
Flowseal	ca81d037f7	docs update	2026-04-14 03:11:13 +03:00
Flowseal	07615af49c	bootloader build fix	2026-04-14 02:44:15 +03:00
Flowseal	f8ee37370d	Version bump	2026-04-14 00:27:27 +03:00
Flowseal	4cbb9e555c	windows mutex-lock	2026-04-14 00:27:27 +03:00
Flowseal	25ae4b0a24	build version changes	2026-04-14 00:27:27 +03:00