Add multi-secret support and per-user stats API

Support multiple named secrets in [secrets] config section. During
FakeTLS handshake each secret is tried until HMAC validates. Matched
secret name is logged and used for per-user statistics tracking.

Built-in HTTP stats API (configurable via api-bind-to) exposes
GET /stats with per-user connection counts, bytes in/out, and
last-seen timestamps.

Backward compatible: single "secret" config key still works.

example.config.toml

 # should either be base64-encoded or starts with ee.
 secret = "ee367a189aee18fa31c190054efd4a8e9573746f726167652e676f6f676c65617069732e636f6d"
 
+# For multi-user support, use the [secrets] section instead of "secret".
+# Each key is a user name, used for per-user stats tracking.
+# All secrets must use the same hostname.
+# [secrets]
+# alice = "ee367a189aee18fa31c190054efd4a8e9573746f726167652e676f6f676c65617069732e636f6d"
+# bob = "ee0123456789abcdef0123456789abcd9573746f726167652e676f6f676c65617069732e636f6d"
+
+# Host:port pair to bind the built-in stats HTTP API server.
+# GET /stats returns per-user connection counts and traffic.
+# If not set, the stats API is not started.
+# api-bind-to = "127.0.0.1:9090"
+
 # Host:port pair to run proxy on.
 bind-to = "0.0.0.0:3128"
 

internal/cli/access.go

 	"net"
 	"net/url"
 	"os"
+	"sort"
 	"strconv"
 	"sync"
 
 	"github.com/9seconds/mtg/v2/internal/config"
 	"github.com/9seconds/mtg/v2/internal/utils"
+	"github.com/9seconds/mtg/v2/mtglib"
 )
 
+type accessResponseSecret struct {
+	Hex    string `json:"hex"`
+	Base64 string `json:"base64"`
+}
+
 type accessResponse struct {
-	IPv4   *accessResponseURLs `json:"ipv4,omitempty"`
-	IPv6   *accessResponseURLs `json:"ipv6,omitempty"`
-	Secret struct {
-		Hex    string `json:"hex"`
-		Base64 string `json:"base64"`
-	} `json:"secret"`
+	IPv4    *accessResponseURLs             `json:"ipv4,omitempty"`
+	IPv6    *accessResponseURLs             `json:"ipv6,omitempty"`
+	Secret  accessResponseSecret            `json:"secret"`
+	Secrets map[string]accessResponseSecret `json:"secrets,omitempty"`
 }
 
 type accessResponseURLs struct {
 	}
 
 	resp := &accessResponse{}
-	resp.Secret.Base64 = conf.Secret.Base64()
-	resp.Secret.Hex = conf.Secret.Hex()
+	secrets := conf.GetSecrets()
+
+	// Sort secret names for deterministic "first secret" selection.
+	sortedNames := make([]string, 0, len(secrets))
+	for name := range secrets {
+		sortedNames = append(sortedNames, name)
+	}
+
+	sort.Strings(sortedNames)
+
+	// For backward compatibility, populate the single Secret field with the
+	// first secret (sorted alphabetically).
+	if len(sortedNames) > 0 {
+		first := secrets[sortedNames[0]]
+		resp.Secret.Base64 = first.Base64()
+		resp.Secret.Hex = first.Hex()
+	}
+
+	if len(secrets) > 1 {
+		resp.Secrets = make(map[string]accessResponseSecret, len(secrets))
+
+		for name, s := range secrets {
+			resp.Secrets[name] = accessResponseSecret{
+				Hex:    s.Hex(),
+				Base64: s.Base64(),
+			}
+		}
+	}
 
 	ntw, err := makeNetwork(conf, version)
 	if err != nil {
 	values.Set("server", ip.String())
 	values.Set("port", strconv.Itoa(int(portNo)))
 
+	// Use the first available secret (sorted) for URL generation.
+	secrets := conf.GetSecrets()
+	names := make([]string, 0, len(secrets))
+
+	for name := range secrets {
+		names = append(names, name)
+	}
+
+	sort.Strings(names)
+
+	var firstSecret mtglib.Secret
+	if len(names) > 0 {
+		firstSecret = secrets[names[0]]
+	}
+
 	if a.Hex {
-		values.Set("secret", conf.Secret.Hex())
+		values.Set("secret", firstSecret.Hex())
 	} else {
-		values.Set("secret", conf.Secret.Base64())
+		values.Set("secret", firstSecret.Base64())
 	}
 
 	urlQuery := values.Encode()

internal/cli/doctor.go

 	return err
 }
 
+func (d *Doctor) getFirstSecretHost() string {
+	for _, s := range d.conf.GetSecrets() {
+		return s.Host
+	}
+
+	return ""
+}
+
 func (d *Doctor) checkFrontingDomain(ntw mtglib.Network) bool {
-	host := d.conf.Secret.Host
+	host := d.getFirstSecretHost()
 	if ip := d.conf.GetDomainFrontingIP(nil); ip != "" {
 		host = ip
 	}
 }
 
 func (d *Doctor) checkSecretHost(resolver *net.Resolver, ntw mtglib.Network) bool {
-	addresses, err := resolver.LookupIPAddr(context.Background(), d.conf.Secret.Host)
+	addresses, err := resolver.LookupIPAddr(context.Background(), d.getFirstSecretHost())
 	if err != nil {
 		tplError.Execute(os.Stdout, map[string]any{ //nolint: errcheck
-			"description": fmt.Sprintf("cannot resolve DNS name of %s", d.conf.Secret.Host),
+			"description": fmt.Sprintf("cannot resolve DNS name of %s", d.getFirstSecretHost()),
 			"error":       err,
 		})
 		return false
 			(ourIP6 != nil && value.IP.String() == ourIP6.String()) {
 			tplODNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
 				"ip":       value.IP,
-				"hostname": d.conf.Secret.Host,
+				"hostname": d.getFirstSecretHost(),
 			})
 			return true
 		}
 	}
 
 	tplEDNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
-		"hostname": d.conf.Secret.Host,
+		"hostname": d.getFirstSecretHost(),
 		"resolved": strings.Join(strAddresses, ", "),
 		"ip4":      ourIP4,
 		"ip6":      ourIP6,

internal/cli/run_proxy.go

 		IPAllowlist:     allowlist,
 		EventStream:     eventStream,
 
-		Secret:                      conf.Secret,
+		Secrets:                     conf.GetSecrets(),
 		Concurrency:                 conf.GetConcurrency(mtglib.DefaultConcurrency),
 		DomainFrontingPort:          conf.GetDomainFrontingPort(mtglib.DefaultDomainFrontingPort),
 		DomainFrontingIP:            conf.GetDomainFrontingIP(nil),
 		DoppelGangerPerRaid: conf.Defense.Doppelganger.Repeats.Get(mtglib.DoppelGangerPerRaid),
 		DoppelGangerEach:    conf.Defense.Doppelganger.UpdateEach.Get(mtglib.DoppelGangerEach),
 		DoppelGangerDRS:     conf.Defense.Doppelganger.DRS.Get(false),
+
+		APIBindTo: conf.APIBindTo.Get(""),
 	}
 
 	proxy, err := mtglib.NewProxy(opts)

internal/config/config.go

 }
 
 type Config struct {
-	Debug                       TypeBool        `json:"debug"`
-	AllowFallbackOnUnknownDC    TypeBool        `json:"allowFallbackOnUnknownDc"`
-	Secret                      mtglib.Secret   `json:"secret"`
-	BindTo                      TypeHostPort    `json:"bindTo"`
+	Debug                       TypeBool                   `json:"debug"`
+	AllowFallbackOnUnknownDC    TypeBool                   `json:"allowFallbackOnUnknownDc"`
+	Secret                      mtglib.Secret              `json:"secret"`
+	Secrets                     map[string]mtglib.Secret   `json:"secrets"`
+	BindTo                      TypeHostPort               `json:"bindTo"`
 	ProxyProtocolListener       TypeBool        `json:"proxyProtocolListener"`
 	PreferIP                    TypePreferIP    `json:"preferIp"`
 	AutoUpdate                  TypeBool        `json:"autoUpdate"`
 		DNS     TypeDNSURI     `json:"dns"`
 		Proxies []TypeProxyURL `json:"proxies"`
 	} `json:"network"`
-	Stats struct {
+	APIBindTo TypeHostPort `json:"apiBindTo"`
+	Stats     struct {
 		StatsD struct {
 			Optional
 
 }
 
 func (c *Config) Validate() error {
-	if !c.Secret.Valid() {
-		return fmt.Errorf("invalid secret %s", c.Secret.String())
+	if len(c.Secrets) == 0 {
+		if !c.Secret.Valid() {
+			return fmt.Errorf("invalid secret %s", c.Secret.String())
+		}
+	} else {
+		for name, s := range c.Secrets {
+			if !s.Valid() {
+				return fmt.Errorf("invalid secret %q: %s", name, s.String())
+			}
+		}
 	}
 
 	if c.BindTo.Get("") == "" {
 	return nil
 }
 
+// GetSecrets returns all secrets as a map. If the new [secrets] section is used,
+// returns that map. Otherwise, wraps the single Secret as {"default": Secret}.
+func (c *Config) GetSecrets() map[string]mtglib.Secret {
+	if len(c.Secrets) > 0 {
+		return c.Secrets
+	}
+
+	return map[string]mtglib.Secret{"default": c.Secret}
+}
+
 func (c *Config) String() string {
 	buf := &bytes.Buffer{}
 	encoder := json.NewEncoder(buf)

internal/config/parse.go

 type tomlConfig struct {
 	Debug                       bool   `toml:"debug" json:"debug,omitempty"`
 	AllowFallbackOnUnknownDC    bool   `toml:"allow-fallback-on-unknown-dc" json:"allowFallbackOnUnknownDc,omitempty"`
-	Secret                      string `toml:"secret" json:"secret"`
-	BindTo                      string `toml:"bind-to" json:"bindTo"`
+	Secret                      string            `toml:"secret" json:"secret,omitempty"`
+	Secrets                     map[string]string `toml:"secrets" json:"secrets,omitempty"`
+	BindTo                      string            `toml:"bind-to" json:"bindTo"`
 	ProxyProtocolListener       bool   `toml:"proxy-protocol-listener" json:"proxyProtocolListener"`
 	PreferIP                    string `toml:"prefer-ip" json:"preferIp,omitempty"`
 	AutoUpdate                  bool   `toml:"auto-update" json:"autoUpdate,omitempty"`
 		DNS     string   `toml:"dns" json:"dns,omitempty"`
 		Proxies []string `toml:"proxies" json:"proxies,omitempty"`
 	} `toml:"network" json:"network,omitempty"`
-	Stats struct {
+	APIBindTo string `toml:"api-bind-to" json:"apiBindTo,omitempty"`
+	Stats     struct {
 		StatsD struct {
 			Enabled      bool   `toml:"enabled" json:"enabled,omitempty"`
 			Address      string `toml:"address" json:"address,omitempty"`

mtglib/counting_conn.go

+package mtglib
+
+import (
+	"github.com/9seconds/mtg/v2/essentials"
+)
+
+// countingConn wraps essentials.Conn and counts bytes through a cached
+// *secretStats pointer. The pointer is resolved once at construction time
+// so Read/Write never need to acquire a lock.
+type countingConn struct {
+	essentials.Conn
+	st *secretStats
+}
+
+func newCountingConn(conn essentials.Conn, stats *ProxyStats, secretName string) *countingConn {
+	return &countingConn{Conn: conn, st: stats.getOrCreate(secretName)}
+}
+
+func (c *countingConn) Read(p []byte) (int, error) {
+	n, err := c.Conn.Read(p)
+	if n > 0 {
+		c.st.bytesIn.Add(int64(n))
+	}
+
+	return n, err
+}
+
+func (c *countingConn) Write(p []byte) (int, error) {
+	n, err := c.Conn.Write(p)
+	if n > 0 {
+		c.st.bytesOut.Add(int64(n))
+	}
+
+	return n, err
+}

mtglib/internal/tls/fake/client_side.go

 	CipherSuite uint16
 }
 
+// ReadClientHelloResult contains the parsed ClientHello and the index of the
+// secret that matched the HMAC validation.
+type ReadClientHelloResult struct {
+	Hello        *ClientHello
+	MatchedIndex int
+}
+
 func ReadClientHello(
 	conn net.Conn,
 	secret []byte,
 	hostname string,
 	tolerateTimeSkewness time.Duration,
 ) (*ClientHello, error) {
+	result, err := ReadClientHelloMulti(conn, [][]byte{secret}, hostname, tolerateTimeSkewness)
+	if err != nil {
+		return nil, err
+	}
+
+	return result.Hello, nil
+}
+
+// ReadClientHelloMulti is like ReadClientHello but accepts multiple secrets.
+// It tries each secret until one validates the HMAC. On success it returns
+// the ClientHello and the index of the matched secret.
+func ReadClientHelloMulti(
+	conn net.Conn,
+	secrets [][]byte,
+	hostname string,
+	tolerateTimeSkewness time.Duration,
+) (*ReadClientHelloResult, error) {
 	if err := conn.SetReadDeadline(time.Now().Add(ClientHelloReadTimeout)); err != nil {
 		return nil, fmt.Errorf("cannot set read deadline: %w", err)
 	}
 	defer conn.SetReadDeadline(resetDeadline) //nolint: errcheck
 
-	// This is how FakeTLS is organized:
-	//  1. We create sha256 HMAC with a given secret
-	//  2. We dump there a whole TLS frame except of the fact that random
-	//     is filled with all zeroes
-	//  3. Digest is computed. This digest should be XORed with
-	//     original client random
-	//  4. New digest should be all 0 except of last 4 bytes
-	//  5. Last 4 bytes are little endian uint32 of UNIX timestamp when
-	//     this message was created.
 	handshakeCopyBuf := &bytes.Buffer{}
 	reader := io.TeeReader(conn, handshakeCopyBuf)
 
 		return nil, fmt.Errorf("cannot find %s in %v", hostname, sniHostnames)
 	}
 
-	digest := hmac.New(sha256.New, secret)
-	// we write a copy of the handshake with client random all nullified.
-	digest.Write(handshakeCopyBuf.Next(RandomOffset))
-	handshakeCopyBuf.Next(RandomLen)
-	digest.Write(emptyRandom[:])
-	digest.Write(handshakeCopyBuf.Bytes())
+	// Save the handshake bytes so we can reuse them for each secret attempt.
+	handshakeBytes := handshakeCopyBuf.Bytes()
 
-	computed := digest.Sum(nil)
+	for idx, secret := range secrets {
+		digest := hmac.New(sha256.New, secret)
 
-	for i := range RandomLen {
-		computed[i] ^= hello.Random[i]
-	}
+		// Write the handshake with client random all nullified.
+		digest.Write(handshakeBytes[:RandomOffset])
+		digest.Write(emptyRandom[:])
+		digest.Write(handshakeBytes[RandomOffset+RandomLen:])
 
-	if subtle.ConstantTimeCompare(emptyRandom[:RandomLen-4], computed[:RandomLen-4]) != 1 {
-		return nil, ErrBadDigest
-	}
+		computed := digest.Sum(nil)
+
+		for i := range RandomLen {
+			computed[i] ^= hello.Random[i]
+		}
+
+		if subtle.ConstantTimeCompare(emptyRandom[:RandomLen-4], computed[:RandomLen-4]) != 1 {
+			continue
+		}
 
-	timestamp := int64(binary.LittleEndian.Uint32(computed[RandomLen-4:]))
-	createdAt := time.Unix(timestamp, 0)
+		timestamp := int64(binary.LittleEndian.Uint32(computed[RandomLen-4:]))
+		createdAt := time.Unix(timestamp, 0)
 
-	if tdiff := time.Since(createdAt).Abs(); tdiff > tolerateTimeSkewness {
-		return nil, fmt.Errorf("timestamp %q is too old %s", createdAt, tdiff)
+		if tdiff := time.Since(createdAt).Abs(); tdiff > tolerateTimeSkewness {
+			continue
+		}
+
+		return &ReadClientHelloResult{
+			Hello:        hello,
+			MatchedIndex: idx,
+		}, nil
 	}
 
-	return hello, nil
+	return nil, ErrBadDigest
 }
 
 func parseTLSHeader(r io.Reader) (io.Reader, error) {

mtglib/internal/tls/fake/client_side_test.go

 import (
 	"bytes"
 	"encoding/binary"
+	"encoding/json"
 	"errors"
 	"io"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
 	t.Parallel()
 	suite.Run(t, &ParseClientHelloSNITestSuite{})
 }
+
+// --- ReadClientHelloMulti tests ---
+
+type ReadClientHelloMultiTestSuite struct {
+	suite.Suite
+
+	secret mtglib.Secret
+}
+
+func (suite *ReadClientHelloMultiTestSuite) SetupSuite() {
+	parsed, err := mtglib.ParseSecret(
+		"ee367a189aee18fa31c190054efd4a8e9573746f726167652e676f6f676c65617069732e636f6d",
+	)
+	require.NoError(suite.T(), err)
+
+	suite.secret = parsed
+}
+
+func (suite *ReadClientHelloMultiTestSuite) loadSnapshot(name string) []byte {
+	data, err := os.ReadFile(filepath.Join("testdata", name))
+	require.NoError(suite.T(), err)
+
+	snapshot := &clientHelloSnapshot{}
+	require.NoError(suite.T(), json.Unmarshal(data, snapshot))
+
+	return snapshot.GetFull()
+}
+
+func (suite *ReadClientHelloMultiTestSuite) makeConn(data []byte) *parseClientHelloConnMock {
+	readBuf := &bytes.Buffer{}
+	readBuf.Write(data)
+
+	connMock := &parseClientHelloConnMock{
+		readBuf: readBuf,
+	}
+
+	connMock.
+		On("SetReadDeadline", mock.AnythingOfType("time.Time")).
+		Twice().
+		Return(nil)
+
+	return connMock
+}
+
+func (suite *ReadClientHelloMultiTestSuite) TestMatchesCorrectSecretAtIndex0() {
+	payload := suite.loadSnapshot("client-hello-ok-19dfe38384b9884b.json")
+	connMock := suite.makeConn(payload)
+	defer connMock.AssertExpectations(suite.T())
+
+	wrongSecret := mtglib.GenerateSecret("storage.googleapis.com")
+
+	result, err := fake.ReadClientHelloMulti(
+		connMock,
+		[][]byte{suite.secret.Key[:], wrongSecret.Key[:]},
+		suite.secret.Host,
+		TolerateTime,
+	)
+	suite.NoError(err)
+	suite.Equal(0, result.MatchedIndex)
+	suite.NotNil(result.Hello)
+}
+
+func (suite *ReadClientHelloMultiTestSuite) TestMatchesCorrectSecretAtIndex1() {
+	payload := suite.loadSnapshot("client-hello-ok-19dfe38384b9884b.json")
+	connMock := suite.makeConn(payload)
+	defer connMock.AssertExpectations(suite.T())
+
+	wrongSecret := mtglib.GenerateSecret("storage.googleapis.com")
+
+	result, err := fake.ReadClientHelloMulti(
+		connMock,
+		[][]byte{wrongSecret.Key[:], suite.secret.Key[:]},
+		suite.secret.Host,
+		TolerateTime,
+	)
+	suite.NoError(err)
+	suite.Equal(1, result.MatchedIndex)
+	suite.NotNil(result.Hello)
+}
+
+func (suite *ReadClientHelloMultiTestSuite) TestMatchesCorrectSecretAtIndex2() {
+	payload := suite.loadSnapshot("client-hello-ok-19dfe38384b9884b.json")
+	connMock := suite.makeConn(payload)
+	defer connMock.AssertExpectations(suite.T())
+
+	wrong1 := mtglib.GenerateSecret("storage.googleapis.com")
+	wrong2 := mtglib.GenerateSecret("storage.googleapis.com")
+
+	result, err := fake.ReadClientHelloMulti(
+		connMock,
+		[][]byte{wrong1.Key[:], wrong2.Key[:], suite.secret.Key[:]},
+		suite.secret.Host,
+		TolerateTime,
+	)
+	suite.NoError(err)
+	suite.Equal(2, result.MatchedIndex)
+	suite.NotNil(result.Hello)
+}
+
+func (suite *ReadClientHelloMultiTestSuite) TestNoMatchReturnsBadDigest() {
+	payload := suite.loadSnapshot("client-hello-ok-19dfe38384b9884b.json")
+	connMock := suite.makeConn(payload)
+	defer connMock.AssertExpectations(suite.T())
+
+	wrong1 := mtglib.GenerateSecret("storage.googleapis.com")
+	wrong2 := mtglib.GenerateSecret("storage.googleapis.com")
+
+	_, err := fake.ReadClientHelloMulti(
+		connMock,
+		[][]byte{wrong1.Key[:], wrong2.Key[:]},
+		suite.secret.Host,
+		TolerateTime,
+	)
+	suite.ErrorIs(err, fake.ErrBadDigest)
+}
+
+func (suite *ReadClientHelloMultiTestSuite) TestBadSnapshotReturnsBadDigest() {
+	payload := suite.loadSnapshot("client-hello-bad-fa2e46cdb33e2a1b.json")
+	connMock := suite.makeConn(payload)
+	defer connMock.AssertExpectations(suite.T())
+
+	_, err := fake.ReadClientHelloMulti(
+		connMock,
+		[][]byte{suite.secret.Key[:]},
+		suite.secret.Host,
+		TolerateTime,
+	)
+	suite.ErrorIs(err, fake.ErrBadDigest)
+}
+
+func TestReadClientHelloMulti(t *testing.T) {
+	t.Parallel()
+	suite.Run(t, &ReadClientHelloMultiTestSuite{})
+}

mtglib/proxy.go

 	"errors"
 	"fmt"
 	"net"
+	"sort"
 	"strconv"
 	"sync"
 	"time"
 	telegram                    *dc.Telegram
 	configUpdater               *dc.PublicConfigUpdater
 	doppelGanger                *doppel.Ganger
-	clientObfuscatror           obfuscation.Obfuscator
 
-	secret          Secret
+	stats       *ProxyStats
+	secrets     []Secret
+	secretNames []string
 	network         Network
 	antiReplayCache AntiReplayCache
 	blocklist       IPBlocklist
 // DomainFrontingAddress returns a host:port pair for a fronting domain.
 // If DomainFrontingIP is set, it is used instead of resolving the hostname.
 func (p *Proxy) DomainFrontingAddress() string {
-	host := p.secret.Host
+	// All secrets share the same host (enforced by validation),
+	// so we use the first one.
+	host := p.secrets[0].Host
 	if p.domainFrontingIP != "" {
 		host = p.domainFrontingIP
 	}
 		return
 	}
 
+	p.stats.OnConnect(ctx.secretName)
+	p.stats.UpdateLastSeen(ctx.secretName)
+
+	defer p.stats.OnDisconnect(ctx.secretName)
+
 	clientConn, err := p.doppelGanger.NewConn(ctx.clientConn)
 	if err != nil {
 		ctx.logger.InfoError("cannot wrap into doppelganger connection", err)
 		return
 	}
 
+	countedClientConn := newCountingConn(ctx.clientConn, p.stats, ctx.secretName)
+
 	relay.Relay(
 		ctx,
 		ctx.logger.Named("relay"),
 		ctx.telegramConn,
-		ctx.clientConn,
+		countedClientConn,
 	)
 }
 
 func (p *Proxy) doFakeTLSHandshake(ctx *streamContext) bool {
 	rewind := newConnRewind(ctx.clientConn)
 
-	clientHello, err := fake.ReadClientHello(
+	// Build a slice of secret keys to try during HMAC validation.
+	secretKeys := make([][]byte, len(p.secrets))
+	for i := range p.secrets {
+		secretKeys[i] = p.secrets[i].Key[:]
+	}
+
+	result, err := fake.ReadClientHelloMulti(
 		rewind,
-		p.secret.Key[:],
-		p.secret.Host,
+		secretKeys,
+		p.secrets[0].Host,
 		p.tolerateTimeSkewness,
 	)
 	if err != nil {
 		return false
 	}
 
-	if p.antiReplayCache.SeenBefore(clientHello.SessionID) {
+	if p.antiReplayCache.SeenBefore(result.Hello.SessionID) {
 		p.logger.Warning("replay attack has been detected!")
 		p.eventStream.Send(p.ctx, NewEventReplayAttack(ctx.streamID))
 		p.doDomainFronting(ctx, rewind)
 		return false
 	}
 
+	matchedSecret := p.secrets[result.MatchedIndex]
+	ctx.matchedSecretKey = matchedSecret.Key[:]
+	ctx.secretName = p.secretNames[result.MatchedIndex]
+	ctx.logger = ctx.logger.BindStr("secret_name", ctx.secretName)
+
 	gangerNoise := p.doppelGanger.NoiseParams()
 	noiseParams := fake.NoiseParams{Mean: gangerNoise.Mean, Jitter: gangerNoise.Jitter}
 
-	if err := fake.SendServerHello(ctx.clientConn, p.secret.Key[:], clientHello, noiseParams); err != nil {
+	if err := fake.SendServerHello(ctx.clientConn, matchedSecret.Key[:], result.Hello, noiseParams); err != nil {
 		p.logger.InfoError("cannot send welcome packet", err)
 		return false
 	}
 }
 
 func (p *Proxy) doObfuscatedHandshake(ctx *streamContext) error {
-	dc, conn, err := p.clientObfuscatror.ReadHandshake(ctx.clientConn)
+	// Use the secret key that was matched during the FakeTLS handshake.
+	obfs := obfuscation.Obfuscator{
+		Secret: ctx.matchedSecretKey,
+	}
+
+	dc, conn, err := obfs.ReadHandshake(ctx.clientConn)
 	if err != nil {
 		return fmt.Errorf("cannot process client handshake: %w", err)
 	}
 	logger := opts.getLogger("proxy")
 	updatersLogger := logger.Named("telegram-updaters")
 
+	secretsMap := opts.getSecrets()
+	secretNames := make([]string, 0, len(secretsMap))
+
+	for name := range secretsMap {
+		secretNames = append(secretNames, name)
+	}
+
+	sort.Strings(secretNames)
+
+	secretsList := make([]Secret, 0, len(secretsMap))
+
+	for _, name := range secretNames {
+		secretsList = append(secretsList, secretsMap[name])
+	}
+
+	stats := NewProxyStats()
+	for _, name := range secretNames {
+		stats.PreRegister(name)
+	}
+
+	if opts.APIBindTo != "" {
+		stats.StartServer(ctx, opts.APIBindTo, logger)
+	}
+
 	proxy := &Proxy{
 		ctx:                      ctx,
 		ctxCancel:                cancel,
-		secret:                   opts.Secret,
+		stats:                    stats,
+		secrets:                  secretsList,
+		secretNames:              secretNames,
 		network:                  opts.Network,
 		antiReplayCache:          opts.AntiReplayCache,
 		blocklist:                opts.IPBlocklist,
 			updatersLogger.Named("public-config"),
 			opts.Network.MakeHTTPClient(nil),
 		),
-		clientObfuscatror: obfuscation.Obfuscator{
-			Secret: opts.Secret.Key[:],
-		},
 		domainFrontingProxyProtocol: opts.DomainFrontingProxyProtocol,
 	}
 

mtglib/proxy_opts.go

 package mtglib
 
-import "time"
+import (
+	"fmt"
+	"time"
+)
 
 // ProxyOpts is a structure with settings to mtg proxy.
 //
 type ProxyOpts struct {
 	// Secret defines a secret which should be used by a proxy.
 	//
-	// This is a mandatory setting.
+	// Deprecated: Use Secrets instead for multi-secret support.
+	// Kept for backward compatibility.
 	Secret Secret
 
+	// Secrets defines a map of named secrets which should be used by a proxy.
+	// If set, Secret is ignored. During FakeTLS handshake, each secret is
+	// tried until one validates.
+	Secrets map[string]Secret
+
 	// Network defines a network instance which should be used for all network
 	// communications made by proxies.
 	//
 	// DoppelGangerDRS defines if TLS Dynamic Record Sizing is active.
 	DoppelGangerDRS bool
 
+	// APIBindTo is the address to bind the stats HTTP API server to.
+	// If empty, the stats API server is not started.
+	//
+	// This is an optional setting.
+	APIBindTo string
 }
 
 func (p ProxyOpts) valid() error {
 		return ErrEventStreamIsNotDefined
 	case p.Logger == nil:
 		return ErrLoggerIsNotDefined
-	case !p.Secret.Valid():
+	}
+
+	secrets := p.getSecrets()
+	if len(secrets) == 0 {
 		return ErrSecretInvalid
 	}
 
+	var host string
+
+	for _, s := range secrets {
+		if !s.Valid() {
+			return ErrSecretInvalid
+		}
+
+		if host == "" {
+			host = s.Host
+		} else if s.Host != host {
+			return fmt.Errorf("all secrets must use the same hostname, got %q and %q", host, s.Host)
+		}
+	}
+
+	return nil
+}
+
+// getSecrets returns the effective secrets map. If Secrets is populated, it is
+// returned directly. Otherwise the single Secret is wrapped in a map.
+func (p ProxyOpts) getSecrets() map[string]Secret {
+	if len(p.Secrets) > 0 {
+		return p.Secrets
+	}
+
+	if p.Secret.Valid() {
+		return map[string]Secret{"default": p.Secret}
+	}
+
 	return nil
 }
 

mtglib/proxy_stats.go

+package mtglib
+
+import (
+	"context"
+	"encoding/json"
+	"net"
+	"net/http"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+type secretStats struct {
+	connections atomic.Int64
+	bytesIn     atomic.Int64
+	bytesOut    atomic.Int64
+	lastSeen    atomic.Value // stores time.Time
+}
+
+// ProxyStats tracks per-secret connection stats with atomic counters.
+// Thread-safe for concurrent access from proxy goroutines.
+type ProxyStats struct {
+	mu        sync.RWMutex
+	users     map[string]*secretStats
+	startedAt time.Time
+}
+
+// NewProxyStats creates a new ProxyStats instance.
+func NewProxyStats() *ProxyStats {
+	return &ProxyStats{
+		users:     make(map[string]*secretStats),
+		startedAt: time.Now(),
+	}
+}
+
+func (s *ProxyStats) getOrCreate(name string) *secretStats {
+	s.mu.RLock()
+	st, ok := s.users[name]
+	s.mu.RUnlock()
+
+	if ok {
+		return st
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if st, ok = s.users[name]; ok {
+		return st
+	}
+
+	st = &secretStats{}
+	st.lastSeen.Store(time.Time{})
+	s.users[name] = st
+
+	return st
+}
+
+// PreRegister adds a secret name to the stats map so it appears in output
+// even if no connections have been made yet.
+func (s *ProxyStats) PreRegister(name string) {
+	s.getOrCreate(name)
+}
+
+// OnConnect increments the active connection count for the given secret.
+func (s *ProxyStats) OnConnect(name string) {
+	s.getOrCreate(name).connections.Add(1)
+}
+
+// OnDisconnect decrements the active connection count for the given secret.
+func (s *ProxyStats) OnDisconnect(name string) {
+	s.getOrCreate(name).connections.Add(-1)
+}
+
+// AddBytesIn adds to the bytes-in counter for the given secret.
+func (s *ProxyStats) AddBytesIn(name string, n int64) {
+	s.getOrCreate(name).bytesIn.Add(n)
+}
+
+// AddBytesOut adds to the bytes-out counter for the given secret.
+func (s *ProxyStats) AddBytesOut(name string, n int64) {
+	s.getOrCreate(name).bytesOut.Add(n)
+}
+
+// UpdateLastSeen sets the last-seen timestamp for the given secret to now.
+func (s *ProxyStats) UpdateLastSeen(name string) {
+	s.getOrCreate(name).lastSeen.Store(time.Now())
+}
+
+// StatsResponse is the JSON response for the stats endpoint.
+type StatsResponse struct {
+	StartedAt        time.Time                `json:"started_at"`
+	UptimeSeconds    int64                    `json:"uptime_seconds"`
+	TotalConnections int64                    `json:"total_connections"`
+	Users            map[string]UserStatsJSON `json:"users"`
+}
+
+// UserStatsJSON is the per-user portion of the stats JSON response.
+type UserStatsJSON struct {
+	Connections int64      `json:"connections"`
+	BytesIn     int64      `json:"bytes_in"`
+	BytesOut    int64      `json:"bytes_out"`
+	LastSeen    *time.Time `json:"last_seen"`
+}
+
+func (s *ProxyStats) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	var totalConns int64
+
+	users := make(map[string]UserStatsJSON, len(s.users))
+
+	for name, st := range s.users {
+		conns := st.connections.Load()
+		totalConns += conns
+
+		lastSeen := st.lastSeen.Load().(time.Time) //nolint: forcetypeassert
+		var lastSeenPtr *time.Time
+		if !lastSeen.IsZero() {
+			lastSeenPtr = &lastSeen
+		}
+
+		users[name] = UserStatsJSON{
+			Connections: conns,
+			BytesIn:     st.bytesIn.Load(),
+			BytesOut:    st.bytesOut.Load(),
+			LastSeen:    lastSeenPtr,
+		}
+	}
+
+	resp := StatsResponse{
+		StartedAt:        s.startedAt,
+		UptimeSeconds:    int64(time.Since(s.startedAt).Seconds()),
+		TotalConnections: totalConns,
+		Users:            users,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := json.NewEncoder(w).Encode(resp); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+}
+
+// StartServer starts an HTTP server for the stats API in a background goroutine.
+// The server is shut down when ctx is cancelled.
+func (s *ProxyStats) StartServer(ctx context.Context, bindTo string, logger Logger) {
+	mux := http.NewServeMux()
+	mux.Handle("/stats", s)
+
+	srv := &http.Server{
+		Addr:    bindTo,
+		Handler: mux,
+	}
+
+	ln, err := net.Listen("tcp", bindTo)
+	if err != nil {
+		logger.WarningError("cannot start stats API listener", err)
+		return
+	}
+
+	go func() {
+		if err := srv.Serve(ln); err != nil && err != http.ErrServerClosed {
+			logger.WarningError("stats API server error", err)
+		}
+	}()
+
+	go func() {
+		<-ctx.Done()
+
+		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second) //nolint: mnd
+		defer cancel()
+
+		srv.Shutdown(shutdownCtx) //nolint: errcheck
+	}()
+
+	logger.BindStr("bind", bindTo).Info("Stats API server started")
+}

mtglib/proxy_stats_test.go

+package mtglib
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewProxyStats(t *testing.T) {
+	t.Parallel()
+
+	stats := NewProxyStats()
+	assert.NotNil(t, stats)
+	assert.NotNil(t, stats.users)
+	assert.False(t, stats.startedAt.IsZero())
+}
+
+func TestPreRegister(t *testing.T) {
+	t.Parallel()
+
+	stats := NewProxyStats()
+	stats.PreRegister("alice")
+	stats.PreRegister("bob")
+
+	stats.mu.RLock()
+	defer stats.mu.RUnlock()
+
+	assert.Contains(t, stats.users, "alice")
+	assert.Contains(t, stats.users, "bob")
+	assert.Equal(t, int64(0), stats.users["alice"].connections.Load())
+}
+
+func TestOnConnectDisconnect(t *testing.T) {
+	t.Parallel()
+
+	stats := NewProxyStats()
+	stats.PreRegister("alice")
+
+	stats.OnConnect("alice")
+	assert.Equal(t, int64(1), stats.users["alice"].connections.Load())
+
+	stats.OnConnect("alice")
+	assert.Equal(t, int64(2), stats.users["alice"].connections.Load())
+
+	stats.OnDisconnect("alice")
+	assert.Equal(t, int64(1), stats.users["alice"].connections.Load())
+
+	stats.OnDisconnect("alice")
+	assert.Equal(t, int64(0), stats.users["alice"].connections.Load())
+}
+
+func TestAddBytes(t *testing.T) {
+	t.Parallel()
+
+	stats := NewProxyStats()
+	stats.PreRegister("alice")
+
+	stats.AddBytesIn("alice", 100)
+	stats.AddBytesIn("alice", 200)
+	stats.AddBytesOut("alice", 50)
+
+	st := stats.users["alice"]
+	assert.Equal(t, int64(300), st.bytesIn.Load())
+	assert.Equal(t, int64(50), st.bytesOut.Load())
+}
+
+func TestUpdateLastSeen(t *testing.T) {
+	t.Parallel()
+
+	stats := NewProxyStats()
+	stats.PreRegister("alice")
+
+	before := time.Now()
+	stats.UpdateLastSeen("alice")
+	after := time.Now()
+
+	lastSeen := stats.users["alice"].lastSeen.Load().(time.Time)
+	assert.False(t, lastSeen.Before(before))
+	assert.False(t, lastSeen.After(after))
+}
+
+func TestGetOrCreateLazy(t *testing.T) {
+	t.Parallel()
+
+	stats := NewProxyStats()
+
+	// getOrCreate should create a new entry on first access.
+	stats.OnConnect("new-user")
+	assert.Equal(t, int64(1), stats.users["new-user"].connections.Load())
+}
+
+func TestServeHTTPBasic(t *testing.T) {
+	t.Parallel()
+
+	stats := NewProxyStats()
+	stats.PreRegister("alice")
+	stats.PreRegister("bob")
+
+	stats.OnConnect("alice")
+	stats.OnConnect("alice")
+	stats.OnConnect("bob")
+	stats.AddBytesIn("alice", 1024)
+	stats.AddBytesOut("alice", 512)
+	stats.UpdateLastSeen("alice")
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/stats", nil)
+
+	stats.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusOK, rec.Code)
+	assert.Equal(t, "application/json", rec.Header().Get("Content-Type"))
+
+	var resp StatsResponse
+	err := json.Unmarshal(rec.Body.Bytes(), &resp)
+	require.NoError(t, err)
+
+	assert.Equal(t, int64(3), resp.TotalConnections)
+	assert.False(t, resp.StartedAt.IsZero())
+	assert.GreaterOrEqual(t, resp.UptimeSeconds, int64(0))
+
+	alice, ok := resp.Users["alice"]
+	require.True(t, ok)
+	assert.Equal(t, int64(2), alice.Connections)
+	assert.Equal(t, int64(1024), alice.BytesIn)
+	assert.Equal(t, int64(512), alice.BytesOut)
+	assert.NotNil(t, alice.LastSeen)
+
+	bob, ok := resp.Users["bob"]
+	require.True(t, ok)
+	assert.Equal(t, int64(1), bob.Connections)
+	assert.Equal(t, int64(0), bob.BytesIn)
+	assert.Equal(t, int64(0), bob.BytesOut)
+	assert.Nil(t, bob.LastSeen)
+}
+
+func TestServeHTTPEmpty(t *testing.T) {
+	t.Parallel()
+
+	stats := NewProxyStats()
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/stats", nil)
+
+	stats.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusOK, rec.Code)
+
+	var resp StatsResponse
+	err := json.Unmarshal(rec.Body.Bytes(), &resp)
+	require.NoError(t, err)
+
+	assert.Empty(t, resp.Users)
+	assert.Equal(t, int64(0), resp.TotalConnections)
+}
+
+func TestServeHTTPLastSeenZeroIsNull(t *testing.T) {
+	t.Parallel()
+
+	stats := NewProxyStats()
+	stats.PreRegister("alice")
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/stats", nil)
+
+	stats.ServeHTTP(rec, req)
+
+	var raw map[string]json.RawMessage
+	require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &raw))
+
+	var users map[string]json.RawMessage
+	require.NoError(t, json.Unmarshal(raw["users"], &users))
+
+	var aliceRaw map[string]json.RawMessage
+	require.NoError(t, json.Unmarshal(users["alice"], &aliceRaw))
+
+	assert.Equal(t, "null", string(aliceRaw["last_seen"]))
+}

mtglib/stream_context.go

 )
 
 type streamContext struct {
-	ctx          context.Context
-	ctxCancel    context.CancelFunc
-	clientConn   essentials.Conn
-	telegramConn essentials.Conn
-	streamID     string
-	dc           int
-	logger       Logger
+	ctx              context.Context
+	ctxCancel        context.CancelFunc
+	clientConn       essentials.Conn
+	telegramConn     essentials.Conn
+	streamID         string
+	dc               int
+	matchedSecretKey []byte
+	secretName       string
+	logger           Logger
 }
 
 func (s *streamContext) Deadline() (time.Time, bool) {