Accept hostname for [domain-fronting] target

The existing `[domain-fronting].ip` only accepts a literal IP. That
forces SNI-router setups to pin a static container address (and a
static docker subnet) so mtg can dial the fronting backend directly
instead of resolving the secret's hostname via DNS, which would loop
back into mtg through the SNI router.

Add a sibling `[domain-fronting].host` that accepts either a hostname
or an IP. Hostnames are resolved at dial time by the native dialer
(Happy Eyeballs / dual-stack), so a docker-DNS or any A+AAAA record
naturally picks the right backend address family per client. Setting
both `host` and `ip` is rejected at validation.

The mtglib API stays backward compatible: ProxyOpts.DomainFrontingIP
is still a plain string and the dial path already calls JoinHostPort +
DialContext, both of which accept hostnames. Only the doc comment was
clarified.

example.config.toml

@@ -112,11 +112,19 @@ allow-fallback-on-unknown-dc = false
 # required.
 [domain-fronting]
 # By default, mtg resolves the fronting hostname (from the secret) via DNS
-# to establish a TCP connection. If DNS resolution of that hostname is blocked,
-# you can specify an IP address to connect to directly. The hostname is still
-# used for SNI in the TLS handshake.
+# to establish a TCP connection. If that resolution is blocked, or loops
+# back to this server (e.g. mtg sits behind an SNI router whose DNS points
+# at itself), override the destination here.
 #
-# default value is not set (DNS resolution is used).
+# Use `host` for a hostname (resolved at dial time, so a dual-stack DNS
+# record can reach the right backend address family for IPv4 or IPv6
+# clients) or for a literal IP. Use `ip` if you specifically need a
+# literal IP and want strict IP validation. Setting both is an error.
+#
+# The hostname from the secret is still used for SNI in the TLS handshake.
+#
+# default value is not set (the secret's hostname is used).
+# host = "fronting-backend"
 # ip = "10.10.10.11"
 
 # FakeTLS uses domain fronting protection. So it needs to know a port to

internal/config/config.go

@@ -39,6 +39,7 @@ type Config struct {
 	PublicIPv6                  TypeIP          `json:"publicIpv6"`
 	DomainFronting              struct {
 		IP            TypeIP   `json:"ip"`
+		Host          TypeHost `json:"host"`
 		Port          TypePort `json:"port"`
 		ProxyProtocol TypeBool `json:"proxyProtocol"`
 	} `json:"domainFronting"`
@@ -118,6 +119,9 @@ func (c *Config) GetDomainFrontingPort(defaultValue uint) uint {
 }
 
 func (c *Config) GetDomainFrontingIP(defaultValue net.IP) string {
+	if host := c.DomainFronting.Host.Get(""); host != "" {
+		return host
+	}
 	if ip := c.DomainFronting.IP.Get(nil); ip != nil {
 		return ip.String()
 	}
@@ -140,6 +144,10 @@ func (c *Config) Validate() error {
 		return fmt.Errorf("incorrect bind-to parameter %s", c.BindTo.String())
 	}
 
+	if c.DomainFronting.Host.Get("") != "" && c.DomainFronting.IP.Get(nil) != nil {
+		return fmt.Errorf("[domain-fronting] host and ip are mutually exclusive; pick one")
+	}
+
 	return nil
 }
 

internal/config/config_test.go

@@ -74,6 +74,17 @@ func (suite *ConfigTestSuite) TestString() {
 	suite.NotEmpty(conf.String())
 }
 
+func (suite *ConfigTestSuite) TestDomainFrontingHostOrIP() {
+	conf, err := config.Parse(suite.ReadConfig("minimal.toml"))
+	suite.NoError(err)
+
+	suite.NoError(conf.DomainFronting.Host.Set("fronting-backend"))
+	suite.NoError(conf.DomainFronting.IP.Set("10.0.0.10"))
+	suite.Error(conf.Validate())
+
+	suite.Equal("fronting-backend", conf.GetDomainFrontingIP(nil))
+}
+
 func TestConfig(t *testing.T) {
 	t.Parallel()
 	suite.Run(t, &ConfigTestSuite{})

internal/config/parse.go

@@ -25,6 +25,7 @@ type tomlConfig struct {
 	PublicIPv6                  string `toml:"public-ipv6" json:"publicIpv6,omitempty"`
 	DomainFronting              struct {
 		IP            string `toml:"ip" json:"ip,omitempty"`
+		Host          string `toml:"host" json:"host,omitempty"`
 		Port          uint   `toml:"port" json:"port,omitempty"`
 		ProxyProtocol bool   `toml:"proxy-protocol" json:"proxyProtocol,omitempty"`
 	} `toml:"domain-fronting" json:"domainFronting,omitempty"`

internal/config/type_host.go

@@ -0,0 +1,58 @@
+package config
+
+import (
+	"fmt"
+	"net"
+	"strings"
+)
+
+// TypeHost is a non-empty string that is either a literal IP address
+// (IPv4 or IPv6) or a hostname suitable for DNS resolution. It does not
+// include a port — the port belongs in a separate field.
+type TypeHost struct {
+	Value string
+}
+
+func (t *TypeHost) Set(value string) error {
+	if value == "" {
+		return fmt.Errorf("host cannot be empty")
+	}
+
+	if net.ParseIP(value) != nil {
+		t.Value = value
+
+		return nil
+	}
+
+	if strings.ContainsAny(value, " \t\n/?#") {
+		return fmt.Errorf("incorrect host %q", value)
+	}
+
+	if strings.Contains(value, ":") {
+		return fmt.Errorf("host must not contain a port: %q", value)
+	}
+
+	t.Value = value
+
+	return nil
+}
+
+func (t TypeHost) Get(defaultValue string) string {
+	if t.Value == "" {
+		return defaultValue
+	}
+
+	return t.Value
+}
+
+func (t *TypeHost) UnmarshalText(data []byte) error {
+	return t.Set(string(data))
+}
+
+func (t TypeHost) MarshalText() ([]byte, error) {
+	return []byte(t.Value), nil
+}
+
+func (t TypeHost) String() string {
+	return t.Value
+}

internal/config/type_host_test.go

@@ -0,0 +1,77 @@
+package config_test
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/9seconds/mtg/v2/internal/config"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+)
+
+type typeHostTestStruct struct {
+	Value config.TypeHost `json:"value"`
+}
+
+type TypeHostTestSuite struct {
+	suite.Suite
+}
+
+func (suite *TypeHostTestSuite) TestUnmarshalFail() {
+	testData := []string{
+		"",
+		"web:8443",
+		"http://example.com",
+		"example.com/path",
+		"two words",
+	}
+
+	for _, v := range testData {
+		data, err := json.Marshal(map[string]string{
+			"value": v,
+		})
+		suite.NoError(err)
+
+		suite.T().Run(v, func(t *testing.T) {
+			assert.Error(t, json.Unmarshal(data, &typeHostTestStruct{}))
+		})
+	}
+}
+
+func (suite *TypeHostTestSuite) TestUnmarshalOk() {
+	testData := []string{
+		"example.com",
+		"web",
+		"sub.example.com",
+		"127.0.0.1",
+		"2001:db8::1",
+	}
+
+	for _, v := range testData {
+		value := v
+
+		data, err := json.Marshal(map[string]string{
+			"value": value,
+		})
+		suite.NoError(err)
+
+		suite.T().Run(value, func(t *testing.T) {
+			testStruct := &typeHostTestStruct{}
+			assert.NoError(t, json.Unmarshal(data, testStruct))
+			assert.Equal(t, value, testStruct.Value.Get(""))
+		})
+	}
+}
+
+func (suite *TypeHostTestSuite) TestGet() {
+	value := config.TypeHost{}
+	suite.Equal("default", value.Get("default"))
+
+	suite.NoError(value.Set("example.com"))
+	suite.Equal("example.com", value.Get("default"))
+}
+
+func TestTypeHost(t *testing.T) {
+	t.Parallel()
+	suite.Run(t, &TypeHostTestSuite{})
+}

mtglib/proxy_opts.go

@@ -105,11 +105,14 @@ type ProxyOpts struct {
 	// This is an optional setting.
 	DomainFrontingPort uint
 
-	// DomainFrontingIP is an IP address to use when connecting to the fronting
-	// domain instead of resolving the hostname from the secret via DNS.
-	//
-	// This is useful when DNS resolution of the fronting host is blocked.
-	// The hostname from the secret is still used for SNI in the TLS handshake.
+	// DomainFrontingIP is the address to use when connecting to the fronting
+	// domain instead of resolving the hostname from the secret via DNS. It
+	// can be a literal IP or a hostname; hostnames are resolved at dial time
+	// via the native dialer (which honours dual-stack and Happy Eyeballs).
+	//
+	// This is useful when DNS resolution of the secret's hostname is blocked
+	// or loops back to this server. The hostname from the secret is still
+	// used for SNI in the TLS handshake.
 	//
 	// This is an optional setting.
 	DomainFrontingIP string