Previously the check returned OK if any resolved address matched either the public IPv4 or IPv6. A matching AAAA could mask a mismatched A record (and vice versa), which is a problem because most client connectivity is still IPv4: a partial match would silently pass the warning while DPI still blocks the proxy. Now each detected IP family must appear in the DNS response; the warning also reports per-family match status so operators can tell which record is wrong.

3 周前 · 491a355a61
--- a/internal/cli/run_proxy.go
+++ b/internal/cli/run_proxy.go
@@ -236,13 +236,23 @@ func warnSNIMismatch(conf *config.Config, ntw mtglib.Network, log mtglib.Logger)
 
				
				 		return
			
 
				
				 	}
			
 
				
				 
			
 
				
				+	v4Match := ourIP4 == nil
			
 
				
				+	v6Match := ourIP6 == nil
			
 
				
				+
			
 
				
				 	for _, addr := range addresses {
			
 
				
				-		if (ourIP4 != nil && addr.IP.String() == ourIP4.String()) ||
			
 
				
				-			(ourIP6 != nil && addr.IP.String() == ourIP6.String()) {
			
 
				
				-			return
			
 
				
				+		if ourIP4 != nil && addr.IP.String() == ourIP4.String() {
			
 
				
				+			v4Match = true
			
 
				
				+		}
			
 
				
				+
			
 
				
				+		if ourIP6 != nil && addr.IP.String() == ourIP6.String() {
			
 
				
				+			v6Match = true
			
 
				
				 		}
			
 
				
				 	}
			
 
				
				 
			
 
				
				+	if v4Match && v6Match {
			
 
				
				+		return
			
 
				
				+	}
			
 
				
				+
			
 
				
				 	resolved := make([]string, 0, len(addresses))
			
 
				
				 	for _, addr := range addresses {
			
 
				
				 		resolved = append(resolved, addr.IP.String())
			
@@ -261,11 +271,20 @@ func warnSNIMismatch(conf *config.Config, ntw mtglib.Network, log mtglib.Logger)
 
				
				 		our += ourIP6.String()
			
 
				
				 	}
			
 
				
				 
			
 
				
				-	log.BindStr("hostname", host).
			
 
				
				+	entry := log.BindStr("hostname", host).
			
 
				
				 		BindStr("resolved", strings.Join(resolved, ", ")).
			
 
				
				-		BindStr("public_ip", our).
			
 
				
				-		Warning("SNI-DNS mismatch: secret hostname does not resolve to this server's public IP. " +
			
 
				
				-			"DPI may detect and block the proxy. See 'mtg doctor' for details")
			
 
				
				+		BindStr("public_ip", our)
			
 
				
				+
			
 
				
				+	if ourIP4 != nil {
			
 
				
				+		entry = entry.BindStr("ipv4_match", fmt.Sprintf("%t", v4Match))
			
 
				
				+	}
			
 
				
				+
			
 
				
				+	if ourIP6 != nil {
			
 
				
				+		entry = entry.BindStr("ipv6_match", fmt.Sprintf("%t", v6Match))
			
 
				
				+	}
			
 
				
				+
			
 
				
				+	entry.Warning("SNI-DNS mismatch: secret hostname does not resolve to this server's public IP. " +
			
 
				
				+		"DPI may detect and block the proxy. See 'mtg doctor' for details")
			
 
				
				 }
			
 
				
				 
			
 
				
				 func runProxy(conf *config.Config, version string) error { //nolint: funlen, cyclop