Add new secure-only mode

config/config.go

 	Debug      bool
 	Verbose    bool
 	SecureMode bool
+	SecureOnly bool
 
 	ReadBufferSize  int
 	WriteBufferSize int
 	bindPort, publicIPv4Port, publicIPv6Port, statsPort, statsdPort uint16,
 	statsdIP, statsdNetwork, statsdPrefix, statsdTagsFormat string,
 	statsdTags map[string]string,
+	secureOnly bool,
 	secret, adtag []byte) (*Config, error) {
-	secureMode := false
+	secureMode := secureOnly
 	if bytes.HasPrefix(secret, []byte{0xdd}) && len(secret) == 17 {
 		secureMode = true
 		secret = bytes.TrimPrefix(secret, []byte{0xdd})
 	conf := &Config{
 		Debug:           debug,
 		Verbose:         verbose,
+		SecureOnly:      secureOnly,
 		BindIP:          bindIP,
 		BindPort:        bindPort,
 		PublicIPv4:      publicIPv4,

main.go

 		Envar("MTG_BUFFER_READ").
 		Default("131072").
 		Uint32()
+	secureOnly = app.Flag("secure-only",
+		"Support clients with dd-secrets only.").
+		Short('s').
+		Envar("MTG_SECURE_ONLY").
+		Bool()
 
 	secret = app.Arg("secret", "Secret of this proxy.").Required().HexBytes()
 	adtag  = app.Arg("adtag", "ADTag of the proxy.").HexBytes()
 		*bindIP, *publicIPv4, *publicIPv6, *statsIP,
 		*bindPort, *publicIPv4Port, *publicIPv6Port, *statsPort, *statsdPort,
 		*statsdIP, *statsdNetwork, *statsdPrefix, *statsdTagsFormat,
-		*statsdTags,
+		*statsdTags, *secureOnly,
 		*secret, *adtag,
 	)
 	if err != nil {

proxy/proxy.go

 	}
 	defer clientConn.(io.Closer).Close() // nolint: errcheck
 
+	if p.conf.SecureOnly && opts.ConnectionType != mtproto.ConnectionTypeSecure {
+		log.Errorw("Proxy supports only secure connections", "connection_type", opts.ConnectionType)
+		return
+	}
+
 	stats.ClientConnected(opts.ConnectionType, clientConn.RemoteAddr())
 	defer stats.ClientDisconnected(opts.ConnectionType, clientConn.RemoteAddr())