"Secure only" mode

7 лет назад · ac33abbbb1
--- a/README.md
+++ b/README.md
@@ -130,6 +130,11 @@ or
 
				
				 echo dd$(head -c 512 /dev/urandom | md5sum | cut -f 1 -d ' ')
			
 
				
				 ```
			
 
				
				 
			
 
				
				+If you want to enforce the usage of secure mode, please pass `-s` or
			
 
				
				+`--secure-only` flags. In that case, clients which do not use dd-secrets
			
 
				
				+are going to be disconnected from the proxy.
			
 
				
				+
			
 
				
				+
			
 
				
				 ## Environment variables
			
 
				
				 
			
 
				
				 It is possible to configure this tool using environment variables. You
			
@@ -156,6 +161,7 @@ supported environment variables:
 
				
				 | `MTG_STATSD_TAGS`        | `--statsd-tags`        |                                   | Which tags should we send to statsd with our metrics. Please specify them as `key=value` pairs.                                                                                                                                                                            |
			
 
				
				 | `MTG_BUFFER_WRITE`       | `-w`, `--write-buffer` | `65536`                           | The size of TCP write buffer in bytes. Write buffer is the buffer for messages which are going from client to Telegram.                                                                                                                                                    |
			
 
				
				 | `MTG_BUFFER_READ`        | `-r`, `--read-buffer`  | `131072`                          | The size of TCP read buffer in bytes. Read buffer is the buffer for messages from Telegram to client.                                                                                                                                                                      |
			
 
				
				+| `MTG_SECURE_ONLY`        | `-s`, `--secure-only`  | `false`                           | Support only clients with secure mode (i.e only clients with dd-secrets).                                                                                                                                                                                                  |
			
 
				
				 
			
 
				
				 Usually you want to modify only read/write buffer sizes. If you feel
			
 
				
				 that proxy is slow, try to increase both sizes giving more priority to
			
--- a/config/config.go
+++ b/config/config.go
@@ -16,6 +16,7 @@ type Config struct {
 
				
				 	Debug      bool
			
 
				
				 	Verbose    bool
			
 
				
				 	SecureMode bool
			
 
				
				+	SecureOnly bool
			
 
				
				 
			
 
				
				 	ReadBufferSize  int
			
 
				
				 	WriteBufferSize int
			
@@ -116,8 +117,9 @@ func NewConfig(debug, verbose bool, // nolint: gocyclo
 
				
				 	bindPort, publicIPv4Port, publicIPv6Port, statsPort, statsdPort uint16,
			
 
				
				 	statsdIP, statsdNetwork, statsdPrefix, statsdTagsFormat string,
			
 
				
				 	statsdTags map[string]string,
			
 
				
				+	secureOnly bool,
			
 
				
				 	secret, adtag []byte) (*Config, error) {
			
 
				
				-	secureMode := false
			
 
				
				+	secureMode := secureOnly
			
 
				
				 	if bytes.HasPrefix(secret, []byte{0xdd}) && len(secret) == 17 {
			
 
				
				 		secureMode = true
			
 
				
				 		secret = bytes.TrimPrefix(secret, []byte{0xdd})
			
@@ -157,6 +159,7 @@ func NewConfig(debug, verbose bool, // nolint: gocyclo
 
				
				 	conf := &Config{
			
 
				
				 		Debug:           debug,
			
 
				
				 		Verbose:         verbose,
			
 
				
				+		SecureOnly:      secureOnly,
			
 
				
				 		BindIP:          bindIP,
			
 
				
				 		BindPort:        bindPort,
			
 
				
				 		PublicIPv4:      publicIPv4,
			
--- a/main.go
+++ b/main.go
@@ -122,6 +122,11 @@ var (
 
				
				 		Envar("MTG_BUFFER_READ").
			
 
				
				 		Default("131072").
			
 
				
				 		Uint32()
			
 
				
				+	secureOnly = app.Flag("secure-only",
			
 
				
				+		"Support clients with dd-secrets only.").
			
 
				
				+		Short('s').
			
 
				
				+		Envar("MTG_SECURE_ONLY").
			
 
				
				+		Bool()
			
 
				
				 
			
 
				
				 	secret = app.Arg("secret", "Secret of this proxy.").Required().HexBytes()
			
 
				
				 	adtag  = app.Arg("adtag", "ADTag of the proxy.").HexBytes()
			
@@ -146,7 +151,7 @@ func main() { // nolint: gocyclo
 
				
				 		*bindIP, *publicIPv4, *publicIPv6, *statsIP,
			
 
				
				 		*bindPort, *publicIPv4Port, *publicIPv6Port, *statsPort, *statsdPort,
			
 
				
				 		*statsdIP, *statsdNetwork, *statsdPrefix, *statsdTagsFormat,
			
 
				
				-		*statsdTags,
			
 
				
				+		*statsdTags, *secureOnly,
			
 
				
				 		*secret, *adtag,
			
 
				
				 	)
			
 
				
				 	if err != nil {
			
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -65,6 +65,11 @@ func (p *Proxy) accept(conn net.Conn) {
 
				
				 	}
			
 
				
				 	defer clientConn.(io.Closer).Close() // nolint: errcheck
			
 
				
				 
			
 
				
				+	if p.conf.SecureOnly && opts.ConnectionType != mtproto.ConnectionTypeSecure {
			
 
				
				+		log.Errorw("Proxy supports only secure connections", "connection_type", opts.ConnectionType)
			
 
				
				+		return
			
 
				
				+	}
			
 
				
				+
			
 
				
				 	stats.ClientConnected(opts.ConnectionType, clientConn.RemoteAddr())
			
 
				
				 	defer stats.ClientDisconnected(opts.ConnectionType, clientConn.RemoteAddr())