Validate domain fronting availability

internal/cli/doctor.go

 	"net"
 	"os"
 	"slices"
+	"strconv"
 	"strings"
 	"text/template"
 	"time"
 	tplEDNSSNIMatch = template.Must(
 		template.New("").Parse("  ❌ Hostname {{ .hostname }} {{ if .resolved }}is resolved to {{ .resolved }} addresses, not {{ if .ip4 }}{{ .ip4 }}{{ else }}{{ .ip6 }}{{ end }}{{ else }}cannot be resolved to any host{{ end }}\n"),
 	)
+
+	tplOFrontingDomain = template.Must(
+		template.New("").Parse("  ✅ {{ .address }} is reachable\n"),
+	)
+	tplEFrontingDomain = template.Must(
+		template.New("").Parse("  ❌ {{ .address }}: {{ .error }}\n"),
+	)
 )
 
 type Doctor struct {
 		everythingOK = d.checkNetwork(value) && everythingOK
 	}
 
+	fmt.Println("Validate fronting domain connectivity")
+	everythingOK = d.checkFrontingDomain(base) && everythingOK
+
 	fmt.Println("Validate SNI-DNS match")
 	everythingOK = d.checkSecretHost(resolver, base) && everythingOK
 
 	return err
 }
 
+func (d *Doctor) checkFrontingDomain(ntw mtglib.Network) bool {
+	host := d.conf.Secret.Host
+	if ip := d.conf.GetDomainFrontingIP(nil); ip != "" {
+		host = ip
+	}
+
+	port := d.conf.GetDomainFrontingPort(mtglib.DefaultDomainFrontingPort)
+	address := net.JoinHostPort(host, strconv.Itoa(int(port)))
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	dialer := ntw.NativeDialer()
+
+	conn, err := dialer.DialContext(ctx, "tcp", address)
+	if err != nil {
+		tplEFrontingDomain.Execute(os.Stdout, map[string]any{ //nolint: errcheck
+			"address": address,
+			"error":   err,
+		})
+		return false
+	}
+
+	conn.Close() //nolint: errcheck
+
+	tplOFrontingDomain.Execute(os.Stdout, map[string]any{ //nolint: errcheck
+		"address": address,
+	})
+
+	return true
+}
+
 func (d *Doctor) checkSecretHost(resolver *net.Resolver, ntw mtglib.Network) bool {
 	addresses, err := resolver.LookupIPAddr(context.Background(), d.conf.Secret.Host)
 	if err != nil {