ei

ei synced commits to master at ei/mtg from mirror

  • 8d143d7bde Merge pull request #480 from dolonet/feat/domain-fronting-host config: accept hostname for [domain-fronting] target
  • a7ede7c7ac Deprecate "ip" in favour of "host" for domain fronting
    Per review on #480: warn-and-ignore for the IP-shaped paths, mirroring the net.Dialer.DualStack precedent — a config that sets only "ip" will warn at startup and effectively disable domain-fronting until the user switches to "host".
    - mtglib.ProxyOpts: add DomainFrontingHost; mark DomainFrontingIP Deprecated and warn-and-drop in NewProxy.
    - internal/config: GetDomainFrontingHost returns only [domain-fronting].host; deprecated keys are no longer used to derive the dial target. runProxy logs a startup warning per deprecated key that is set.
    - internal/cli: add --domain-fronting-host; --domain-fronting-ip flag is parsed only so the runtime warning can fire.
    - internal/cli/doctor: redirect the existing 2.3.0 entry at "host" and add a 2.4.0 entry for [domain-fronting].ip.
    - example.config.toml: mark # ip = ... as deprecated.
  • dfc805b67b Clarify why TypeHost rejects ':' (IPv6 already returned above)
  • 908b32afff Address round-two review: rename mtglib privates, reorder, more tests
    - mtglib/proxy.go: rename private field domainFrontingIP -> domainFrontingHost and update DomainFrontingAddress() doc comment to reflect that hostnames are now accepted. The exported mtglib.ProxyOpts.DomainFrontingIP is unchanged (public API), so the assignment in NewProxy now reads `domainFrontingHost: opts.DomainFrontingIP,` which makes the public-vs-internal naming explicitly visible at the boundary.
    - internal/config/{parse,config}.go: reorder so Host comes before IP in the [domain-fronting] struct. Cosmetic, but signals Host is the preferred forward path.
    - Add TestDomainFrontingHostAcceptsLiteralIP + domain_fronting_host_ip.toml fixture exercising the documented "host accepts hostname or literal IP" contract end-to-end.
  • 1960ff236b Address self-review: rename helper, end-to-end TOML tests
    Follow-up to the previous commit on this branch:
    - Rename Config.GetDomainFrontingIP -> GetDomainFrontingHost. The helper now returns a hostname or an IP, so the old name was a lie. Drop the unused defaultValue net.IP parameter (every caller passed nil). Update internal/cli/run_proxy.go and internal/cli/doctor.go; rename the misleading `ip` local var in doctor.go to `override`.
    - Add TOML fixtures (domain_fronting_host.toml, domain_fronting_ip.toml) so the new field is exercised through the actual Parse()->JSON->Config path users hit, not just via direct .Set() calls. Plus a positive backward-compat test confirming an `ip`-only legacy config still validates and resolves correctly, and a no-fronting test confirming the unset case returns empty.
    - Clarify example.config.toml: `ip` is kept for backward compatibility, not because it has stricter validation semantics worth choosing over `host`. mtglib.ProxyOpts.DomainFrontingIP keeps its name (public API).
  • Compare 6 commits »

1 day ago

ei synced commits to master at ei/mtg from mirror

  • 827bbd6900 Merge pull request #485 from dolonet/doctor/parallel-dc doctor: run DC connectivity probes in parallel
  • d6c99c7209 doctor: use WaitGroup.Go and recover panics in DC probes
    Address review feedback on #485:
    - switch to sync.WaitGroup.Go (Go 1.25+) for the per-DC goroutine
    - recover panics inside the goroutine and record them as that DC's error, so a single panicking probe no longer crashes the whole doctor run and the remaining DCs still report their results
  • a9011c0333 doctor: run DC connectivity probes in parallel Each DC dial uses a 10s timeout, and "checkNetwork" iterates 6 DCs sequentially, so worst case is ~60s when egress is broken. Probing in parallel collapses the worst case to a single timeout window while preserving the existing DC-ordered output. Refs #482
  • Compare 3 commits »

2 days ago

ei synced commits to master at ei/mtg from mirror

  • c8cc317b48 Merge pull request #487 from bam80/podman add support for unprivileged podman container
  • 83c0c8acfb Merge pull request #491 from bam80/localhost compose: mtg: add hostname for host access from container
  • b0923a51d2 Merge pull request #488 from dolonet/doctor/skip-native-check-v2 doctor: add --skip-native-check flag
  • 31c31c50c0 Merge pull request #481 from dolonet/docs/link-example-config
  • faaa75612f compose: mtg: add hostname for host access from container Might be needed for local chained proxy setup.
  • Compare 8 commits »

2 days ago

ei synced commits to master at ei/mtg from mirror

  • 250f12c283 Merge pull request #477 from bam80/patch-1 README.md: fix ASCII graphic offset
  • 2d891658bd Merge pull request #483 from dolonet/fix/socks-proxy-resolver Do not use custom DNS resolver to dial proxy upstreams
  • 488ba2b60a Do not use custom DNS resolver to dial proxy upstreams
    Fixes #439.
    When `[network] dns = "tls://..."` (or "https://...") is set, the resulting *net.Resolver gets attached to the base network's NativeDialer and was previously also handed to golang.org/x/net/proxy.FromURL via NewProxyNetwork. As a result, the SOCKS5 client used the user's DoT/DoH resolver to look up the SOCKS server's own hostname (e.g. "xray" inside a docker compose stack). Public DNS-over-TLS resolvers don't know about docker-compose service names, k8s service DNS, /etc/hosts entries, or corporate split-horizon DNS, so the upstream lookup returned NXDOMAIN and the proxy chain broke with a misleading "lookup xray on 127.0.0.11:53: no such host" error.
    The custom DNS resolver exists to bypass DPI poisoning when resolving public censored names like Telegram DCs or the SNI/fronting host. Proxy server addresses are almost always internal and should be resolved via the system resolver instead.
    This change introduces proxyServerDialer, which copies the timeout and fallback-delay from the base dialer but leaves Resolver==nil, and uses it for the SOCKS upstream. The new internal test asserts the structural property directly: the returned dialer must not inherit the base's custom resolver.
  • d6ad17acce README.md: fix ASCII graphic offset
  • Compare 4 commits »

3 days ago

ei synced commits to master at ei/mtg from mirror

  • e5ce720a2d Merge pull request #461 from dolonet/feature/sni-mismatch-warning Warn about SNI/IP mismatch at proxy startup
  • 491a355a61 Require all detected IP families to match in SNI-DNS check Previously the check returned OK if any resolved address matched either the public IPv4 or IPv6. A matching AAAA could mask a mismatched A record (and vice versa), which is a problem because most client connectivity is still IPv4: a partial match would silently pass the warning while DPI still blocks the proxy. Now each detected IP family must appear in the DNS response; the warning also reports per-family match status so operators can tell which record is wrong.
  • 1f8f063ec3 Warn about SNI/IP mismatch at mtg run startup The SNI-DNS validation that exists in 'mtg doctor' is now also run at proxy startup. If the secret hostname does not resolve to the server's public IP, a warning is logged so that operators notice the misconfiguration before DPI silently blocks the proxy. The check is best-effort: if the public IP cannot be detected or the hostname cannot be resolved, a brief warning is emitted and the proxy starts normally. Refs: #444, #458
  • Compare 3 commits »

2 weeks ago

ei synced commits to master at ei/mtg from mirror

  • 9bf7222208 Merge pull request #467 from dolonet/docs/blocklist-lan-gotcha docs: warn about firehol_level1 RFC1918 gotcha in default blocklist
  • 5953f9320c Merge pull request #462 from dolonet/contrib/docker-sni-router Add docker-compose example with HAProxy SNI router
  • 170346bb74 Pass real client IPs through with PROXY protocol v2 Without this, mtg and Caddy see HAProxy's container IP for every connection, which breaks meaningful logging, abuse handling, and any IP-based blocklist logic. HAProxy sends a PROXY protocol v2 header on its TCP backends; mtg enables proxy-protocol-listener, and Caddy wraps :8443 with a proxy_protocol listener before tls. The :80 path (ACME HTTP-01 passthrough) is unchanged — client IP there is not useful and HAProxy's http mode already adds X-Forwarded-For if anyone wants it. Requested in https://github.com/9seconds/mtg/pull/462 review.
  • 68a4685ec6 Fix description of blocklist rejection behavior The previous wording ("silently routed to the fronting domain") is inaccurate. In mtglib/proxy.go the blocklist path calls conn.Close() immediately with no further handshake or fronting; domain fronting only happens on FakeTLS failures for non-blocked IPs. Reword to "TCP connection is closed with no response" so users searching the docs get the same symptom they actually see.
  • 602f85d24d Document firehol_level1 RFC1918 gotcha in blocklist defaults The default [defense.blocklist] uses firehol_level1.netset, which includes bogon networks and therefore all RFC1918 ranges. Clients connecting from a LAN address (e.g. a phone on the home Wi-Fi when mtg runs at home) are silently rejected with "ip was blacklisted" and routed to the fronting domain. This is a recurring source of confusion (see issue #466 for the latest example). Add a warning next to the urls list in example.config.toml and a Troubleshooting section in README.md covering the symptom, the cause, and three resolution paths (disable blocklist, swap for a narrower list, or use hairpin NAT). Docs only, no code changes.
  • Compare 7 commits »

3 weeks ago

ei synced commits to master at ei/mtg from mirror

  • d7249756e2 Merge pull request #459 from dolonet/fix/openbsd-keepalive Fix TCP keepalive setup on OpenBSD
  • 2fa0e5ed94 Fix TCP keepalive setup on OpenBSD
    Fixes #457.
    OpenBSD has no user-settable per-socket TCP keepalive options: TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT do not exist on OpenBSD, keepalive timing is controlled system-wide via the sysctls net.inet.tcp.keepidle and net.inet.tcp.keepintvl. Go reflects this in src/net/tcpsockopt_openbsd.go: setKeepAliveIdle / Interval / Count return ENOPROTOOPT for any non-negative value, and only short-circuit to nil for negative values that explicitly mean "leave alone".
    mtg builds a net.KeepAliveConfig with zero-valued Idle / Interval / Count whenever the user does not override them in the config (which is the default and the documented expectation). It then hands that config to (*TCPConn).SetKeepAliveConfig in two places:
    - network/sockopts.go: applied to every connection accepted by internal/utils.Listener.Accept and to every server-side dial that goes through the v1 default network.
    - network/v2/sockopts.go: applied to every connection produced by the v2 network's DialContext.
    On OpenBSD both calls fail with "set tcp ...: protocol not available". The user-visible effect is that:
    - `mtg doctor` reports the error for every Telegram DC.
    - `mtg run` accepts incoming TCP connections at the kernel level but Listener.Accept then closes each one before the proxy server ever sees it, so the client appears to hang on a half-open socket and nothing is logged.
    - There is no configuration workaround. Setting [network] keep-alive.disabled = true only zeroes Enable; Go still calls setKeepAliveIdle / Interval / Count, which still fail.
    This change extracts the keepalive setup behind an applyKeepAlive helper that has a per-platform implementation, following the same build-tag pattern already used for sockopts_lowat, sockopts_congestion, sockopts_reuseaddr and sockopts_usertimeout. On every supported platform except OpenBSD it still calls SetKeepAliveConfig and the behaviour is unchanged. On OpenBSD it calls SetKeepAlive(cfg.Enable) instead, which only flips SO_KEEPALIVE on or off and never touches the missing per-socket options. OpenBSD users get the system-wide sysctl-controlled keepalive timing, which is the only thing the kernel exposes anyway.
    Verified by cross-building (`GOOS=openbsd GOARCH=amd64 go build ./...` and `GOARCH=arm64`) and by running `go test ./network/...` on linux.
  • Compare 2 commits »

3 weeks ago

ei synced new reference v2.2.8 to ei/mtg from mirror

4 weeks ago

ei synced commits to master at ei/mtg from mirror

  • fb94d4a78b Update dependencies
  • b5799500e4 Merge pull request #454 from 9seconds/tcp-notsent-lowat Add TCP_NOTSENT_LOWAT setting
  • 437dacfaab Refactor socksopts per functionality, not per build flag
  • 0de8b28de8 Add TCP_NOTSENT_LOWAT setting
  • 2f62e8055d Merge pull request #453 from 9seconds/tcp-user-timeout Add TCP_USER_TIMEOUT support
  • Compare 10 commits »

4 weeks ago

ei synced commits to master at ei/mtg from mirror

  • 45f958e527 Merge pull request #441 from appolimp/tcp-keepalive-idle-timeout Improve TCP keepalive and idle timeout for mobile clients
  • 5f81ae3743 Improve TCP keepalive and idle timeout for mobile clients
    TCP keepalive was configured (SetKeepAlivePeriod) but never actually enabled (SO_KEEPALIVE) on accepted client connections. Go 1.26's SetKeepAlivePeriod only sets TCP_KEEPIDLE — it does not call setsockopt(SO_KEEPALIVE, 1). Without SO_KEEPALIVE the kernel never sends probe packets, so dead connections from sleeping mobile clients linger until the idle timeout fires.
    Replace SetKeepAlive + SetKeepAlivePeriod with net.KeepAliveConfig (available since Go 1.24) for explicit per-socket control:
    - Idle: 30s (time before first probe)
    - Interval: 10s (between probes)
    - Count: 3 (failed probes to declare dead)
    This detects dead connections in ~60s instead of relying on system defaults (tcp_keepalive_intvl=75s, probes=9 → up to 11 minutes).
    Increase the default idle timeout from 1 minute to 5 minutes. MTProto clients send ping_delay_disconnect every ~60s, which resets the idle timer. The previous 1-minute default created a race: if a ping arrived even 1–2 seconds late the relay was killed. A 5-minute window also survives typical mobile sleep periods (phone idle 2–5 min) where the NAT mapping is still alive and the connection can resume without reconnection.
    Ref: #132
  • Compare 2 commits »

1 month ago

ei synced new reference v2.2.7 to ei/mtg from mirror

1 month ago

ei synced commits to v2 at ei/mtg from mirror

1 month ago

ei synced commits to stable at ei/mtg from mirror

  • 2544c521ed Merge remote-tracking branch 'origin/master' into stable
  • 3a68ea5f2d Update goreleaser
  • dbced77566 Merge pull request #433 from 9seconds/refactor-tls-fragmentation Refactor TLS fragmenting
  • f4f969e702 Refactor TLS fragmenting
  • e8368f7645 Merge pull request #431 from appolimp/tls-record-reassembly-pr Support fragmented TLS handshake records
  • Compare 16 commits »

1 month ago

ei synced commits to master at ei/mtg from mirror

1 month ago

ei created repository ei/mtg

1 month ago

ei created repository ei/nginx-upload-progress-module

2 months ago

ei created repository ei/rc-model

6 months ago

ei pushed to master at ei/finfollow

  • 8158dd9e4a moved securities map from class constant to .env

1 year ago

ei pushed to master at ei/finfollow

  • 061ebfa2ca joined quantity columns into one and show math. rest if quantities differ

1 year ago

ei pushed to master at ei/finfollow

  • dbee95941c added column percentage of securities (by sum) in the portfolio

1 year ago