Commit Graph

198 Commits

Author SHA1 Message Date
Alexander Bersenev 4a1bf1ec6a print warning about default settings on stderr 2019-08-19 04:59:05 +05:00
Alexander Bersenev 854aaa1f24 add flush on print 2019-08-19 04:57:48 +05:00
Alexander Bersenev 5b0ad45cb9 cosmetic fix 2019-08-19 04:56:37 +05:00
Alexander Bersenev 26e00a7409 give some advice about non-secure settings on startup 2019-08-19 04:55:09 +05:00
Alexander Bersenev ac6d20a897 redesign exception handling logic in handle_bad_client 2019-08-19 04:13:50 +05:00
Alexander Bersenev 06ed40c815 handle unknown ip situation, for example for unix-sockets 2019-08-19 03:44:08 +05:00
Alexander Bersenev 1938c7d3bb change comment 2019-08-19 03:33:04 +05:00
Alexander Bersenev 01fd1a34c2 be more clear about proxy protocol usage 2019-08-19 03:31:10 +05:00
Alexander Bersenev 1a0977b10e handle the connection resets 2019-08-19 00:25:54 +05:00
Alexander Bersenev 9dc8521c18 copy the way the mask server closes the tcp connection to the client 2019-08-18 21:59:33 +05:00
Alexander Bersenev 4169e6acab move the import to the top of the file 2019-08-17 15:20:05 +05:00
Vladislav Grishenko 121a8974de add unix socket support (#127)
Config option LISTEN_UNIX_SOCK = "/path/to/socket.file" allows listening
on the specified unix socket in addition to (or instead of) configured ip
addresses. Listening on a socket can be useful for connections from a local
reverse proxy w/o wasting tcp ports and network subsystem resources just
for inter-process communication.
Default value is empty - socket not used.
2019-08-17 15:11:49 +05:00
Alexander Bersenev fdf5efe3d2 change max tls record size to make it look like it complies with https://tools.ietf.org/html/rfc8446#section-5.2 instead of section 5.1 2019-08-17 14:42:49 +05:00
Alexander Bersenev 015d0a2012 be more tolerant to time skewing. This should cover 90% of cases 2019-08-17 13:21:57 +05:00
Alexander Bersenev dcad0bd51b if the client time is skewed, just print a message for a while. Additional analysis needed 2019-08-17 04:48:17 +05:00
Alexander Bersenev da9e51ed03 better error texts 2019-08-17 02:07:17 +05:00
Alexander Bersenev 59306e6e67 take cert length from the masked host 2019-08-16 20:25:23 +05:00
Alexander Bersenev 7502d1dc31 add one more message about the client time skew 2019-08-16 18:11:50 +05:00
Alexander Bersenev 9df42cda79 time based protection against replay attack 2019-08-16 18:01:20 +05:00
Alexander Bersenev a65f7a8e17 add one more nonce in the reserved nonces list 2019-08-16 16:45:22 +05:00
Alexander Bersenev 8a4bc77125 make default client handshake timeout random 2019-08-16 16:23:14 +05:00
Alexander Bersenev 294cb65738 rename the function from pseudo tls to the fake tls to make the terminology consistent 2019-08-16 16:15:09 +05:00
Alexander Bersenev 559c577df1 early break if the protocol is not tls 2019-08-16 15:17:07 +05:00
Alexander Bersenev ccc8c3fb14 read initial tls header byte by byte 2019-08-16 15:07:27 +05:00
Alexander Bersenev e061cd81c4 optimize reading a handshake by detecting tls early 2019-08-15 18:26:56 +05:00
Alexander Bersenev 7527d402d6 mimic tls 1.3 instead of tls 1.2 to bypass the unencrypted certificates problem 2019-08-15 16:23:44 +05:00
Vladislav Grishenko f51a4bfe34 Add proxy protocol v1/v2 support (#119)
* add proxy protocol v1/v2 support

With fake-tls enabled, it was still quite hard to use mtprotoproxy
as a backend behind some reverse https/tls proxy (nginx, haproxy, etc)
because it still needs client address & port info.
With nginx already configured to use stream proxy with proxy protocol,
it was impossible to connect due to the additional proxy header transmission
before the real handshake.
Adding general support of proxy protocol fixed both issues.

New config option PROXY_PROTOCOL = True enables transparent support,
unproxied incoming connections will still be accepted.
Since the reverse proxy needs to be trusted, the option is disabled by default.

References:
* https://www.haproxy.com/blog/haproxy/proxy-protocol/
* http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

* slightly optimize proxy v1 error path

* rework proxy handler

* deny direct connections with enabled PROXY_PROTOCOL per spec
* simplify proxy header checking
* use textual form of proxy v1 header
* drop useless find() call

* fix client address logging
2019-08-14 23:03:01 +05:00
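Added example, not code from mtprotoproxy or from this commit: a PROXY protocol v1/v2 header parser in Python (the language the project is written in) that shows the behaviour the commit message above describes. The header is consumed before the real handshake bytes, the client address it announces replaces the socket's own peer (which is the reverse proxy), and, per the spec, a connection that reaches a PROXY_PROTOCOL listener without a header is dropped. The function names, the ProxyHeader type, and the sample headers and addresses (documentation ranges) are constructed here and are not the project's; the parser also assumes the caller has already buffered the complete header (v1: through the CRLF; v2: 16 bytes plus the announced length).

```python
import ipaddress
import struct
from typing import NamedTuple, Optional, Tuple

PP1_PREFIX = b"PROXY "
PP1_MAX_LEN = 107                       # whole v1 line including the CRLF, per spec
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x0, 0x1
PP2_AF_INET, PP2_AF_INET6 = 0x1, 0x2
PP2_ADDR_LEN = {PP2_AF_INET: 4 + 4 + 2 + 2, PP2_AF_INET6: 16 + 16 + 2 + 2}


class ProxyHeaderError(ValueError):
    """Missing or malformed PROXY header: per spec the connection is dropped."""


class ProxyHeader(NamedTuple):          # hypothetical type, not from the project
    version: int
    src: Optional[Tuple[str, int]]      # None: no usable address, keep the socket's own peer
    consumed: int                       # header bytes to strip before the real handshake


def parse_proxy_v1(buf: bytes) -> ProxyHeader:
    """Text form: 'PROXY TCP4|TCP6 src dst sport dport\\r\\n' or 'PROXY UNKNOWN ...\\r\\n'."""
    end = buf.find(b"\r\n", 0, PP1_MAX_LEN)
    if end < 0:
        raise ProxyHeaderError("v1 line unterminated or longer than 107 bytes")
    fields = buf[:end].decode("ascii").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("bad v1 magic")
    if fields[1] == "UNKNOWN":          # sender cannot tell; spec says ignore the rest of the line
        return ProxyHeader(1, None, end + 2)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("bad v1 protocol or field count")
    want = 4 if fields[1] == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family does not match TCP4/TCP6")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return ProxyHeader(1, (str(src_ip), sport), end + 2)


def parse_proxy_v2(buf: bytes) -> ProxyHeader:
    """Binary form: 12-byte signature, ver/cmd, family/proto, u16 length, addresses (+TLVs)."""
    if len(buf) < 16 or not buf.startswith(PP2_SIGNATURE):
        raise ProxyHeaderError("short v2 header or bad signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("not PROXY protocol v2")
    consumed = 16 + length              # TLVs inside `length` are skipped, not parsed
    if len(buf) < consumed:
        raise ProxyHeaderError("truncated v2 header body")
    cmd, fam = ver_cmd & 0x0F, fam_proto >> 4
    if cmd == PP2_CMD_LOCAL:            # proxy's own traffic (health checks): keep socket peer
        return ProxyHeader(2, None, consumed)
    if cmd != PP2_CMD_PROXY:
        raise ProxyHeaderError("unknown v2 command")
    if fam not in PP2_ADDR_LEN:         # AF_UNSPEC / AF_UNIX: no IP to report
        return ProxyHeader(2, None, consumed)
    if length < PP2_ADDR_LEN[fam]:
        raise ProxyHeaderError("v2 address block too short for its family")
    if fam == PP2_AF_INET:              # layout: src addr, dst addr, src port, dst port
        src_ip, sport = ipaddress.IPv4Address(buf[16:20]), struct.unpack("!H", buf[24:26])[0]
    else:
        src_ip, sport = ipaddress.IPv6Address(buf[16:32]), struct.unpack("!H", buf[48:50])[0]
    return ProxyHeader(2, (str(src_ip), sport), consumed)


def accept_connection(initial: bytes, peer: Tuple[str, int], proxy_protocol: bool):
    """Return (client_addr, client_port, handshake_bytes) or raise ProxyHeaderError.
    `initial` must already hold the whole header; `peer` is the socket's own peer."""
    if not proxy_protocol:
        return peer[0], peer[1], initial
    try:
        if initial.startswith(PP2_SIGNATURE):
            hdr = parse_proxy_v2(initial)
        elif initial.startswith(PP1_PREFIX):
            hdr = parse_proxy_v1(initial)
        else:   # a PROXY_PROTOCOL listener must not serve clients that skip the header
            raise ProxyHeaderError("direct connection on a PROXY_PROTOCOL listener")
    except ValueError as exc:           # also covers ipaddress/int/decode failures
        raise ProxyHeaderError(str(exc)) from None
    addr, port = hdr.src if hdr.src is not None else peer
    return addr, port, initial[hdr.consumed:]


def is_dropped(initial: bytes, peer: Tuple[str, int], proxy_protocol: bool) -> bool:
    """True when the listener would close the connection instead of serving it."""
    try:
        accept_connection(initial, peer, proxy_protocol)
    except ProxyHeaderError:
        return True
    return False


# Constructed sample input: documentation addresses, and the first bytes of a TLS record
# (0x16 0x03 0x01) standing in for the fake-TLS ClientHello that follows the header.
FAKE_TLS_HELLO = b"\x16\x03\x01\x02\x00\x01"
PROXY_PEER, DIRECT_PEER = ("127.0.0.1", 40000), ("198.51.100.9", 5555)
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 198.51.100.2 51234 443\r\n" + FAKE_TLS_HELLO
SAMPLE_V2 = (PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.IPv4Address("203.0.113.7").packed
             + ipaddress.IPv4Address("198.51.100.2").packed
             + struct.pack("!HH", 51234, 443) + FAKE_TLS_HELLO)
```

The header carries no authentication, so anything that can reach the listener can claim an arbitrary client address; that is why the commit leaves the option off by default and why a PROXY_PROTOCOL listener should be reachable only from the trusted proxy, for example through LISTEN_UNIX_SOCK or a firewalled port. With proxy_protocol=False, accept_connection returns the socket peer and passes the bytes through untouched.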
Alexander Bersenev d9fa5b222a remove unused variable 2019-08-14 04:07:36 +05:00
Alexander Bersenev 91ec36653e add slots to classes, thanks to MrMrRobat 2019-08-14 03:59:44 +05:00
Allineer e43ae99911 Fix default port in the main script.
The port differed between the main script and the config file. It's changed to 3256.
2019-08-13 16:42:14 +05:00
Alexander Bersenev ab52521a25 change the tls links to hex encoding until base64 is fixed 2019-08-13 16:26:38 +05:00
Alexander Bersenev 53184470e9 fixed cached readings in fake tls 2019-08-13 15:23:47 +05:00
Alexander Bersenev 48330f1e8a shrunk max tls record size according to https://tools.ietf.org/html/rfc8446#section-5.1 2019-08-13 03:31:49 +05:00
Alexander Bersenev 4e2cb87685 change the comment 2019-08-13 02:52:41 +05:00
Alexander Bersenev a030ae2978 redirect bad clients to some host 2019-08-13 02:06:17 +05:00
Alexander Bersenev 3d8961316e use urlsafe version of base64 encoder 2019-08-11 21:28:55 +05:00
Alexander Bersenev d7c163c0dc add tls only mode 2019-08-11 21:22:10 +05:00
Alexander Bersenev 80062c95bc print proxy addresses and logins on reload 2019-07-26 14:51:41 +05:00
Alexander Bersenev c1fdc4c0a3 move setting instant rst into a function 2019-07-25 02:09:10 +05:00
Alexander Bersenev f5d41e9aa7 close tcp connection with rst when tls failed 2019-07-25 02:05:04 +05:00
Alexander Bersenev 4e754a75bd add an experimental note for the new proto 2019-07-24 03:16:03 +05:00
Alexander Bersenev 1a934f992d add fake-tls mode 2019-07-24 03:03:36 +05:00
Alexander Bersenev c543bc1c3d launch script explicitly using python 2019-07-23 18:01:44 +05:00
Alexander Bersenev 96ba65aba0 add one more reserved string in the nonce beginnings 2019-07-23 10:26:58 +05:00
Alexander Bersenev 985e3eb546 add user data quotas 2019-07-22 21:34:09 +05:00
Alexander Bersenev 129f5cc981 use global var to enable direct connect 2019-07-22 18:55:27 +05:00
Alexander Bersenev 6fb022284e check if ipv6 is available every time before using it 2019-07-22 18:24:03 +05:00
Alexander Bersenev 4691917c34 optimize docker containers for reloading 2019-07-22 17:21:43 +05:00
Alexander Bersenev 7d11ff07bd cancel all tasks on exit 2019-07-19 15:58:54 +05:00
Alexander Bersenev 1c875e3d31 do not listen if listen addr is zero 2019-07-19 15:46:34 +05:00