Merge remote-tracking branch 'origin/master' into stable

README.md

@@ -130,6 +130,11 @@ or
 echo dd$(head -c 512 /dev/urandom | md5sum | cut -f 1 -d ' ')
 ```
 
+If you want to enforce the usage of secure mode, please pass `-s` or
+`--secure-only` flags. In that case, clients which do not use dd-secrets
+are going to be disconnected from the proxy.
+
+
 ## Environment variables
 
 It is possible to configure this tool using environment variables. You
@@ -156,6 +161,7 @@ supported environment variables:
 | `MTG_STATSD_TAGS`        | `--statsd-tags`        |                                   | Which tags should we send to statsd with our metrics. Please specify them as `key=value` pairs.                                                                                                                                                                            |
 | `MTG_BUFFER_WRITE`       | `-w`, `--write-buffer` | `65536`                           | The size of TCP write buffer in bytes. Write buffer is the buffer for messages which are going from client to Telegram.                                                                                                                                                    |
 | `MTG_BUFFER_READ`        | `-r`, `--read-buffer`  | `131072`                          | The size of TCP read buffer in bytes. Read buffer is the buffer for messages from Telegram to client.                                                                                                                                                                      |
+| `MTG_SECURE_ONLY`        | `-s`, `--secure-only`  | `false`                           | Support only clients with secure mode (i.e only clients with dd-secrets).                                                                                                                                                                                                  |
 
 Usually you want to modify only read/write buffer sizes. If you feel
 that proxy is slow, try to increase both sizes giving more priority to

config/config.go

@@ -16,6 +16,7 @@ type Config struct {
 	Debug      bool
 	Verbose    bool
 	SecureMode bool
+	SecureOnly bool
 
 	ReadBufferSize  int
 	WriteBufferSize int
@@ -116,8 +117,9 @@ func NewConfig(debug, verbose bool, // nolint: gocyclo
 	bindPort, publicIPv4Port, publicIPv6Port, statsPort, statsdPort uint16,
 	statsdIP, statsdNetwork, statsdPrefix, statsdTagsFormat string,
 	statsdTags map[string]string,
+	secureOnly bool,
 	secret, adtag []byte) (*Config, error) {
-	secureMode := false
+	secureMode := secureOnly
 	if bytes.HasPrefix(secret, []byte{0xdd}) && len(secret) == 17 {
 		secureMode = true
 		secret = bytes.TrimPrefix(secret, []byte{0xdd})
@@ -157,6 +159,7 @@ func NewConfig(debug, verbose bool, // nolint: gocyclo
 	conf := &Config{
 		Debug:           debug,
 		Verbose:         verbose,
+		SecureOnly:      secureOnly,
 		BindIP:          bindIP,
 		BindPort:        bindPort,
 		PublicIPv4:      publicIPv4,

main.go

@@ -122,6 +122,11 @@ var (
 		Envar("MTG_BUFFER_READ").
 		Default("131072").
 		Uint32()
+	secureOnly = app.Flag("secure-only",
+		"Support clients with dd-secrets only.").
+		Short('s').
+		Envar("MTG_SECURE_ONLY").
+		Bool()
 
 	secret = app.Arg("secret", "Secret of this proxy.").Required().HexBytes()
 	adtag  = app.Arg("adtag", "ADTag of the proxy.").HexBytes()
@@ -146,7 +151,7 @@ func main() { // nolint: gocyclo
 		*bindIP, *publicIPv4, *publicIPv6, *statsIP,
 		*bindPort, *publicIPv4Port, *publicIPv6Port, *statsPort, *statsdPort,
 		*statsdIP, *statsdNetwork, *statsdPrefix, *statsdTagsFormat,
-		*statsdTags,
+		*statsdTags, *secureOnly,
 		*secret, *adtag,
 	)
 	if err != nil {

proxy/proxy.go

@@ -65,6 +65,11 @@ func (p *Proxy) accept(conn net.Conn) {
 	}
 	defer clientConn.(io.Closer).Close() // nolint: errcheck
 
+	if p.conf.SecureOnly && opts.ConnectionType != mtproto.ConnectionTypeSecure {
+		log.Errorw("Proxy supports only secure connections", "connection_type", opts.ConnectionType)
+		return
+	}
+
 	stats.ClientConnected(opts.ConnectionType, clientConn.RemoteAddr())
 	defer stats.ClientDisconnected(opts.ConnectionType, clientConn.RemoteAddr())