diff --git a/README.md b/README.md index c9cd9dd40..dd7e63683 100644 --- a/README.md +++ b/README.md @@ -130,6 +130,11 @@ or echo dd$(head -c 512 /dev/urandom | md5sum | cut -f 1 -d ' ') ``` +If you want to enforce the usage of secure mode, please pass `-s` or +`--secure-only` flags. In that case, clients which do not use dd-secrets +are going to be disconnected from the proxy. + + ## Environment variables It is possible to configure this tool using environment variables. You @@ -156,6 +161,7 @@ supported environment variables: | `MTG_STATSD_TAGS` | `--statsd-tags` | | Which tags should we send to statsd with our metrics. Please specify them as `key=value` pairs. | | `MTG_BUFFER_WRITE` | `-w`, `--write-buffer` | `65536` | The size of TCP write buffer in bytes. Write buffer is the buffer for messages which are going from client to Telegram. | | `MTG_BUFFER_READ` | `-r`, `--read-buffer` | `131072` | The size of TCP read buffer in bytes. Read buffer is the buffer for messages from Telegram to client. | +| `MTG_SECURE_ONLY` | `-s`, `--secure-only` | `false` | Support only clients with secure mode (i.e only clients with dd-secrets). | Usually you want to modify only read/write buffer sizes. If you feel that proxy is slow, try to increase both sizes giving more priority to diff --git a/config/config.go b/config/config.go index 6d0e641fd..a52f76a95 100644 --- a/config/config.go +++ b/config/config.go @@ -16,6 +16,7 @@ type Config struct { Debug bool Verbose bool SecureMode bool + SecureOnly bool ReadBufferSize int WriteBufferSize int 
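Review bot: The new `SecureOnly` field on `Config` carries no doc comment, and because NewConfig in this same commit seeds `secureMode` from it, the field has a side effect on `SecureMode` that a reader of the struct cannot see. I would add `// SecureOnly makes the proxy drop clients that did not handshake with a dd-secret; setting it also forces SecureMode on.` above the field so the coupling is visible where the flag is stored. The Config struct continues past the hunk.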
@@ -116,8 +117,9 @@ func NewConfig(debug, verbose bool, // nolint: gocyclo
 bindPort, publicIPv4Port, publicIPv6Port, statsPort, statsdPort uint16,
 statsdIP, statsdNetwork, statsdPrefix, statsdTagsFormat string,
 statsdTags map[string]string,
+ secureOnly bool,
 secret, adtag []byte) (*Config, error) {
- secureMode := false
+ secureMode := secureOnly
 if bytes.HasPrefix(secret, []byte{0xdd}) && len(secret) == 17 {
 secureMode = true
 secret = bytes.TrimPrefix(secret, []byte{0xdd})
@@ -157,6 +159,7 @@ func NewConfig(debug, verbose bool, // nolint: gocyclo
 conf := &Config{
 Debug: debug,
 Verbose: verbose,
+ SecureOnly: secureOnly,
 BindIP: bindIP,
 BindPort: bindPort,
 PublicIPv4: publicIPv4,
diff --git a/main.go b/main.go
index 6b4d301a4..03857c84c 100644
--- a/main.go
+++ b/main.go
@@ -122,6 +122,11 @@ var (
 Envar("MTG_BUFFER_READ").
 Default("131072").
 Uint32()
+ secureOnly = app.Flag("secure-only",
+ "Support clients with dd-secrets only.").
+ Short('s').
+ Envar("MTG_SECURE_ONLY").
+ Bool()
 secret = app.Arg("secret", "Secret of this proxy.").Required().HexBytes()
 adtag = app.Arg("adtag", "ADTag of the proxy.").HexBytes()
@@ -146,7 +151,7 @@ func main() { // nolint: gocyclo
 *bindIP, *publicIPv4, *publicIPv6, *statsIP,
 *bindPort, *publicIPv4Port, *publicIPv6Port, *statsPort, *statsdPort,
 *statsdIP, *statsdNetwork, *statsdPrefix, *statsdTagsFormat,
- *statsdTags,
+ *statsdTags, *secureOnly,
 *secret, *adtag,
 )
 if err != nil {
diff --git a/proxy/proxy.go b/proxy/proxy.go
index 183df3463..96054e43e 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
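Review bot: `secureMode := secureOnly` turns secure mode on for any secret when `--secure-only` is passed, so an operator who combines the flag with a plain (non-`dd`) secret gets dd-links advertised for a secret that never went through the `0xdd`-prefix-and-17-byte check on the following line. If that coupling is intended, say so where it happens: `// --secure-only implies secure mode: advertised links must carry the dd prefix or no client could connect.` If the length of a non-prefixed secret is validated further down NewConfig that is outside the hunk; otherwise a `len(secret) == 16` check when `secureOnly` is set would keep a malformed secret from being served in secure-only mode. Inserting a bare `bool` into the middle of this long positional parameter list is also easy to misorder at the call site; a small options struct would be safer, though that is a larger change. NewConfig continues past the hunk.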
@@ -65,6 +65,11 @@ func (p *Proxy) accept(conn net.Conn) {
 }
 defer clientConn.(io.Closer).Close() // nolint: errcheck
+ if p.conf.SecureOnly && opts.ConnectionType != mtproto.ConnectionTypeSecure {
+ log.Errorw("Proxy supports only secure connections", "connection_type", opts.ConnectionType)
+ return
+ }
+
 stats.ClientConnected(opts.ConnectionType, clientConn.RemoteAddr())
 defer stats.ClientDisconnected(opts.ConnectionType, clientConn.RemoteAddr())
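Review bot: The rejection at the top of the hunk is triggered purely by the peer's choice of handshake mode, yet it is logged at Error level without the remote address and without touching `stats`, so a burst of non-secure clients yields an alert-level log flood that can be neither attributed to a source nor seen in metrics. I would demote it and include the peer, `log.Warnw("rejecting non-secure client", "connection_type", opts.ConnectionType, "remote_addr", clientConn.RemoteAddr())` (assuming the sugared logger in use offers Warnw as it does Errorw), and consider a rejected-client counter next to ClientConnected in `stats`. Whether the secret has already been verified by the point `opts.ConnectionType` is known is decided earlier in accept, which starts outside the hunk, so I cannot tell from here whether an unauthenticated peer can reach this log line. The deferred Close above the check does close the rejected connection, so there is no leak on the early return.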