Merge remote-tracking branch 'origin/stable' into v2

Author: 9seconds

Dockerfile

@@ -5,6 +5,19 @@ FROM golang:1.26-alpine AS build
 
 ENV CGO_ENABLED=0
 
+# this is done for backward compatibility: before that we mounted a config
+# into /config.toml. Some application allow mounting directories only,
+# so it makes problems. So, instead we are going to do 2 steps:
+#  1. Create /config/config.toml as a symlink to /config.toml
+#  2. Force /mtg to use /config/config.toml
+#
+# it helps in both ways: users with directories could use /config directory
+# and overlap a symlink by their bind mount. Old users could continue using
+# /config.toml as a real config.
+RUN set -x \
+  && mkdir -p /config \
+  && ln -sv /config.toml /config/config.toml
+
 RUN --mount=type=cache,target=/var/cache/apk \
     set -x \
     && apk --update add \
@@ -35,8 +48,9 @@ RUN set -x \
 FROM scratch
 
 ENTRYPOINT ["/mtg"]
-CMD ["run", "/config.toml"]
+CMD ["run", "/config/config.toml"]
 
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /app/mtg /mtg
 COPY --from=build /app/example.config.toml /config.toml
+COPY --from=build /config /config

README.md

@@ -301,6 +301,38 @@ For example, you've bought a VPS from [Digital
 Ocean](https://www.digitalocean.com/). Then it might be a good idea to
 generate a secret for _digitalocean.com_ then.
 
+### Check configuration
+
+There is a special command for secret verification:
+
+```
+$ mtg doctor /path/to/my/config.toml
+Deprecated options
+  ✅ All good
+Time skewness
+  ✅ Time drift is -607.048µs, but tolerate-time-skewness is 5s
+Validate native network connectivity
+  ✅ DC 1
+  ✅ DC 2
+  ✅ DC 3
+  ✅ DC 4
+  ✅ DC 5
+  ✅ DC 203
+Validate network connectivity with proxy socks5://127.0.0.1:1080
+  ✅ DC 1
+  ✅ DC 2
+  ✅ DC 3
+  ✅ DC 4
+  ✅ DC 5
+  ✅ DC 203
+Validate fronting domain connectivity
+  ✅ xx.xx.xx.xx:yyy is reachable
+Validate SNI-DNS match
+  ✅ IP address xx.xx.xx.xx matches secret hostname <REDACTED>
+```
+
+It aims to find out possible inconsistencies and problems with your
+configuration. It makes sense to run it before executing any relevant commands.
 
 ### Simple run mode
 

essentials/addresses.go

@@ -0,0 +1,30 @@
+package essentials
+
+// TelegramCoreAddresses are publicly known addresses of Telegram core network.
+var TelegramCoreAddresses = map[int][]string{
+	1: {
+		"149.154.175.50:443",
+		"[2001:b28:f23d:f001::a]:443",
+	},
+	2: {
+		"149.154.167.51:443",
+		"95.161.76.100:443",
+		"[2001:67c:04e8:f002::a]:443",
+	},
+	3: {
+		"149.154.175.100:443",
+		"[2001:b28:f23d:f003::a]:443",
+	},
+	4: {
+		"149.154.167.91:443",
+		"[2001:67c:04e8:f004::a]:443",
+	},
+	5: {
+		"149.154.171.5:443",
+		"[2001:b28:f23f:f005::a]:443",
+	},
+	203: {
+		"91.105.192.100:443",
+		"[2a0a:f280:0203:000a:5000:0000:0000:0100]:443",
+	},
+}

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/d4l3k/messagediff v1.2.1 // indirect
 	github.com/jarcoal/httpmock v1.0.8
 	github.com/mccutchen/go-httpbin v1.1.1
-	github.com/panjf2000/ants/v2 v2.11.6
+	github.com/panjf2000/ants/v2 v2.12.0
 	github.com/prometheus/client_golang v1.23.2
 	github.com/prometheus/common v0.67.5 // indirect
 	github.com/prometheus/procfs v0.20.1 // indirect
@@ -27,6 +27,7 @@ require (
 )
 
 require (
+	github.com/beevik/ntp v1.5.0
 	github.com/ncruces/go-dns v1.3.2
 	github.com/pelletier/go-toml/v2 v2.2.4
 	github.com/pires/go-proxyproto v0.11.0

go.sum

@@ -12,6 +12,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/babolivier/go-doh-client v0.0.0-20201028162107-a76cff4cb8b6 h1:4NNbNM2Iq/k57qEu7WfL67UrbPq1uFWxW4qODCohi+0=
 github.com/babolivier/go-doh-client v0.0.0-20201028162107-a76cff4cb8b6/go.mod h1:J29hk+f9lJrblVIfiJOtTFk+OblBawmib4uz/VdKzlg=
+github.com/beevik/ntp v1.5.0 h1:y+uj/JjNwlY2JahivxYvtmv4ehfi3h74fAuABB9ZSM4=
+github.com/beevik/ntp v1.5.0/go.mod h1:mJEhBrwT76w9D+IfOEGvuzyuudiW9E52U2BaTrMOYow=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -53,8 +55,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/ncruces/go-dns v1.3.2 h1:kBLuUZBgkQ4qF4WDXZRQ4rG0Gk6sLVJQ5tESkWrxUa0=
 github.com/ncruces/go-dns v1.3.2/go.mod h1:tuzixNY8PY/M7yUzcvRbUaeLs3ifIdydpi5H2bfRU+s=
-github.com/panjf2000/ants/v2 v2.11.6 h1:JKsoIUukIoCO0sP0gcOqdyoXmpyKXuU6fC57rODtpug=
-github.com/panjf2000/ants/v2 v2.11.6/go.mod h1:8u92CYMUc6gyvTIw8Ru7Mt7+/ESnJahz5EVtqfrilek=
+github.com/panjf2000/ants/v2 v2.12.0 h1:u9JhESo83i/GkZnhfTNuFMMWcNt7mnV1bGJ6FT4wXH8=
+github.com/panjf2000/ants/v2 v2.12.0/go.mod h1:tSQuaNQ6r6NRhPt+IZVUevvDyFMTs+eS4ztZc52uJTY=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=

internal/cli/access.go

@@ -1,22 +1,16 @@
 package cli
 
 import (
-	"context"
 	"encoding/json"
 	"fmt"
-	"io"
 	"net"
-	"net/http"
 	"net/url"
 	"os"
 	"strconv"
-	"strings"
 	"sync"
 
-	"github.com/9seconds/mtg/v2/essentials"
 	"github.com/9seconds/mtg/v2/internal/config"
 	"github.com/9seconds/mtg/v2/internal/utils"
-	"github.com/9seconds/mtg/v2/mtglib"
 )
 
 type accessResponse struct {
@@ -65,7 +59,7 @@ func (a *Access) Run(cli *CLI, version string) error {
 	wg.Go(func() {
 		ip := a.PublicIPv4
 		if ip == nil {
-			ip = a.getIP(ntw, "tcp4")
+			ip = getIP(ntw, "tcp4")
 		}
 
 		if ip != nil {
@@ -77,7 +71,7 @@ func (a *Access) Run(cli *CLI, version string) error {
 	wg.Go(func() {
 		ip := a.PublicIPv6
 		if ip == nil {
-			ip = a.getIP(ntw, "tcp6")
+			ip = getIP(ntw, "tcp6")
 		}
 
 		if ip != nil {
@@ -100,45 +94,6 @@ func (a *Access) Run(cli *CLI, version string) error {
 	return nil
 }
 
-func (a *Access) getIP(ntw mtglib.Network, protocol string) net.IP {
-	dialer := ntw.NativeDialer()
-	client := ntw.MakeHTTPClient(func(ctx context.Context, network, address string) (essentials.Conn, error) {
-		conn, err := dialer.DialContext(ctx, protocol, address)
-		if err != nil {
-			return nil, err
-		}
-		return essentials.WrapNetConn(conn), err
-	})
-
-	req, err := http.NewRequest(http.MethodGet, "https://ifconfig.co", nil) //nolint: noctx
-	if err != nil {
-		panic(err)
-	}
-
-	req.Header.Add("Accept", "text/plain")
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return nil
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil
-	}
-
-	defer func() {
-		io.Copy(io.Discard, resp.Body) //nolint: errcheck
-		resp.Body.Close()              //nolint: errcheck
-	}()
-
-	data, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil
-	}
-
-	return net.ParseIP(strings.TrimSpace(string(data)))
-}
-
 func (a *Access) makeURLs(conf *config.Config, ip net.IP) *accessResponseURLs {
 	if ip == nil {
 		return nil

internal/cli/cli.go

@@ -4,6 +4,7 @@ import "github.com/alecthomas/kong"
 
 type CLI struct {
 	GenerateSecret GenerateSecret   `kong:"cmd,help='Generate new proxy secret'"`
+	Doctor         Doctor           `kong:"cmd,help='Check that proxy can run correctly'"`
 	Access         Access           `kong:"cmd,help='Print access information.'"`
 	Run            Run              `kong:"cmd,help='Run proxy.'"`
 	SimpleRun      SimpleRun        `kong:"cmd,help='Run proxy without config file.'"`