Allow any in tls_allowed_domains.
seriyps committed Aug 12, 2019
1 parent 237f9f1 commit fbe8cb5
Showing 5 changed files with 21 additions and 9 deletions.
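--- a/Makefile
+++ b/Makefile
@@ -13,10 +13,11 @@ all: config/prod-sys.config config/prod-vm.args
 .PHONY: test
 test:
 $(REBAR3) xref
-$(REBAR3) eunit
-$(REBAR3) ct
-$(REBAR3) proper -n 50
+$(REBAR3) eunit -c
+$(REBAR3) ct -c
+$(REBAR3) proper -c -n 50
 $(REBAR3) dialyzer
+$(REBAR3) cover -v
 
 config/prod-sys.config: config/sys.config.example
 [ -f $@ ] && diff $^ $@ || true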
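--- a/README.md
+++ b/README.md
@@ -258,7 +258,7 @@ You should disable all protocols other than `mtp_secure` by providing `allowed_p
 Another censorship circumvention technique. MTPRoto proxy protocol pretends to be
 HTTPS web traffic (technically speaking, TLSv1.3 + HTTP/2).
 It's possible to only allow connections with this protocol by changing `allowed_protocols` to
-be list with only `mtp_fake_tls`:
+be list with only `mtp_fake_tls`. You may also want to check `tls_allowed_domains` option.
 
 ```erlang
 {mtproto_proxy,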
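--- a/src/mtp_handler.erl
+++ b/src/mtp_handler.erl
@@ -359,9 +359,14 @@ maybe_check_replay(Packet) ->
 check_tls_access(_Listener, _Ip, #{sni_domain := Domain}) ->
 %% TODO validate timestamp!
 %% TODO some more scalable solution
-AllowedDomains = application:get_env(?APP, tls_allowed_domains, []),
-lists:member(Domain, AllowedDomains)
-orelse error({protocol_error, tls_sni_domain_not_allowed, Domain});
+case application:get_env(?APP, tls_allowed_domains, any) of
+any ->
+%% No limits
+true;
+AllowedDomains ->
+lists:member(Domain, AllowedDomains)
+orelse error({protocol_error, tls_sni_domain_not_allowed, Domain})
+end;
 check_tls_access(_, Ip, Meta) ->
 error({protocol_error, tls_no_sni, {Ip, Meta}}).
 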
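Review bot: The fallback argument `any` in `application:get_env(?APP, tls_allowed_domains, any)` changes what happens when the key is absent from the config: the old code fell back to `[]` and rejected every SNI domain, the new code accepts every domain, so a deployment whose sys.config omits the key silently loses the check instead of failing closed. Keeping the old fallback and requiring `any` to be set explicitly preserves the previous behaviour for existing configs: `case application:get_env(?APP, tls_allowed_domains, []) of`. A configured value that is neither `any` nor a list reaches `lists:member/2` and fails with badarg, which is probably acceptable but is not documented; a short comment above the `case` stating the accepted shapes (`any` or a list of binaries) would help. Both clauses of check_tls_access appear to be inside the hunk, and the two TODO comments about timestamp validation and scalability are carried over unchanged.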
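--- a/src/mtproto_proxy.app.src
+++ b/src/mtproto_proxy.app.src
@@ -60,7 +60,9 @@
 
 %% Which domains to allow in TLS SNI
 %% XXX: this option is experimental and will be removed later!
-{tls_allowed_domains, [<<"en.wikipedia.org">>]},
+%% Can be set to `any' to allow any domains.
+%% {tls_allowed_domains, any},
+{tls_allowed_domains, [<<"en.wikipedia.org">>, <<"s3.amazonaws.com">>]},
 
 {init_dc_connections, 2},
 {clients_per_dc_connection, 300},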
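Review bot: The new comment "Can be set to `any' to allow any domains" understates the effect: in check_tls_access (src/mtp_handler.erl, same commit) the `any` branch returns `true` without looking at the SNI at all, so the domain check is disabled rather than widened. Suggest wording it as `%% Set to any to disable the SNI domain check entirely (every server name is accepted).` so an operator reading only this file understands what they are turning off. The XXX line above still applies to both forms of the option and could be placed after the new example so it is not read as belonging only to the list form.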
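--- a/src/mtproto_proxy_app.erl
+++ b/src/mtproto_proxy_app.erl
@@ -173,7 +173,11 @@ build_urls(Host, Port, Secret, Protocols) ->
 lists:map(
 fun(mtp_fake_tls) ->
 %% Print just for 1st domain as example
-{ok, [Domain | _]} = application:get_env(?APP, tls_allowed_domains),
+Domain = case application:get_env(?APP, tls_allowed_domains) of
+{ok, [Domain0 | _]} -> Domain0;
+_ ->
+<<"en.wikipedia.org">>
+end,
 ProtoSecret = mtp_fake_tls:format_secret(Secret, Domain),
 MkUrl(ProtoSecret);
 (mtp_secure) ->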
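Review bot: The catch-all `_ ->` branch of the new `case` substitutes `<<"en.wikipedia.org">>` not only for `{ok, any}` but also for `{ok, []}`, and with an empty list check_tls_access (src/mtp_handler.erl, same commit) rejects that very domain, so the printed example URL would be one the proxy refuses, with no hint that the config is inconsistent. Matching the intended case explicitly, `{ok, any} -> <<"en.wikipedia.org">>`, and dropping the catch-all keeps the old crash-on-misconfiguration behaviour for the other shapes. The existing comment "Print just for 1st domain as example" could add that the hard-coded domain is only an example for the `any` setting and that any SNI is accepted in that mode. build_urls starts before the hunk and the mapped fun continues after it.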
