Allow `any` in `tls_allowed_domains`.

fbe8cb59 · Sergey Prokhorov · 237f9f1d · fbe8cb59 · fbe8cb59 · fbe8cb59
Unverified Commit fbe8cb59 authored Aug 13, 2019 by Sergey Prokhorov
Showing with 21 additions and 9 deletions

Makefile Makefile +4 -3

README.md README.md +1 -1

mtp_handler.erl src/mtp_handler.erl +8 -3

mtproto_proxy.app.src src/mtproto_proxy.app.src +3 -1

mtproto_proxy_app.erl src/mtproto_proxy_app.erl +5 -1

No files found.
--- a/Makefile
+++ b/Makefile
@@ -13,10 +13,11 @@ all: config/prod-sys.config config/prod-vm.args
 .PHONY: test
 test:
 	$(REBAR3) xref
-	$(REBAR3) eunit
+	$(REBAR3) eunit -c
-	$(REBAR3) ct
+	$(REBAR3) ct -c
-	$(REBAR3) proper -n 50
+	$(REBAR3) proper -c -n 50
 	$(REBAR3) dialyzer
+	$(REBAR3) cover -v
 config/prod-sys.config: config/sys.config.example
 	[ -f $@ ] && diff $^ $@ || true

--- a/README.md
+++ b/README.md
@@ -258,7 +258,7 @@ You should disable all protocols other than `mtp_secure` by providing `allowed_p
 Another censorship circumvention technique. MTPRoto proxy protocol pretends to be
 HTTPS web traffic (technically speaking, TLSv1.3 + HTTP/2).
 It's possible to only allow connections with this protocol by changing `allowed_protocols` to
-be list with only `mtp_fake_tls`:
+be list with only `mtp_fake_tls`. You may also want to check `tls_allowed_domains` option.
 ```erlang
  {mtproto_proxy,

--- a/src/mtp_handler.erl
+++ b/src/mtp_handler.erl
@@ -359,9 +359,14 @@ maybe_check_replay(Packet) ->
 check_tls_access(_Listener, _Ip, #{sni_domain := Domain}) ->
    %% TODO validate timestamp!
    %% TODO some more scalable solution
-    AllowedDomains = application:get_env(?APP, tls_allowed_domains, []),
+    case application:get_env(?APP, tls_allowed_domains, any) of
-    lists:member(Domain, AllowedDomains)
+        any ->
-        orelse error({protocol_error, tls_sni_domain_not_allowed, Domain});
+            %% No limits
+            true;
+        AllowedDomains ->
+            lists:member(Domain, AllowedDomains)
+                orelse error({protocol_error, tls_sni_domain_not_allowed, Domain})
+    end;
 check_tls_access(_, Ip, Meta) ->
    error({protocol_error, tls_no_sni, {Ip, Meta}}).

--- a/src/mtproto_proxy.app.src
+++ b/src/mtproto_proxy.app.src
@@ -60,7 +60,9 @@
        %% Which domains to allow in TLS SNI
        %% XXX: this option is experimental and will be removed later!
-        {tls_allowed_domains, [<<"en.wikipedia.org">>]},
+        %% Can be set to `any' to allow any domains.
+        %% {tls_allowed_domains, any},
+        {tls_allowed_domains, [<<"en.wikipedia.org">>, <<"s3.amazonaws.com">>]},
        {init_dc_connections, 2},
        {clients_per_dc_connection, 300},

--- a/src/mtproto_proxy_app.erl
+++ b/src/mtproto_proxy_app.erl
@@ -173,7 +173,11 @@ build_urls(Host, Port, Secret, Protocols) ->
    lists:map(
      fun(mtp_fake_tls) ->
              %% Print just for 1st domain as example
-              {ok, [Domain | _]} = application:get_env(?APP, tls_allowed_domains),
+              Domain = case application:get_env(?APP, tls_allowed_domains) of
+                           {ok, [Domain0 | _]} -> Domain0;
+                           _ ->
+                               <<"en.wikipedia.org">>
+                       end,
              ProtoSecret = mtp_fake_tls:format_secret(Secret, Domain),
              MkUrl(ProtoSecret);
         (mtp_secure) ->