Allow any in tls_allowed_domains.

seriyps · Aug 12, 2019 · fbe8cb5 · fbe8cb5
1 parent 237f9f1
commit fbe8cb5
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 9 deletions.
diff --git a/Makefile b/Makefile
@@ -13,10 +13,11 @@ all: config/prod-sys.config config/prod-vm.args
 .PHONY: test
 test:
 	$(REBAR3) xref
-	$(REBAR3) eunit
-	$(REBAR3) ct
-	$(REBAR3) proper -n 50
+	$(REBAR3) eunit -c
+	$(REBAR3) ct -c
+	$(REBAR3) proper -c -n 50
 	$(REBAR3) dialyzer
+	$(REBAR3) cover -v
 
 config/prod-sys.config: config/sys.config.example
 	[ -f $@ ] && diff $^ $@ || true

diff --git a/README.md b/README.md
@@ -258,7 +258,7 @@ You should disable all protocols other than `mtp_secure` by providing `allowed_p
 Another censorship circumvention technique. MTPRoto proxy protocol pretends to be
 HTTPS web traffic (technically speaking, TLSv1.3 + HTTP/2).
 It's possible to only allow connections with this protocol by changing `allowed_protocols` to
-be list with only `mtp_fake_tls`:
+be list with only `mtp_fake_tls`. You may also want to check `tls_allowed_domains` option.
 
 ```erlang
   {mtproto_proxy,

diff --git a/src/mtp_handler.erl b/src/mtp_handler.erl
@@ -359,9 +359,14 @@ maybe_check_replay(Packet) ->
 check_tls_access(_Listener, _Ip, #{sni_domain := Domain}) ->
     %% TODO validate timestamp!
     %% TODO some more scalable solution
-    AllowedDomains = application:get_env(?APP, tls_allowed_domains, []),
-    lists:member(Domain, AllowedDomains)
-        orelse error({protocol_error, tls_sni_domain_not_allowed, Domain});
+    case application:get_env(?APP, tls_allowed_domains, any) of
+        any ->
+            %% No limits
+            true;
+        AllowedDomains ->
+            lists:member(Domain, AllowedDomains)
+                orelse error({protocol_error, tls_sni_domain_not_allowed, Domain})
+    end;
 check_tls_access(_, Ip, Meta) ->
     error({protocol_error, tls_no_sni, {Ip, Meta}}).
 

diff --git a/src/mtproto_proxy.app.src b/src/mtproto_proxy.app.src
@@ -60,7 +60,9 @@
 
         %% Which domains to allow in TLS SNI
         %% XXX: this option is experimental and will be removed later!
-        {tls_allowed_domains, [<<"en.wikipedia.org">>]},
+        %% Can be set to `any' to allow any domains.
+        %% {tls_allowed_domains, any},
+        {tls_allowed_domains, [<<"en.wikipedia.org">>, <<"s3.amazonaws.com">>]},
 
         {init_dc_connections, 2},
         {clients_per_dc_connection, 300},

diff --git a/src/mtproto_proxy_app.erl b/src/mtproto_proxy_app.erl
@@ -173,7 +173,11 @@ build_urls(Host, Port, Secret, Protocols) ->
     lists:map(
       fun(mtp_fake_tls) ->
               %% Print just for 1st domain as example
-              {ok, [Domain | _]} = application:get_env(?APP, tls_allowed_domains),
+              Domain = case application:get_env(?APP, tls_allowed_domains) of
+                           {ok, [Domain0 | _]} -> Domain0;
+                           _ ->
+                               <<"en.wikipedia.org">>
+                       end,
               ProtoSecret = mtp_fake_tls:format_secret(Secret, Domain),
               MkUrl(ProtoSecret);
          (mtp_secure) ->