From fbe8cb593f4ca40abc9bca81757b992f65ddf897 Mon Sep 17 00:00:00 2001
From: Sergey Prokhorov
Date: Tue, 13 Aug 2019 00:45:29 +0200
Subject: [PATCH] Allow `any` in `tls_allowed_domains`.
---
Makefile | 7 ++++---
README.md | 2 +-
src/mtp_handler.erl | 11 ++++++++---
src/mtproto_proxy.app.src | 4 +++-
src/mtproto_proxy_app.erl | 6 +++++-
5 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/Makefile b/Makefile
index 9a3afe9..37f1a3d 100644
--- a/Makefile
+++ b/Makefile
@@ -13,10 +13,11 @@ all: config/prod-sys.config config/prod-vm.args
 .PHONY: test
 test:
 $(REBAR3) xref
- $(REBAR3) eunit
- $(REBAR3) ct
- $(REBAR3) proper -n 50
+ $(REBAR3) eunit -c
+ $(REBAR3) ct -c
+ $(REBAR3) proper -c -n 50
 $(REBAR3) dialyzer
+ $(REBAR3) cover -v
 config/prod-sys.config: config/sys.config.example
 [ -f $@ ] && diff $^ $@ || true
diff --git a/README.md b/README.md
index 618e392..092c576 100644
--- a/README.md
+++ b/README.md
@@ -258,7 +258,7 @@ You should disable all protocols other than `mtp_secure` by providing `allowed_p
 Another censorship circumvention technique. MTPRoto proxy protocol pretends to be HTTPS web traffic (technically speaking, TLSv1.3 + HTTP/2). It's possible to only allow connections with this protocol by changing `allowed_protocols` to
-be list with only `mtp_fake_tls`:
+be list with only `mtp_fake_tls`. You may also want to check `tls_allowed_domains` option.
 ```erlang
 {mtproto_proxy,
diff --git a/src/mtp_handler.erl b/src/mtp_handler.erl
index d58aeb3..5e5ce71 100644
--- a/src/mtp_handler.erl
+++ b/src/mtp_handler.erl
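Review bot: `$(REBAR3) cover -v` is placed after `$(REBAR3) dialyzer`, so a dialyzer failure stops the `test` recipe before the coverage collected by the three new `-c` runs is ever reported. Moving the line directly after `$(REBAR3) proper -c -n 50` reports coverage regardless of the dialyzer outcome, which is presumably what the `-c` flags were added for.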
@@ -359,9 +359,14 @@ maybe_check_replay(Packet) ->
 check_tls_access(_Listener, _Ip, #{sni_domain := Domain}) ->
 %% TODO validate timestamp!
 %% TODO some more scalable solution
- AllowedDomains = application:get_env(?APP, tls_allowed_domains, []),
- lists:member(Domain, AllowedDomains)
- orelse error({protocol_error, tls_sni_domain_not_allowed, Domain});
+ case application:get_env(?APP, tls_allowed_domains, any) of
+ any ->
+ %% No limits
+ true;
+ AllowedDomains ->
+ lists:member(Domain, AllowedDomains)
+ orelse error({protocol_error, tls_sni_domain_not_allowed, Domain})
+ end;
 check_tls_access(_, Ip, Meta) ->
 error({protocol_error, tls_no_sni, {Ip, Meta}}).
diff --git a/src/mtproto_proxy.app.src b/src/mtproto_proxy.app.src
index 1240ead..185ecc1 100644
--- a/src/mtproto_proxy.app.src
+++ b/src/mtproto_proxy.app.src
@@ -60,7 +60,9 @@
 %% Which domains to allow in TLS SNI
 %% XXX: this option is experimental and will be removed later!
- {tls_allowed_domains, [<<"en.wikipedia.org">>]},
+ %% Can be set to `any' to allow any domains.
+ %% {tls_allowed_domains, any},
+ {tls_allowed_domains, [<<"en.wikipedia.org">>, <<"s3.amazonaws.com">>]},
 {init_dc_connections, 2},
 {clients_per_dc_connection, 300},
diff --git a/src/mtproto_proxy_app.erl b/src/mtproto_proxy_app.erl
index 8140ae8..c56dbd9 100644
--- a/src/mtproto_proxy_app.erl
+++ b/src/mtproto_proxy_app.erl
@@ -173,7 +173,11 @@ build_urls(Host, Port, Secret, Protocols) ->
 lists:map(
 fun(mtp_fake_tls) ->
 %% Print just for 1st domain as example
- {ok, [Domain | _]} = application:get_env(?APP, tls_allowed_domains),
+ Domain = case application:get_env(?APP, tls_allowed_domains) of
+ {ok, [Domain0 | _]} -> Domain0;
+ _ ->
+ <<"en.wikipedia.org">>
+ end,
 ProtoSecret = mtp_fake_tls:format_secret(Secret, Domain),
 MkUrl(ProtoSecret);
 (mtp_secure) ->
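Review bot: The default passed to `application:get_env/3` changes from `[]` to `any`, so an unset `tls_allowed_domains` key now disables the SNI domain check entirely instead of rejecting every domain; a deployment whose sys.config simply omits the key silently goes from deny-all to allow-all. Keeping `case application:get_env(?APP, tls_allowed_domains, []) of` and requiring an explicit `any` to opt out preserves the fail-closed behaviour of the removed lines and matches the mtproto_proxy.app.src hunk, whose new comment documents only the explicit `any` setting. The `AllowedDomains ->` clause also binds any term, so a misconfigured non-list value reaches `lists:member/2` and fails with `badarg` rather than a named error; a `when is_list(AllowedDomains)` guard would make the resulting crash point at the configuration.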
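Review bot: The `_ ->` fallback in the new `case` folds three distinct configurations into the hard-coded `<<"en.wikipedia.org">>`: `{ok, any}`, an unset key, and `{ok, []}`. For `{ok, []}` the printed `mtp_fake_tls` URL advertises a domain that `check_tls_access` in mtp_handler rejects with `tls_sni_domain_not_allowed` (assuming both `?APP` macros name the same application), and an unset key no longer fails with `badmatch` as the removed assertive match did. Matching `{ok, any} -> <<"en.wikipedia.org">>; %% any SNI accepted; pick one for the example` explicitly and letting `{ok, []}` and `undefined` keep crashing keeps the printed URL consistent with what the handler enforces. `build_urls/4` starts before and continues after this hunk.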