proxy_server: restrict SNI-rewrite dispatch to HTTPS CONNECT/SOCKS targets#50
Merged. therealaleph merged 1 commit, Apr 23, 2026.
1130267 to dd057b7
…rgets

dispatch_tunnel() is only used by the HTTP CONNECT and SOCKS5 listeners. It previously forced hosts matched by matches_sni_rewrite() or the hosts override map into do_sni_rewrite_tunnel_from_tcp() regardless of port. That tunnel is TLS-specific: it accepts inbound TLS from the client and opens a second TLS connection to the Google edge. For non-HTTPS targets such as :80, selecting that path makes the proxy wait for a ClientHello that will never arrive.

Introduce should_use_sni_rewrite() and require port 443 before forcing the rewrite tunnel from dispatch_tunnel(). Non-HTTPS targets now remain on the normal dispatch path.

The tests now cover both suffix-based and hosts-map matches on ports 443 and 80.
dd057b7 to bbf270a
therealaleph added a commit that referenced this pull request, Apr 23, 2026
…only (#60)

Contains the three safety fixes from PRs #48/#49/#50 and the Persian README RTL polishing from #58, all squashed into main. Merge details already in their individual PR comments; summary:

- #48: reject truncated Content-Length relay responses (previously silently accepted whatever bytes arrived before EOF)
- #49: reject truncated or malformed (missing CRLF) chunked-encoding relay responses (same class of silent-acceptance bug)
- #50: restrict the SNI-rewrite tunnel dispatch to port 443. Plain HTTP (:80) targets that happened to match google.com / hosts override were being steered into the TLS tunnel and blocking waiting for a ClientHello that would never arrive.
- #58: trailing-whitespace line-breaks on Persian bullet lists in README so the RTL rendering doesn't collapse consecutive items into a single paragraph.

Test suite grew from 54 to 58 passing (three new negative tests for the relay-reader correctness fixes + one SNI-rewrite port filter).

Telegram CI notify default switched to file-plus-link:

- script gains a `--with-changelog` flag; default OFF
- workflow only passes it when `vars.TELEGRAM_INCLUDE_CHANGELOG=true`
- every routine release now posts just the APK + short caption (title + SHA-256 + repo URL + release URL) with no long body

To include bullets for a given release again: gh variable set TELEGRAM_INCLUDE_CHANGELOG --body true

The existing `vars.TELEGRAM_NOTIFY_ENABLED` job-level gate remains — changelog toggle is orthogonal to enable/disable.

Also closes PR #55 without merging; ads/analytics domains were being lumped under a YouTube-specific toggle, and the PR committed per-machine `.cargo/config.toml` + zig-cc cross-compile helpers that would have broken CI on actual Windows / macOS runners.
therealaleph pushed a commit that referenced this pull request, Apr 25, 2026
…rgets (#50)

dispatch_tunnel() is only used by the HTTP CONNECT and SOCKS5 listeners. It previously forced hosts matched by matches_sni_rewrite() or the hosts override map into do_sni_rewrite_tunnel_from_tcp() regardless of port. That tunnel is TLS-specific: it accepts inbound TLS from the client and opens a second TLS connection to the Google edge. For non-HTTPS targets such as :80, selecting that path makes the proxy wait for a ClientHello that will never arrive.

Introduce should_use_sni_rewrite() and require port 443 before forcing the rewrite tunnel from dispatch_tunnel(). Non-HTTPS targets now remain on the normal dispatch path.

The tests now cover both suffix-based and hosts-map matches on ports 443 and 80.

Co-authored-by: freeinternet865 <free@internet865.com>
therealaleph added a commit that referenced this pull request, Apr 25, 2026
dispatch_tunnel() is only used by the HTTP CONNECT and SOCKS5 listeners.
It previously forced hosts matched by matches_sni_rewrite() or the hosts
override map into do_sni_rewrite_tunnel_from_tcp() regardless of port.
That tunnel is TLS-specific: it accepts inbound TLS from the client and
opens a second TLS connection to the Google edge. For non-HTTPS targets
such as :80, selecting that path makes the proxy wait for a ClientHello
that will never arrive.
Introduce should_use_sni_rewrite() and require port 443 before forcing the
rewrite tunnel from dispatch_tunnel(). Non-HTTPS targets now remain on the
normal dispatch path.
The tests now cover both suffix-based and hosts-map matches on ports 443
and 80.
Edited and written by GPT.
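The port gate this PR describes, as an added example that is not the project's own code: a stand-alone Rust model of dispatch_tunnel() calling should_use_sni_rewrite(), with a label-boundary matches_sni_rewrite() and a hosts override map. The TunnelPath enum, the suffix list and the hosts-map contents are assumptions made for the example.

```rust
use std::collections::HashMap;
use std::net::IpAddr;

/// Where dispatch_tunnel() sends a CONNECT/SOCKS5 target (hypothetical enum for this example).
#[derive(Debug, PartialEq)]
pub enum TunnelPath {
    /// TLS-in, TLS-out tunnel that rewrites SNI toward the Google edge.
    SniRewrite,
    /// Ordinary byte relay with no TLS termination.
    Direct,
}

/// Hosts override map, hostname -> address (shape assumed for the example).
pub type HostsOverride = HashMap<String, IpAddr>;

/// Suffix match on a label boundary: "www.google.com" and "google.com" match "google.com",
/// "notgoogle.com" does not. Case-insensitive; a trailing dot is tolerated.
pub fn matches_sni_rewrite(host: &str, suffixes: &[&str]) -> bool {
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    suffixes.iter().any(|s| {
        let s = s.to_ascii_lowercase();
        let dotted = format!(".{s}");
        h == s || h.ends_with(dotted.as_str())
    })
}

/// The gate the PR introduces: the rewrite tunnel expects a TLS ClientHello, so a
/// target is forced into it only when it matches AND the port is 443.
pub fn should_use_sni_rewrite(host: &str, port: u16, suffixes: &[&str], hosts: &HostsOverride) -> bool {
    if port != 443 {
        return false; // plain HTTP (:80 etc.) stays on the normal dispatch path
    }
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    matches_sni_rewrite(&h, suffixes) || hosts.contains_key(&h)
}

pub fn dispatch_tunnel(host: &str, port: u16, suffixes: &[&str], hosts: &HostsOverride) -> TunnelPath {
    if should_use_sni_rewrite(host, port, suffixes, hosts) {
        TunnelPath::SniRewrite
    } else {
        TunnelPath::Direct
    }
}

fn main() {
    let mut hosts = HostsOverride::new(); // constructed sample override entry
    hosts.insert("override.example".to_string(), "203.0.113.7".parse().unwrap());
    for (h, p) in [("www.google.com", 443), ("www.google.com", 80), ("override.example", 80)] {
        println!("{h}:{p} -> {:?}", dispatch_tunnel(h, p, &["google.com"], &hosts));
    }
}
```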