Warn about SNI/IP mismatch at proxy startup#461
Conversation
The SNI-DNS validation that exists in 'mtg doctor' is now also run at proxy startup. If the secret hostname does not resolve to the server's public IP, a warning is logged so that operators notice the misconfiguration before DPI silently blocks the proxy. The check is best-effort: if the public IP cannot be detected or the hostname cannot be resolved, a brief warning is emitted and the proxy starts normally. Refs: 9seconds#444, 9seconds#458
| } | ||
|
|
||
| for _, addr := range addresses { | ||
| if (ourIP4 != nil && addr.IP.String() == ourIP4.String()) || |
There was a problem hiding this comment.
I have a feeling that both addresses must match. If we have 1 matching IPv6 but IPv4 mismatch, it could lead to major problems, given that most of e2e connectivity is still made with IPv4
There was a problem hiding this comment.
Good point — fixed in 491a355.
The check now requires each detected IP family to be present in the DNS response: a matching AAAA no longer masks a mismatched A, and vice versa. If only one family is detected (e.g. IPv6 not configured), only that family is required. The warning also reports per-family match status (ipv4_match=false / ipv6_match=true) so operators can tell which record is wrong.
Side note: doctor.go:checkSecretHost has the same OR-logic and would have the same blind spot. Happy to align it in this PR for consistency, or split into a follow-up — whichever you prefer.
There was a problem hiding this comment.
Yeah, the whole logic there must be revised. Especially connectivity part
Previously the check returned OK if any resolved address matched either the public IPv4 or IPv6. A matching AAAA could mask a mismatched A record (and vice versa), which is a problem because most client connectivity is still IPv4: a partial match would silently pass the warning while DPI still blocks the proxy. Now each detected IP family must appear in the DNS response; the warning also reports per-family match status so operators can tell which record is wrong.
2 participants
Summary
The SNI-DNS validation that
mtg doctoralready performs is now alsorun once at
mtg runstartup. If the secret hostname does not resolveto the server's public IP, a warning is logged so that operators notice
the misconfiguration before DPI silently blocks the proxy.
The check is best-effort and never prevents the proxy from starting:
Motivation
Most operators only discover the SNI/IP mismatch after their proxy has
already been blocked.
mtg doctorcatches this, but many people skipit — especially in docker/systemd setups where you deploy and forget.
A startup warning surfaces the problem at exactly the right moment.
Discussed in #458 (comment by @9seconds: "Наверное да, хорошая идея").
Changes
internal/cli/run_proxy.go: newwarnSNIMismatch()function, calledafter the network is initialised. Reuses
getIP()fromutils.go(same logic as
doctor.go:checkSecretHost).Test plan
go build ./...— cleango vet ./internal/cli/...— cleanthe log; with a matching hostname no warning is emitted.
Refs: #444, #458