Warn about SNI/IP mismatch at proxy startup#461
Warn about SNI/IP mismatch at proxy startup#461dolonet wants to merge 2 commits into9seconds:masterfrom
Conversation
The SNI-DNS validation that exists in 'mtg doctor' is now also run at proxy startup. If the secret hostname does not resolve to the server's public IP, a warning is logged so that operators notice the misconfiguration before DPI silently blocks the proxy. The check is best-effort: if the public IP cannot be detected or the hostname cannot be resolved, a brief warning is emitted and the proxy starts normally. Refs: 9seconds#444, 9seconds#458
internal/cli/run_proxy.go
Outdated
| } | ||
|
|
||
| for _, addr := range addresses { | ||
| if (ourIP4 != nil && addr.IP.String() == ourIP4.String()) || |
There was a problem hiding this comment.
I have a feeling that both addresses must match. If we have 1 matching IPv6 but IPv4 mismatch, it could lead to major problems, given that most of e2e connectivity is still made with IPv4
There was a problem hiding this comment.
Good point — fixed in 491a355.
The check now requires each detected IP family to be present in the DNS response: a matching AAAA no longer masks a mismatched A, and vice versa. If only one family is detected (e.g. IPv6 not configured), only that family is required. The warning also reports per-family match status (ipv4_match=false / ipv6_match=true) so operators can tell which record is wrong.
Side note: doctor.go:checkSecretHost has the same OR-logic and would have the same blind spot. Happy to align it in this PR for consistency, or split into a follow-up — whichever you prefer.
Previously the check returned OK if any resolved address matched either the public IPv4 or IPv6. A matching AAAA could mask a mismatched A record (and vice versa), which is a problem because most client connectivity is still IPv4: a partial match would silently pass the warning while DPI still blocks the proxy. Now each detected IP family must appear in the DNS response; the warning also reports per-family match status so operators can tell which record is wrong.
2 participants
Summary
The SNI-DNS validation that
mtg doctoralready performs is now alsorun once at
mtg runstartup. If the secret hostname does not resolveto the server's public IP, a warning is logged so that operators notice
the misconfiguration before DPI silently blocks the proxy.
The check is best-effort and never prevents the proxy from starting:
Motivation
Most operators only discover the SNI/IP mismatch after their proxy has
already been blocked.
mtg doctorcatches this, but many people skipit — especially in docker/systemd setups where you deploy and forget.
A startup warning surfaces the problem at exactly the right moment.
Discussed in #458 (comment by @9seconds: "Наверное да, хорошая идея").
Changes
internal/cli/run_proxy.go: newwarnSNIMismatch()function, calledafter the network is initialised. Reuses
getIP()fromutils.go(same logic as
doctor.go:checkSecretHost).Test plan
go build ./...— cleango vet ./internal/cli/...— cleanthe log; with a matching hostname no warning is emitted.
Refs: #444, #458