Skip to content

Commit b618ed7

Browse files
committed
1 parent 13523c7 commit b618ed7

6 files changed

Lines changed: 96 additions & 93 deletions

File tree

changelog/index.html

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1926,6 +1926,7 @@ <h2 id="unreleased">Unreleased<a class="headerlink" href="#unreleased" title="Pe
19261926
<li><strong>Document direct-mode limitations</strong> (<a href="https://github.com/teleproxy/teleproxy/issues/79">#79</a>). The <a href="/features/direct-mode/">Direct-to-DC Mode</a> page now spells out what <code>--direct</code> trades away by skipping Telegram's middle-end: media on non-Premium accounts may not load, sponsored channels aren't delivered, and Telegram voice/video calls aren't carried by any MTProto proxy regardless of mode. Answers the recurring symptom in <a href="https://github.com/teleproxy/teleproxy/issues/60">#60</a>.</li>
19271927
<li><strong><code>CONFIG_DOWNLOAD_PROXY</code> env var for the proxy-multi.conf download</strong> (<a href="https://github.com/teleproxy/teleproxy/issues/61">#61</a>). Hosts that can't reach <code>core.telegram.org</code> directly can now route the config refresh through an outbound HTTP or SOCKS proxy. Accepts any URL <code>curl -x</code> understands (<code>http://</code>, <code>https://</code>, <code>socks5://</code>, <code>socks5h://</code>, with optional <code>user:pass@</code>). Falls back to <code>SOCKS5_PROXY</code> when unset, so users who already proxy DC traffic don't need to set anything new. Applies to the initial fetch in <code>start.sh</code> and the 6-hour cron refresh.</li>
19281928
<li><strong>Split SNI domain from camouflage backend</strong> (<a href="https://github.com/teleproxy/teleproxy/issues/62">#62</a>). The fake-TLS feature used to require <code>EE_DOMAIN</code> to be both the SNI hostname and the backend connect target — operators worked around it by editing <code>/etc/hosts</code>. New <code>EE_BACKEND</code> env var separates the two: <code>EE_DOMAIN</code> keeps a clean public SNI name like <code>cloudflare.com</code>, while <code>EE_BACKEND</code> points at the actual backend (<code>127.0.0.1:8443</code>, <code>[::1]:8443</code>, or <code>unix:/run/nginx.sock</code>). Reality-style. Available as TOML too: <code>domain = [{ name = "cloudflare.com", backend = "127.0.0.1:8443" }]</code>. The legacy <code>EE_DOMAIN=host:port</code> and <code>domain = "..."</code> strings still work unchanged.</li>
1929+
<li><strong>Fix pre-handshake socket accumulation</strong> (<a href="https://github.com/teleproxy/teleproxy/issues/63">#63</a>). Scanners and probes that opened a TCP connection but never sent the obfs2 header used to sit on the proxy until OS-level TCP keepalive killed them roughly two hours later, inflating <code>total_connections</code> (Prometheus <code>teleproxy_active_connections</code>) far above the authenticated user count. The proxy already schedules a 10-second handshake alarm, but the handler used to no-op when fake-TLS wasn't configured. It now drops the unhandshaked socket. Most visible under random-padding (<code>dd</code>) mode, where there's no SNI gate to filter scanners early. New <code>make test-handshake-timeout</code> regression test asserts the counter returns to baseline within 15 seconds.</li>
19291930
</ul>
19301931
<h2 id="4122">4.12.2<a class="headerlink" href="#4122" title="Permanent link">&para;</a></h2>
19311932
<p>Build hygiene release. No runtime changes.</p>

fa/changelog/index.html

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1926,6 +1926,7 @@ <h2 id="unreleased">Unreleased<a class="headerlink" href="#unreleased" title="Pe
19261926
<li><strong>Document direct-mode limitations</strong> (<a href="https://github.com/teleproxy/teleproxy/issues/79">#79</a>). The <a href="/features/direct-mode/">Direct-to-DC Mode</a> page now spells out what <code>--direct</code> trades away by skipping Telegram's middle-end: media on non-Premium accounts may not load, sponsored channels aren't delivered, and Telegram voice/video calls aren't carried by any MTProto proxy regardless of mode. Answers the recurring symptom in <a href="https://github.com/teleproxy/teleproxy/issues/60">#60</a>.</li>
19271927
<li><strong><code>CONFIG_DOWNLOAD_PROXY</code> env var for the proxy-multi.conf download</strong> (<a href="https://github.com/teleproxy/teleproxy/issues/61">#61</a>). Hosts that can't reach <code>core.telegram.org</code> directly can now route the config refresh through an outbound HTTP or SOCKS proxy. Accepts any URL <code>curl -x</code> understands (<code>http://</code>, <code>https://</code>, <code>socks5://</code>, <code>socks5h://</code>, with optional <code>user:pass@</code>). Falls back to <code>SOCKS5_PROXY</code> when unset, so users who already proxy DC traffic don't need to set anything new. Applies to the initial fetch in <code>start.sh</code> and the 6-hour cron refresh.</li>
19281928
<li><strong>Split SNI domain from camouflage backend</strong> (<a href="https://github.com/teleproxy/teleproxy/issues/62">#62</a>). The fake-TLS feature used to require <code>EE_DOMAIN</code> to be both the SNI hostname and the backend connect target — operators worked around it by editing <code>/etc/hosts</code>. New <code>EE_BACKEND</code> env var separates the two: <code>EE_DOMAIN</code> keeps a clean public SNI name like <code>cloudflare.com</code>, while <code>EE_BACKEND</code> points at the actual backend (<code>127.0.0.1:8443</code>, <code>[::1]:8443</code>, or <code>unix:/run/nginx.sock</code>). Reality-style. Available as TOML too: <code>domain = [{ name = "cloudflare.com", backend = "127.0.0.1:8443" }]</code>. The legacy <code>EE_DOMAIN=host:port</code> and <code>domain = "..."</code> strings still work unchanged.</li>
1929+
<li><strong>Fix pre-handshake socket accumulation</strong> (<a href="https://github.com/teleproxy/teleproxy/issues/63">#63</a>). Scanners and probes that opened a TCP connection but never sent the obfs2 header used to sit on the proxy until OS-level TCP keepalive killed them roughly two hours later, inflating <code>total_connections</code> (Prometheus <code>teleproxy_active_connections</code>) far above the authenticated user count. The proxy already schedules a 10-second handshake alarm, but the handler used to no-op when fake-TLS wasn't configured. It now drops the unhandshaked socket. Most visible under random-padding (<code>dd</code>) mode, where there's no SNI gate to filter scanners early. New <code>make test-handshake-timeout</code> regression test asserts the counter returns to baseline within 15 seconds.</li>
19291930
</ul>
19301931
<h2 id="4122">4.12.2<a class="headerlink" href="#4122" title="Permanent link">&para;</a></h2>
19311932
<p>Build hygiene release. No runtime changes.</p>

search/search_index.json

Lines changed: 1 addition & 1 deletion
Large diffs are not rendered by default.

0 commit comments

Comments
 (0)