feat: user-configurable passthrough_hosts (fix #39, #127)

New config field `passthrough_hosts: Vec<String>` that lists hostnames
which should bypass Apps Script relay entirely and pass through as
plain TCP (via upstream_socks5 if set). Applies across all modes —
apps_script, google_only, and full — because it expresses user intent
("never relay this host") that should win over the default routing.

Matching rules:
- Exact: "example.com" matches only example.com
- Suffix: ".example.com" matches example.com AND any subdomain
- Case-insensitive; trailing dots normalized
- Empty / whitespace-only entries are ignored

Dispatch order is now:
  0. passthrough_hosts  ← new, highest priority
  1. Mode::Full         → batch tunnel
  2. SNI-rewrite        → direct Google edge
  3. Mode::GoogleOnly   → plain-tcp
  4. Mode::AppsScript   → peek + MITM/relay/plain-tcp

Wired through:
- src/config.rs: new Config field with serde default
- src/proxy_server.rs: RewriteCtx.passthrough_hosts + matches_passthrough()
  helper + dispatch check as step 0 + 5 new unit tests
- src/bin/ui.rs: FormState + ConfigWire round-trip so the desktop UI
  preserves user entries across save/load

Android ConfigStore.kt wiring and a UI editor will land in a follow-up.

80 tests pass (75 → 80 with the new passthrough match tests).

Author: therealaleph

src/bin/ui.rs

@@ -213,6 +213,7 @@ struct FormState {
     google_ip_validation: bool,
     normalize_x_graphql: bool,
     youtube_via_relay: bool,
+    passthrough_hosts: Vec<String>,
 }
 
 #[derive(Clone, Debug)]
@@ -291,6 +292,7 @@ fn load_form() -> (FormState, Option<String>) {
             scan_batch_size:c.scan_batch_size,
             normalize_x_graphql: c.normalize_x_graphql,
             youtube_via_relay: c.youtube_via_relay,
+            passthrough_hosts: c.passthrough_hosts.clone(),
         }
     } else {
         FormState {
@@ -317,6 +319,7 @@ fn load_form() -> (FormState, Option<String>) {
             scan_batch_size:500,
             normalize_x_graphql: false,
             youtube_via_relay: false,
+            passthrough_hosts: Vec::new(),
         }
     };
     (form, load_err)
@@ -456,6 +459,9 @@ impl FormState {
             // config-only flag for now. Passed through from the loaded
             // config if set, otherwise defaults to false.
             youtube_via_relay: self.youtube_via_relay,
+            // Similarly config-only for now; round-trips through the
+            // file so the UI doesn't drop the user's entries on save.
+            passthrough_hosts: self.passthrough_hosts.clone(),
         })
     }
 }
@@ -496,6 +502,8 @@ struct ConfigWire<'a> {
     normalize_x_graphql: bool,
     #[serde(skip_serializing_if = "is_false")]
     youtube_via_relay: bool,
+    #[serde(skip_serializing_if = "Vec::is_empty")]
+    passthrough_hosts: &'a Vec<String>,
     // IP-scan knobs. These used to be missing from the wire struct, so
     // every Save-config silently dropped them — the user would toggle
     // "fetch from API" on, save, reopen, and find it off again. Add
@@ -548,6 +556,7 @@ impl<'a> From<&'a Config> for ConfigWire<'a> {
                 .map(|v| v.iter().map(String::as_str).collect()),
             normalize_x_graphql: c.normalize_x_graphql,
             youtube_via_relay: c.youtube_via_relay,
+            passthrough_hosts: &c.passthrough_hosts,
             fetch_ips_from_api: c.fetch_ips_from_api,
             max_ips_to_scan: c.max_ips_to_scan,
             scan_batch_size: c.scan_batch_size,

src/config.rs

@@ -146,6 +146,23 @@ pub struct Config {
     /// your Apps Script quota. Off by default.
     #[serde(default)]
     pub youtube_via_relay: bool,
+
+    /// User-configurable passthrough list. Any host whose name matches
+    /// one of these entries bypasses the Apps Script relay entirely and
+    /// is plain-TCP-passthroughed (optionally through `upstream_socks5`).
+    ///
+    /// Accepts exact hostnames ("example.com") and leading-dot suffixes
+    /// (".internal.example" matches "a.b.internal.example"). Matches are
+    /// case-insensitive.
+    ///
+    /// Dispatched BEFORE SNI-rewrite and Apps Script, so a passthrough
+    /// entry wins over the default Google-edge routing. Useful for
+    /// sites where you already have reachability without the relay
+    /// (saving Apps Script quota) or for hosts that break under MITM.
+    ///
+    /// Issues #39, #127.
+    #[serde(default)]
+    pub passthrough_hosts: Vec<String>,
 }
 
 fn default_fetch_ips_from_api() -> bool { false }

src/proxy_server.rs

@@ -140,6 +140,35 @@ pub struct RewriteCtx {
     /// goes through the Apps Script relay instead. See config.rs for
     /// the trade-off. Issue #102.
     pub youtube_via_relay: bool,
+    /// User-configured hostnames that should skip the relay entirely
+    /// and pass through as plain TCP (optionally via upstream_socks5).
+    /// See config.rs `passthrough_hosts` for matching rules. Issues #39, #127.
+    pub passthrough_hosts: Vec<String>,
+}
+
+/// True if `host` matches any entry in the user's passthrough list.
+/// Match is case-insensitive. Entries match either exactly, or as a
+/// suffix if they start with "." (e.g. ".internal.example" matches
+/// "a.b.internal.example" and the bare "internal.example"). Bare
+/// entries like "example.com" only match the exact hostname — users
+/// who want subdomains included should use ".example.com".
+pub fn matches_passthrough(host: &str, list: &[String]) -> bool {
+    if list.is_empty() {
+        return false;
+    }
+    let h = host.to_ascii_lowercase();
+    let h = h.trim_end_matches('.');
+    list.iter().any(|entry| {
+        let e = entry.trim().trim_end_matches('.').to_ascii_lowercase();
+        if e.is_empty() {
+            return false;
+        }
+        if let Some(suffix) = e.strip_prefix('.') {
+            h == suffix || h.ends_with(&format!(".{}", suffix))
+        } else {
+            h == e
+        }
+    })
 }
 
 impl ProxyServer {
@@ -183,6 +212,7 @@ impl ProxyServer {
             upstream_socks5: config.upstream_socks5.clone(),
             mode,
             youtube_via_relay: config.youtube_via_relay,
+            passthrough_hosts: config.passthrough_hosts.clone(),
         });
 
         let socks5_port = config.socks5_port.unwrap_or(config.listen_port + 1);
@@ -557,6 +587,24 @@ async fn dispatch_tunnel(
     rewrite_ctx: Arc<RewriteCtx>,
     tunnel_mux: Option<Arc<TunnelMux>>,
 ) -> std::io::Result<()> {
+    // 0. User-configured passthrough list wins over every other path.
+    //    If the host matches `passthrough_hosts`, we raw-TCP it (through
+    //    upstream_socks5 if set) and never touch Apps Script, SNI-rewrite,
+    //    or MITM. Point: saves Apps Script quota on hosts the user already
+    //    has reachability to, and avoids MITM-breaking cert pinning on
+    //    hosts the user knows are cert-pinned. Issues #39, #127.
+    if matches_passthrough(&host, &rewrite_ctx.passthrough_hosts) {
+        let via = rewrite_ctx.upstream_socks5.as_deref();
+        tracing::info!(
+            "dispatch {}:{} -> raw-tcp ({}) (passthrough_hosts match)",
+            host,
+            port,
+            via.unwrap_or("direct")
+        );
+        plain_tcp_passthrough(sock, &host, port, via).await;
+        return Ok(());
+    }
+
     // 1. Full tunnel mode: ALL traffic goes through the batch multiplexer
     //    (Apps Script → tunnel node → real TCP). No MITM, no cert.
     if rewrite_ctx.mode == Mode::Full {
@@ -1677,4 +1725,47 @@ mod tests {
 
         assert!(should_use_sni_rewrite(&hosts, "rr4.googlevideo.com", 443, true));
     }
+
+    #[test]
+    fn passthrough_hosts_exact_match() {
+        let list = vec!["example.com".to_string(), "banking.local".to_string()];
+        assert!(matches_passthrough("example.com", &list));
+        assert!(matches_passthrough("banking.local", &list));
+        assert!(matches_passthrough("EXAMPLE.COM", &list)); // case-insensitive
+        assert!(!matches_passthrough("notexample.com", &list));
+        assert!(!matches_passthrough("sub.example.com", &list)); // exact only, not suffix
+    }
+
+    #[test]
+    fn passthrough_hosts_dot_prefix_is_suffix_match() {
+        let list = vec![".internal.example".to_string()];
+        assert!(matches_passthrough("internal.example", &list)); // bare parent matches
+        assert!(matches_passthrough("a.internal.example", &list));
+        assert!(matches_passthrough("a.b.c.internal.example", &list));
+        assert!(!matches_passthrough("internal.exampleX", &list));
+        assert!(!matches_passthrough("fakeinternal.example", &list));
+    }
+
+    #[test]
+    fn passthrough_hosts_empty_list_never_matches() {
+        let list: Vec<String> = vec![];
+        assert!(!matches_passthrough("anything.com", &list));
+        assert!(!matches_passthrough("", &list));
+    }
+
+    #[test]
+    fn passthrough_hosts_ignores_empty_and_whitespace_entries() {
+        let list = vec!["".to_string(), "   ".to_string(), "real.com".to_string()];
+        assert!(!matches_passthrough("", &list));
+        assert!(matches_passthrough("real.com", &list));
+    }
+
+    #[test]
+    fn passthrough_hosts_trailing_dot_normalized() {
+        // FQDNs sometimes have a trailing dot; both entry-side and host-side
+        // trailing dots should be treated as equivalent to the un-dotted form.
+        let list = vec!["example.com.".to_string()];
+        assert!(matches_passthrough("example.com", &list));
+        assert!(matches_passthrough("example.com.", &list));
+    }
 }