Upgrade engine to v3.3.30 — TLS fetcher redesign, SNI validator, atomic quotas

- Adaptive TLS profile cascade for better DPI evasion
- SNI validation drops invalid probes cheaply
- Per-user quotas migrated to lock-free atomics
- Add PROXY_PROTOCOL_TRUSTED_CIDRS setting for trusted source networks
- DPI shape/timing hardening, masking prefetch

Author: SamNet-dev

.github/workflows/build-engine.yml

@@ -6,11 +6,11 @@ on:
       telemt_commit:
         description: 'Telemt commit hash to build from'
         required: true
-        default: '342b011'
+        default: '22097f8'
       version_tag:
-        description: 'Version tag (e.g. 3.3.28-342b011)'
+        description: 'Version tag (e.g. 3.3.30-22097f8)'
         required: true
-        default: '3.3.28-342b011'
+        default: '3.3.30-22097f8'
 
 env:
   REGISTRY: ghcr.io

README.md

@@ -535,25 +535,21 @@ mtproxymax telegram remove              # Remove bot completely
 - **`--no-restart` flag** — `secret add/remove/add-batch/remove-batch --no-restart` for scripting and automation
 - **TUI options** — Interactive menu options [6] and [7] for batch operations
 
-### v1.0.0 — Engine v3.3.28
+### v1.0.0 — Engine v3.3.30
 
-**Engine Upgrade (v3.3.3 → v3.3.28):**
+**Engine Upgrade (v3.3.28 → v3.3.30):**
 
-- **ME Anti-Stuck + Orphan Watchdog** — Root cause fix for random connection drops: writer cleanup races resolved, orphaned writers detected and force-closed
-- **Quarantine Fixes** — Quarantined endpoints no longer bypass the circuit breaker, preventing flapping reconnection loops
-- **Authoritative Teardown** — New deterministic writer teardown sequence with force-close safety policy
-- **ME Draining on Dual-Stack** — Proper draining behavior on IPv4+IPv6 servers
-- **TLS Fetcher Upstream Selection** — Smarter upstream selection for TLS fetching
-- **Teardown Monitoring** — New API and Prometheus metrics for writer teardown visibility
-- **Instadrain + Hard-Remove** — Writers stuck draining are force-removed instead of hanging
+- **TLS Fetcher Redesign** — Adaptive profile cascade (Chrome → Firefox → TLS 1.2 → legacy) with per-target caching, automatic fallback on handshake failures — significantly harder to fingerprint/block via DPI
+- **TLS SNI Validator** — Enforces SNI from configured domain, drops invalid probes cheaply
+- **Atomic Per-User Quotas** — Removed locking from hot path for better throughput under load
+- **PROXY Protocol Trusted CIDRs** — Restrict PROXY header trust to specific source networks
+- **DPI Evasion Hardening** — Shape/timing hardening, masking prefetch, tiny-frame debt protection
+- **Shadowsocks Upstream** — New upstream transport option alongside SOCKS5
+- **ME Anti-Stuck + Orphan Watchdog** — Root cause fix for random connection drops
 - **Adaptive Buffers** — Dynamic buffer sizing: less RAM at low load, more throughput at high load
 - **Flow Performance** — 3x faster D2C flush + immediate ACK flushing for lower latency
-- **Hot-Reload Fixes** — Reliable config reload without restart
 - **Event-Driven ME** — Pool switches from busy-polling to event-driven, reducing CPU on idle servers
-- **CPU/RAM Hot-Path Optimization** — Removed hot-path obstacles for lower resource usage under load
-- **Source-IP ME Routing** — Routing decisions factor in source IP for multi-homed servers
 - **ME/DC Reroute** — Dynamic rerouting when preferred datacenter path degrades
-- **Per-Upstream Runtime Selftest** — Built-in diagnostics for upstream connectivity
 
 ### v1.0.0 — Per-User Limits + Telegram Bot
 

mtproxymax.sh

@@ -24,8 +24,8 @@ CONNECTION_LOG="${INSTALL_DIR}/connection.log"
 INSTANCES_FILE="${INSTALL_DIR}/instances.conf"
 CONTAINER_NAME="mtproxymax"
 DOCKER_IMAGE_BASE="mtproxymax-telemt"
-TELEMT_MIN_VERSION="3.3.28"
-TELEMT_COMMIT="342b011"  # Pinned: v3.3.28 — ME anti-stuck, quarantine fixes, orphan watchdog, dual-stack draining
+TELEMT_MIN_VERSION="3.3.30"
+TELEMT_COMMIT="22097f8"  # Pinned: v3.3.30 — TLS fetcher redesign, SNI validator, atomic quotas, PROXY trusted CIDRs
 GITHUB_REPO="SamNet-dev/MTProxyMax"
 REGISTRY_IMAGE="ghcr.io/samnet-dev/mtproxymax-telemt"
 
@@ -107,6 +107,7 @@ PROXY_MEMORY=""
 CUSTOM_IP=""
 FAKE_CERT_LEN=2048
 PROXY_PROTOCOL="false"
+PROXY_PROTOCOL_TRUSTED_CIDRS=""
 AD_TAG=""
 GEOBLOCK_MODE="blacklist"
 BLOCKLIST_COUNTRIES=""
@@ -571,6 +572,7 @@ PROXY_MEMORY='${PROXY_MEMORY}'
 CUSTOM_IP='${CUSTOM_IP}'
 FAKE_CERT_LEN='${FAKE_CERT_LEN}'
 PROXY_PROTOCOL='${PROXY_PROTOCOL}'
+PROXY_PROTOCOL_TRUSTED_CIDRS='${PROXY_PROTOCOL_TRUSTED_CIDRS}'
 
 # Ad-Tag (from @MTProxyBot)
 AD_TAG='${AD_TAG}'
@@ -623,7 +625,7 @@ load_settings() {
         # Whitelist of allowed keys
         case "$key" in
             PROXY_PORT|PROXY_METRICS_PORT|PROXY_DOMAIN|PROXY_CONCURRENCY|\
-            PROXY_CPUS|PROXY_MEMORY|CUSTOM_IP|FAKE_CERT_LEN|PROXY_PROTOCOL|AD_TAG|GEOBLOCK_MODE|BLOCKLIST_COUNTRIES|\
+            PROXY_CPUS|PROXY_MEMORY|CUSTOM_IP|FAKE_CERT_LEN|PROXY_PROTOCOL|PROXY_PROTOCOL_TRUSTED_CIDRS|AD_TAG|GEOBLOCK_MODE|BLOCKLIST_COUNTRIES|\
             MASKING_ENABLED|MASKING_HOST|MASKING_PORT|\
             TELEGRAM_ENABLED|TELEGRAM_BOT_TOKEN|TELEGRAM_CHAT_ID|\
             TELEGRAM_INTERVAL|TELEGRAM_ALERTS_ENABLED|TELEGRAM_SERVER_LABEL|\
@@ -1064,6 +1066,7 @@ port = ${port}
 listen_addr_ipv4 = "0.0.0.0"
 listen_addr_ipv6 = "::"
 proxy_protocol = ${PROXY_PROTOCOL:-false}
+$([ "$PROXY_PROTOCOL" = "true" ] && [ -n "$PROXY_PROTOCOL_TRUSTED_CIDRS" ] && echo "proxy_protocol_trusted_cidrs = [$(echo "$PROXY_PROTOCOL_TRUSTED_CIDRS" | sed 's/[[:space:]]*,[[:space:]]*/", "/g;s/^/"/;s/$/"/' )]")
 metrics_port = ${metrics_port}
 metrics_whitelist = ["127.0.0.1", "::1"]
 
@@ -3553,7 +3556,7 @@ load_tg_settings() {
             local key="${BASH_REMATCH[1]}" val="${BASH_REMATCH[2]}"
             case "$key" in
                 PROXY_PORT|PROXY_DOMAIN|PROXY_METRICS_PORT|PROXY_CONCURRENCY|\
-                PROXY_CPUS|PROXY_MEMORY|CUSTOM_IP|PROXY_PROTOCOL|MASKING_ENABLED|MASKING_HOST|MASKING_PORT|\
+                PROXY_CPUS|PROXY_MEMORY|CUSTOM_IP|PROXY_PROTOCOL|PROXY_PROTOCOL_TRUSTED_CIDRS|MASKING_ENABLED|MASKING_HOST|MASKING_PORT|\
                 AD_TAG|GEOBLOCK_MODE|BLOCKLIST_COUNTRIES|AUTO_UPDATE_ENABLED|\
                 TELEGRAM_ENABLED|TELEGRAM_BOT_TOKEN|TELEGRAM_CHAT_ID|\
                 TELEGRAM_INTERVAL|TELEGRAM_SERVER_LABEL|TELEGRAM_ALERTS_ENABLED)
@@ -6116,7 +6119,7 @@ show_settings_menu() {
         echo -e "  ${BOLD}Masking:${NC}     ${MASKING_ENABLED}"
         echo -e "  ${BOLD}Ad-tag:${NC}      ${AD_TAG:-${DIM}not set${NC}}"
         echo -e "  ${BOLD}Auto-update:${NC} ${AUTO_UPDATE_ENABLED}"
-        echo -e "  ${BOLD}PROXY proto:${NC} ${PROXY_PROTOCOL}"
+        echo -e "  ${BOLD}PROXY proto:${NC} ${PROXY_PROTOCOL}$([ "$PROXY_PROTOCOL" = "true" ] && [ -n "$PROXY_PROTOCOL_TRUSTED_CIDRS" ] && echo " (trusted: ${PROXY_PROTOCOL_TRUSTED_CIDRS})")"
         echo -e "  ${BOLD}Engine:${NC}      telemt v$(get_telemt_version)"
         echo ""
         echo -e "  ${DIM}[1]${NC} Change port"
@@ -6273,6 +6276,13 @@ show_settings_menu() {
                 ;;
             8)
                 [ "$PROXY_PROTOCOL" = "true" ] && PROXY_PROTOCOL="false" || PROXY_PROTOCOL="true"
+                if [ "$PROXY_PROTOCOL" = "true" ]; then
+                    echo -en "  ${BOLD}Trusted CIDRs (comma-separated, e.g. 10.0.0.0/8,172.16.0.0/12, empty=reject all):${NC} "
+                    local cidrs; read -r cidrs
+                    PROXY_PROTOCOL_TRUSTED_CIDRS="$cidrs"
+                else
+                    PROXY_PROTOCOL_TRUSTED_CIDRS=""
+                fi
                 save_settings
                 log_success "PROXY protocol: ${PROXY_PROTOCOL}"
                 if is_proxy_running; then