From 7bfad732e23438b55888270eb007f8b68e2eb72d Mon Sep 17 00:00:00 2001
From: v14d4n <65820175+v14d4n@users.noreply.github.com>
Date: Mon, 22 Jun 2026 14:12:40 +0400
Subject: [PATCH] feat(masque): make TLS SNI configurable via server_name

MASQUE outbound previously hardcoded the TLS SNI to consumer-masque.cloudflareclient.com. Add a server_name field to the MASQUE outbound TLS options. When empty it falls back to the existing default (cloudflare.ConnectSNI), so existing configs are unaffected.
---
 examples/masque/client.json | 1 +
 option/masque.go | 1 +
 protocol/masque/outbound.go | 6 +++++-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/examples/masque/client.json b/examples/masque/client.json
index e858af6f..032482a4 100644
--- a/examples/masque/client.json
+++ b/examples/masque/client.json
@@ -40,6 +40,7 @@
 "udp_initial_packet_size": 0,
 "reconnect_delay": "5s",
 "tls": { // TLS fields for HTTP2
+"server_name": "", // SNI; empty = default "consumer-masque.cloudflareclient.com"
 "insecure": false,
 "cipher_suites": [],
 "curve_preferences": [],
diff --git a/option/masque.go b/option/masque.go
index 7ccef2a8..2e8913fc 100644
--- a/option/masque.go
+++ b/option/masque.go
@@ -22,6 +22,7 @@ type MASQUEOutboundOptions struct {
 }
 
 type MASQUEOutboundTLSOptions struct {
+ServerName string `json:"server_name,omitempty"`
 Insecure bool `json:"insecure,omitempty"`
 CipherSuites badoption.Listable[string] `json:"cipher_suites,omitempty"`
 CurvePreferences badoption.Listable[CurvePreference] `json:"curve_preferences,omitempty"`
diff --git a/protocol/masque/outbound.go b/protocol/masque/outbound.go
index 80a60c5a..1a9c850b 100644
--- a/protocol/masque/outbound.go
+++ b/protocol/masque/outbound.go
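Review bot: The new `ServerName` field in MASQUEOutboundTLSOptions carries no comment saying what an empty value means, so the rule "empty selects consumer-masque.cloudflareclient.com" is only discoverable from the example config and from the defaulting code in protocol/masque/outbound.go; a field comment such as `// ServerName is the TLS SNI sent to the MASQUE server; empty selects the Cloudflare default (cloudflare.ConnectSNI).` would keep that contract next to the type. The neighbouring fields (`Insecure`, `CipherSuites`, `CurvePreferences`) are equally uncommented, so this matches the file's existing style, but a value that decides which name the TLS handshake is addressed to is worth stating explicitly. MASQUEOutboundTLSOptions continues past the end of the hunk.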
@@ -100,7 +100,11 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 logger.ErrorContext(ctx, E.New("failed to generate cert: ", err))
 return
 }
-tlsConfig, err := tls.NewMASQUEClient(ctx, logger, "consumer-masque.cloudflareclient.com", cert, privKey, peerPubKey, common.PtrValueOrDefault(options.TLS))
+serverName := cloudflare.ConnectSNI
+if options.TLS != nil && options.TLS.ServerName != "" {
+serverName = options.TLS.ServerName
+}
+tlsConfig, err := tls.NewMASQUEClient(ctx, logger, serverName, cert, privKey, peerPubKey, common.PtrValueOrDefault(options.TLS))
 if err != nil {
 logger.ErrorContext(ctx, E.New("failed to prepare TLS config: ", err))
 return
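Review bot: `options.TLS.ServerName` is passed straight into `tls.NewMASQUEClient` as the SNI (and, if that helper also uses it as the expected certificate name, as the verification target) with no validation, so a value carrying a port, a scheme or surrounding whitespace produces a failed handshake at connect time rather than a configuration error; consider rejecting anything that is not a bare hostname when the option is parsed, or at least normalising it here before the fallback check. The fallback `serverName := cloudflare.ConnectSNI` assumes the `cloudflare` package is already imported in outbound.go, since the diffstat shows no import change for this file, and the commit message rather than the code is what asserts that constant equals the removed literal `"consumer-masque.cloudflareclient.com"` — both are worth confirming. Because `common.PtrValueOrDefault(options.TLS)` is already computed for the call, the nil check can be dropped by binding it once, `tlsOptions := common.PtrValueOrDefault(options.TLS)`, reading `serverName := tlsOptions.ServerName` and defaulting when empty, then passing `tlsOptions` to the call. NewOutbound begins and ends outside the hunk.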