Merge pull request #97 from v14d4n/feat/masque-configurable-sni

Make masque TLS SNI configurable via server_name

README.md

@@ -3,7 +3,7 @@
 [![license](https://img.shields.io/badge/license-GPLv3-blue.svg)](LICENSE)
 [![go](https://img.shields.io/badge/go-1.26-00ADD8.svg)](go.mod)
 [![codeberg](https://img.shields.io/badge/mirror-codeberg-2185D0.svg)](https://codeberg.org/shtorm-7/sing-box-extended)
-[![telegram](https://img.shields.io/badge/telegram-channel-26A5E4.svg)](https://t.me/sing_box_extended)
+[![telegram](https://img.shields.io/badge/telegram-chat-26A5E4.svg)](https://t.me/sing_box_extended)
 
 Sing-box with extended features.
 
@@ -17,6 +17,7 @@ Sing-box with extended features.
 - **OpenVPN** — OpenVPN client with tls-auth, tls-crypt and tls-crypt-v2 support
 - **TrustTunnel** — AdGuard's obfuscated VPN protocol, indistinguishable from HTTPS traffic
 - **Sudoku** — Traffic obfuscation protocol based on 4×4 Sudoku puzzles with low-entropy fingerprints
+- **Snell** — Lightweight encrypted proxy (v1–v5) with TLS / HTTP obfuscation
 - **SSH** — SSH client and server with certificate authentication and upstream fallback
 - **VPN** — Routed tunnel over any TCP sing-box protocol
 - **Bond** — Link aggregation for increasing throughput

examples/admin_panel-manager-node/node.json

@@ -66,7 +66,7 @@
         "action": "hijack-dns"
       }
     ],
-    "final": "connection-limiter"
+    "final": "traffic-limiter"
   },
   "services": [
     {

examples/masque/client.json

@@ -42,6 +42,7 @@
       "congestion_controller": "bbr",
       "cwnd": 0,
       "tls": { // TLS fields for HTTP2
+        "server_name": "", // SNI; empty = default "consumer-masque.cloudflareclient.com"
         "insecure": false,
         "cipher_suites": [],
         "curve_preferences": [],

option/masque.go

@@ -24,6 +24,7 @@ type MASQUEOutboundOptions struct {
 }
 
 type MASQUEOutboundTLSOptions struct {
+	ServerName            string                              `json:"server_name,omitempty"`
 	Insecure              bool                                `json:"insecure,omitempty"`
 	CipherSuites          badoption.Listable[string]          `json:"cipher_suites,omitempty"`
 	CurvePreferences      badoption.Listable[CurvePreference] `json:"curve_preferences,omitempty"`

protocol/masque/outbound.go

@@ -102,7 +102,11 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 			logger.ErrorContext(ctx, E.New("failed to generate cert: ", err))
 			return
 		}
-		tlsConfig, err := tls.NewMASQUEClient(ctx, logger, "consumer-masque.cloudflareclient.com", cert, privKey, peerPubKey, common.PtrValueOrDefault(options.TLS))
+		serverName := cloudflare.ConnectSNI
+		if options.TLS != nil && options.TLS.ServerName != "" {
+			serverName = options.TLS.ServerName
+		}
+		tlsConfig, err := tls.NewMASQUEClient(ctx, logger, serverName, cert, privKey, peerPubKey, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			logger.ErrorContext(ctx, E.New("failed to prepare TLS config: ", err))
 			return