Add cert probe caching and configurable probe count

dolonet · dolonet · commit f2ea1862c79f · 2026-03-26T16:52:41.000+03:00
Cache probe results to JSON file to avoid 15 TLS connections on every
restart. Add noise_cache_path, noise_cache_ttl, and noise_probe_count
config options under [defense.doppelganger].
diff --git a/internal/cli/run_proxy.go b/internal/cli/run_proxy.go
@@ -269,6 +269,10 @@ func runProxy(conf *config.Config, version string) error { //nolint: funlen
 		DoppelGangerDRS:         conf.Defense.Doppelganger.DRS.Get(false),
 		DoppelGangerIdlePadding: conf.Defense.Doppelganger.IdlePadding.Get(false),
 
+		NoiseProbeCount: conf.Defense.Doppelganger.NoiseProbeCount.Get(0),
+		NoiseCacheTTL:   conf.Defense.Doppelganger.NoiseCacheTTL.Get(0),
+		NoiseCachePath:  conf.Defense.Doppelganger.NoiseCachePath,
+
 		APIBindTo: conf.APIBindTo.Get(""),
 	}
 
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -51,11 +51,14 @@ type Config struct {
 		Blocklist    ListConfig `json:"blocklist"`
 		Allowlist    ListConfig `json:"allowlist"`
 		Doppelganger struct {
-			URLs        []TypeHttpsURL  `json:"urls"`
-			Repeats     TypeConcurrency `json:"repeats_per_raid"`
-			UpdateEach  TypeDuration    `json:"raid_each"`
-			DRS         TypeBool        `json:"drs"`
-			IdlePadding TypeBool        `json:"idle_padding"`
+			URLs            []TypeHttpsURL  `json:"urls"`
+			Repeats         TypeConcurrency `json:"repeats_per_raid"`
+			UpdateEach      TypeDuration    `json:"raid_each"`
+			DRS             TypeBool        `json:"drs"`
+			IdlePadding     TypeBool        `json:"idle_padding"`
+			NoiseProbeCount TypeConcurrency `json:"noise_probe_count"`
+			NoiseCacheTTL   TypeDuration    `json:"noise_cache_ttl"`
+			NoiseCachePath  string          `json:"noise_cache_path"`
 		} `json:"doppelganger"`
 	} `json:"defense"`
 	Network struct {
diff --git a/mtglib/internal/tls/fake/cert_probe.go b/mtglib/internal/tls/fake/cert_probe.go
@@ -3,8 +3,10 @@ package fake
 import (
 	"crypto/tls"
 	"encoding/binary"
+	"encoding/json"
 	"fmt"
 	"net"
+	"os"
 	"sync"
 	"time"
 )
@@ -13,15 +15,76 @@ const (
 	probeDialTimeout      = 10 * time.Second
 	probeHandshakeTimeout = 10 * time.Second
 	defaultProbeCount     = 15
+	defaultCacheTTL       = 24 * time.Hour
 
 	tlsTypeChangeCipherSpec = 0x14
 	tlsTypeApplicationData  = 0x17
 )
 
 // CertProbeResult holds the measured encrypted handshake size.
 type CertProbeResult struct {
-	Mean   int
-	Jitter int
+	Mean   int `json:"mean"`
+	Jitter int `json:"jitter"`
+}
+
+// CertProbeCache is the on-disk format for cached probe results.
+type CertProbeCache struct {
+	Hostname string    `json:"hostname"`
+	Port     int       `json:"port"`
+	Mean     int       `json:"mean"`
+	Jitter   int       `json:"jitter"`
+	ProbedAt time.Time `json:"probed_at"`
+}
+
+// LoadCachedProbe reads a cached probe result from path. Returns the result
+// and true if the cache exists, matches hostname:port, and is younger than ttl.
+// Otherwise returns zero value and false.
+func LoadCachedProbe(path, hostname string, port int, ttl time.Duration) (CertProbeResult, bool) {
+	if ttl <= 0 {
+		ttl = defaultCacheTTL
+	}
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return CertProbeResult{}, false
+	}
+
+	var cache CertProbeCache
+	if err := json.Unmarshal(data, &cache); err != nil {
+		return CertProbeResult{}, false
+	}
+
+	if cache.Hostname != hostname || cache.Port != port {
+		return CertProbeResult{}, false
+	}
+
+	if time.Since(cache.ProbedAt) > ttl {
+		return CertProbeResult{}, false
+	}
+
+	if cache.Mean <= 0 {
+		return CertProbeResult{}, false
+	}
+
+	return CertProbeResult{Mean: cache.Mean, Jitter: cache.Jitter}, true
+}
+
+// SaveCachedProbe writes a probe result to path as JSON.
+func SaveCachedProbe(path, hostname string, port int, result CertProbeResult) error {
+	cache := CertProbeCache{
+		Hostname: hostname,
+		Port:     port,
+		Mean:     result.Mean,
+		Jitter:   result.Jitter,
+		ProbedAt: time.Now(),
+	}
+
+	data, err := json.MarshalIndent(cache, "", "  ")
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(path, data, 0o644) //nolint: gosec
 }
 
 // ProbeCertSize connects to hostname:port via TLS multiple times and measures
diff --git a/mtglib/proxy.go b/mtglib/proxy.go
@@ -392,13 +392,38 @@ func NewProxy(opts ProxyOpts) (*Proxy, error) {
 	probePort := opts.getDomainFrontingPort()
 	noiseParams := fake.NoiseParams{}
 
-	probeResult, err := fake.ProbeCertSize(probeHost, probePort, 15)
-	if err != nil {
-		logger.WarningError("cert probe failed, using default noise size", err)
-	} else {
-		noiseParams = fake.NoiseParams(probeResult)
-		logger.Info(fmt.Sprintf("cert probe: host=%s mean=%d jitter=%d",
-			probeHost, probeResult.Mean, probeResult.Jitter))
+	probeCount := int(opts.NoiseProbeCount)
+	if probeCount <= 0 {
+		probeCount = 15
+	}
+
+	cacheTTL := opts.NoiseCacheTTL
+
+	// Try loading from cache first.
+	if opts.NoiseCachePath != "" {
+		if cached, ok := fake.LoadCachedProbe(opts.NoiseCachePath, probeHost, probePort, cacheTTL); ok {
+			noiseParams = fake.NoiseParams(cached)
+			logger.Info(fmt.Sprintf("cert probe: loaded from cache, host=%s mean=%d jitter=%d",
+				probeHost, cached.Mean, cached.Jitter))
+		}
+	}
+
+	// If no cached result, probe live.
+	if noiseParams.Mean == 0 {
+		probeResult, err := fake.ProbeCertSize(probeHost, probePort, probeCount)
+		if err != nil {
+			logger.WarningError("cert probe failed, using default noise size", err)
+		} else {
+			noiseParams = fake.NoiseParams(probeResult)
+			logger.Info(fmt.Sprintf("cert probe: host=%s mean=%d jitter=%d",
+				probeHost, probeResult.Mean, probeResult.Jitter))
+
+			if opts.NoiseCachePath != "" {
+				if saveErr := fake.SaveCachedProbe(opts.NoiseCachePath, probeHost, probePort, probeResult); saveErr != nil {
+					logger.WarningError("failed to save cert probe cache", saveErr)
+				}
+			}
+		}
 	}
 
 	proxy := &Proxy{
diff --git a/mtglib/proxy_opts.go b/mtglib/proxy_opts.go
@@ -173,6 +173,18 @@ type ProxyOpts struct {
 	// during idle periods to mimic HTTP/2 PING keepalive traffic.
 	DoppelGangerIdlePadding bool
 
+	// NoiseProbeCount is the number of TLS connections to make when probing
+	// the fronting domain's cert chain size. Default is 15.
+	NoiseProbeCount uint
+
+	// NoiseCacheTTL is how long a cached cert probe result is considered valid.
+	// Default is 24 hours.
+	NoiseCacheTTL time.Duration
+
+	// NoiseCachePath is the file path for caching cert probe results between
+	// restarts. If empty, no caching is performed.
+	NoiseCachePath string
+
 	// APIBindTo is the address to bind the stats HTTP API server to.
 	// If empty, the stats API server is not started.
 	//

Original file line number	Diff line number	Diff line change
`@@ -269,6 +269,10 @@ func runProxy(conf *config.Config, version string) error { //nolint: funlen`
`269`	`269`	`DoppelGangerDRS: conf.Defense.Doppelganger.DRS.Get(false),`
`270`	`270`	`DoppelGangerIdlePadding: conf.Defense.Doppelganger.IdlePadding.Get(false),`
`271`	`271`
	`272`	`+ NoiseProbeCount: conf.Defense.Doppelganger.NoiseProbeCount.Get(0),`
	`273`	`+ NoiseCacheTTL: conf.Defense.Doppelganger.NoiseCacheTTL.Get(0),`
	`274`	`+ NoiseCachePath: conf.Defense.Doppelganger.NoiseCachePath,`
	`275`	`+`
`272`	`276`	`APIBindTo: conf.APIBindTo.Get(""),`
`273`	`277`	`}`
`274`	`278`