v1.0.5 — Clone, Bulk-Extend, Doctor, Stats & More

New Commands

• secret clone <src> <new> — Duplicate a secret with all its limits (new key generated)
• secret bulk-extend <days> — Extend all secrets' expiry dates at once, re-enables expired ones
• secret extend <label> <days> — Extend a single secret's expiry
• secret rename <old> <new> — Rename a secret's label
• secret export — Export all secrets + limits to CSV (stdout or file)
• secret import <file> — Import secrets from CSV, skips duplicates
• secret disable-expired — Scan and disable all expired secrets
• secret stats — Compact per-user overview: connections, IPs, traffic, quota %, expiry
• secret sort [traffic|conns|date|name] — Reorder the secrets list
• connections — Live active connections per user with traffic breakdown
• doctor — Comprehensive diagnostics: Docker, engine, port, metrics, domain TLS, secrets, disk, config, Telegram bot

Improvements

• Auto-rotate secrets on domain change — CLI and TUI now prompt to rotate all secrets when the domain changes, preventing stale proxy links
• QR code on secret add — Inline QR code shown after creating a secret (if qrencode installed)
• Startup warnings — mtproxymax start warns about expired and near-expiry secrets
• Connection limit warning — Setting conns below 5 warns that Telegram uses ~3 TCP connections per device
• Memory unit clarification — Prompts now show e.g. 256m, 1g to prevent confusion

Engine

• Upgraded to telemt v3.3.39 — TLS fronting fix (improved fake-TLS compatibility), memory hard-bounds, bounded retries, conntrack control, ME2DC fast init, new relay methods

Bug Fixes

• Fix Docker install on Fedora 41+ — Use Fedora repo URL + support dnf5 --addrepo (#61)
• Fix Telegram bot — grep: invalid option on chat ID auto-detect, Markdown escaping breaking test messages (#58)
• Fix list backups crash — ls exit code with no backups killed script under set -e (#57)
• Fix masking toggle — dd prefix when masking is off, secure mode enabled for non-TLS connections (#58)
• Fix hot-reload — cp instead of mv to preserve Docker bind-mount inode (#31)
• Show Docker error on start failure — No longer swallows docker run error output (#60)

TUI

All new features available in TUI menus:

• Secrets menu: rename [9], clone [c], extend [x], bulk-extend [e], disable-expired [d], stats [s], sort [t], export/import [i]
• Logs & Traffic: active connections [5]
• Info & Help: doctor [d]

---

Upgrade: mtproxymax update

v1.0.4 — Replication, Engine v3.3.32, SNI Policy & Metrics

What's New

🗂️ Master-Slave Replication (#39)

Automatic config synchronization from a master server to one or more slaves via rsync+SSH on a configurable interval (default: 60s).

• Synced files: secrets.conf, upstreams.conf, instances.conf, config.toml
• Never synced: settings.conf, replication.conf (slave role always preserved)
• Wizard: mtproxymax replication setup — interactive master/slave/standalone setup
• Failover: mtproxymax replication promote — promote slave to master
• Configurable SSH user (REPLICATION_SSH_USER), rsync --delete toggle, dependency checks
• TUI: [r] Replication in main menu with full management interface
• 112 unit tests included

🛡️ Unknown SNI Policy (#40)

Configurable mask (permissive, default) or drop (strict) for TLS connections with non-matching SNI.

• CLI: mtproxymax sni-policy [mask|drop]
• TUI: Security & Routing > Unknown SNI Policy
• Hot-reloads instantly — no container restart needed

📊 Engine Metrics Dashboard

• mtproxymax metrics — connections, upstream routing, per-user stats, ME pool status
• mtproxymax metrics live [seconds] — auto-refresh dashboard

🔄 Reset Traffic Counters

• mtproxymax secret reset-traffic <label|all> — manually reset per-user cumulative traffic

⚙️ Engine Upgrade (v3.3.30 → v3.3.32)

• Bounded hybrid routing loop — hard timeout on ME no-writer recovery
• ArcSwap snapshots — lock-free concurrent reads, less contention
• Parallel health checks — reduced latency during writer recovery
• Refined quarantine — draining writers no longer needlessly quarantine healthy endpoints
• New backpressure model — tiered base/high watermark
• TLS fetcher redesign — adaptive profile cascade, per-target caching
• Atomic per-user quotas — removed locking from hot path

---

Bug Fixes

• Fix proxy auto-restarting after intentional stop (#49) — Docker restart policy and bot auto-recovery now respect a manual stop
• Fix 'echo: write error: Broken pipe' on Alpine (#37) — replaced process-substitution FIFOs with here-strings
• Fix menu requiring double input on Alpine (#38) — drain leftover escape-sequence bytes from multi-byte key presses
• Fix 'Enter choice' prompt disappearing on Alpine (#48) — removed -s flag from input drain reads
• Fix SNI rejection after engine upgrade (#40) — unknown_sni_action default changed to drop in v3.3.31+, now explicitly configurable
• Fix traffic stats lost on restart (#44) — flush traffic before hot-reload; save existing cumulative even when Prometheus unreachable
• Fix update lock leak (#43) — flock FD now released via trap RETURN; fixed false "already running" in same TUI session
• Auto-clean old Docker images (#45) — old engine images pruned on every update
• Re-exec after script update (#46) — TUI automatically restarts with the new version after update
• Fix hot-reload — cp config in-place instead of mv to preserve Docker bind-mount inode

---

Upgrade

mtproxymax update

v1.0.3 — Notes, Quota Enforcement, Multi-Port & More

What's New in v1.0.3

Secret Notes

• Attach descriptions to any secret: mtproxymax secret note user1 "John's phone"
• Notes displayed in secret list and TUI option [8]

Quota Enforcement & Alerts

• Telegram warning at 80% quota usage, auto-disable at 100%
• Works even without Telegram bot enabled (enforcement is policy, not notification)
• mtproxymax secret reenable <label> to restore with optional traffic counter reset

Expiry Warnings

• Secret list shows (3d left), (expired) indicators
• Telegram alerts 3 days before a secret expires

JSON Status Output

• mtproxymax status --json — structured output for Grafana, Zabbix, or custom monitoring
• Includes all secrets with per-user traffic, connections, quota, expiry, and notes

Connection Log

• Per-user activity log with timestamps and traffic deltas
• Auto-rotates at 10,000 lines
• CLI: mtproxymax connlog / connlog clear
• TUI: Logs & Traffic > [2]

Backup & Restore

• mtproxymax backup — creates timestamped tar.gz with all config, secrets, stats
• mtproxymax restore <file> — validates and restores with confirmation
• mtproxymax backups — list available backups
• Also available in TUI: About & Update > [2]/[3]/[4]

Multi-Port Instances

• Run the proxy on multiple ports with shared secrets
• mtproxymax instance add <port> / instance remove <port> / instance list
• Secondary instances integrated into start/stop/restart, geo-blocking, and config hot-reload

Other Improvements

• Hot-reload for secrets — add/remove/rotate without dropping connections
• Whitelist geo-blocking mode (#29)
• Quota enforcement runs independently of Telegram alert settings

---

Upgrade

mtproxymax update

v1.0.2 — Persistent Traffic & TUI Performance

What's New in v1.0.2

Persistent Traffic Counters (#13)

• Traffic stats (TRAFFIC IN / TRAFFIC OUT) now survive container restarts
• Cumulative traffic saved to disk every 60 seconds, even without Telegram bot enabled
• Final traffic snapshot flushed before every stop/restart — no data loss on clean shutdown
• All displays (CLI, TUI, live monitor, Telegram bot) show correct cumulative totals

TUI Performance

• Batch stats loading — single metrics fetch + single file read replaces per-user subprocess spawning (~256 forks → ~5 for 32 users)
• Replaced echo | awk field extraction with bash read -r builtins throughout
• printf '%(%Y-%m-%d)T' builtin for date formatting (zero forks)

Reliability

• Atomic file writes with flock — prevents race conditions between daemon and CLI
• Fixed in/out direction mapping — consistent from_client=in, to_client=out across all functions
• Lock released on all early return paths (no lock leaks)
• Integer validation on all values read from traffic files

---

What's New Since v1.0.0

v1.0.1 — Batch Secret Management (#12)

• secret add-batch <l1> <l2> ... — add multiple secrets with a single restart
• secret remove-batch <l1> <l2> ... — remove multiple secrets with a single restart
• --no-restart flag for secret add/remove/add-batch/remove-batch
• TUI interactive menu options [6] and [7] for batch operations

v1.0.0 — Engine v3.3.14

• Event-Driven ME — reduced CPU on idle/low-traffic servers
• CPU/RAM hot-path optimization
• ME writer selection, DC-to-client tuning, ME/DC reroute
• Adaptive floor planner, PROXY real IP in logs

---

Upgrade

curl -fsSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/mtproxymax.sh -o /usr/local/bin/mtproxymax && chmod +x /usr/local/bin/mtproxymax