v0.3.1: IP-literal destinations -> plain TCP passthrough (always)

User reported log spam on Windows with many 'relay failed: خطای SSL'
errors for IP-literal targets like 172.105.237.214:443. Root cause:
xray/VLESS, torrent, SSH, and other app-level clients use raw IPs in
CONNECT/SOCKS5 targets. Our previous logic would MITM these, see
'POST /' inside the xhttp wrapping, forward to Apps Script, which
would then fail SSL-verifying the app's self-signed backend.

New heuristic: if the CONNECT target is an IP literal, skip MITM
entirely and do plain TCP passthrough. Reasoning: browsers never
use raw IPs in CONNECT -- they always have a domain. Any client
using an IP literal is using a custom protocol that we have no
business MITMing.

Effect: xray/VLESS tunnels now work through mhrv-rs SOCKS5 (the
app's own TLS wrap passes through untouched). Browser HTTPS still
MITM'd + relayed as before (domain CONNECTs).

Also downgraded 'relay failed' logs from error to warn so they don't
spam the ERROR channel on misrouted traffic.

Cargo.lock

@@ -365,7 +365,7 @@ checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
 [[package]]
 name = "mhrv-rs"
-version = "0.3.0"
+version = "0.3.1"
 dependencies = [
  "base64",
  "bytes",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mhrv-rs"
-version = "0.3.0"
+version = "0.3.1"
 edition = "2021"
 description = "Rust port of MasterHttpRelayVPN -- DPI bypass via Google Apps Script relay with domain fronting"
 license = "MIT"

src/domain_fronter.rs

@@ -318,12 +318,15 @@ impl DomainFronter {
             Ok(Ok(bytes)) => bytes,
             Ok(Err(e)) => {
                 self.relay_failures.fetch_add(1, Ordering::Relaxed);
-                tracing::error!("Relay failed: {}", e);
+                // Most upstream errors (self-signed certs, unreachable hosts,
+                // non-HTTP endpoints) are normal for misrouted traffic. Log
+                // at warn so they don't spam error channels.
+                tracing::warn!("relay failed: {}", e);
                 return error_response(502, &format!("Relay error: {}", e));
             }
             Err(_) => {
                 self.relay_failures.fetch_add(1, Ordering::Relaxed);
-                tracing::error!("Relay timeout");
+                tracing::warn!("relay timeout");
                 return error_response(504, "Relay timeout");
             }
         };

src/proxy_server.rs

@@ -308,7 +308,17 @@ async fn dispatch_tunnel(
         return do_sni_rewrite_tunnel_from_tcp(sock, &host, port, mitm, rewrite_ctx).await;
     }
 
-    // 2. Peek at the first byte to detect TLS vs plain. Time-bounded — if the
+    // 2. IP-literal destinations are almost always app-level custom protocols
+    //    (xray/VLESS, torrent, SSH, VPN, raw TCP). Browsers never use raw IPs
+    //    in CONNECT. MITMing these would break the app's own TLS/auth, and
+    //    trying to relay opaque bytes through Apps Script always fails.
+    //    Always plain TCP passthrough for IP literals.
+    if is_ip_literal(&host) {
+        plain_tcp_passthrough(sock, &host, port).await;
+        return Ok(());
+    }
+
+    // 3. Peek at the first byte to detect TLS vs plain. Time-bounded — if the
     //    client doesn't send anything within 300ms, assume server-first
     //    protocol (SMTP, POP3, FTP banner) and jump straight to plain TCP.
     let mut peek_buf = [0u8; 8];
@@ -345,6 +355,13 @@ async fn dispatch_tunnel(
     Ok(())
 }
 
+// ---------- IP literal detection ----------
+
+fn is_ip_literal(host: &str) -> bool {
+    let h = host.trim_start_matches('[').trim_end_matches(']');
+    h.parse::<std::net::IpAddr>().is_ok()
+}
+
 // ---------- Plain TCP passthrough ----------
 
 async fn plain_tcp_passthrough(mut sock: TcpStream, host: &str, port: u16) {