feat: configurable SSRF/private-address policy for FakeIP/proxy environments #24454

@reallinzc

Type

Feature request

Problem

In many real-world deployments (including Chinese network environments), FakeIP/proxy-based routing is commonly used together with Telegram automation and web_fetch/browser features. In this mode, blocking private/internal IPs too aggressively breaks normal workflows:

  1. web_fetch/URL fetching can fail with "Blocked: resolves to private/internal/special-use IP address", which prevents accessing some valid external resources.
  2. Telegram media retrieval may fail with "Failed to fetch media" when api.telegram.org responses are routed through proxy/FakeIP and get treated as private addresses by SSRF checks.

Why this matters

  • In many China proxy setups, using local real DNS directly is not always feasible and may expose usage patterns.
  • FakeIP is a practical workaround for GFW-related network constraints.
  • Users need a configurable policy instead of hardcoded strict behavior.

Request

Please provide configuration options to control private-address/SSRF handling:

  • web_fetch.privateAddressPolicy: strict | allowlist | off (default: strict)
  • web_fetch.privateAddressAllowlist: ["api.telegram.org", ...]
  • web_fetch.allowProxyPrivateBypass: true/false
  • Clear logs/telemetry for URLs blocked by this policy

Acceptance

  • Telegram media fetch from api.telegram.org works when explicitly allowlisted in proxy/FakeIP environments.
  • Security posture remains strict by default, with controlled opt-in relaxation.
  • Behavior is configurable, avoiding manual downgrade/rollback as workaround.

This is a feature request to support production environments where FakeIP is widely used.
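
A sketch of how the requested policy could be evaluated, as an added example that is not part of the original issue or the project's code. The option names follow the request; `checkFetch` and `fakeIpCidrs` are hypothetical, the check is IPv4-only and refuses anything else, and in `allowlist` mode an allowlisted host is exempt only when it resolves into the configured FakeIP pool, so loopback or link-local answers stay blocked.

```javascript
// Added illustration: option names mirror the request; fakeIpCidrs is hypothetical.
const SPECIAL_V4 = [ // private / internal / special-use IPv4 ranges
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
];

function v4ToInt(ip) {
  const parts = ip.split(".");
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function inCidr(ip, cidr) { // cidr base must be aligned to its prefix length
  const [base, bits] = cidr.split("/");
  const addr = v4ToInt(ip), start = v4ToInt(base);
  return addr !== null && addr >= start && addr < start + 2 ** (32 - Number(bits));
}

// host: hostname from the URL; resolved: addresses the resolver returned for it.
function checkFetch(host, resolved, cfg = {}) {
  const policy = cfg.privateAddressPolicy ?? "strict";
  if (policy === "off") return { allowed: true, host, policy };
  if (resolved.length === 0) return { allowed: false, host, policy, reason: "no addresses" };
  const allowlisted = (cfg.privateAddressAllowlist ?? []).includes(host.toLowerCase());
  for (const ip of resolved) {
    if (v4ToInt(ip) === null) // IPv6 or malformed: fail closed in this sketch
      return { allowed: false, host, ip, policy, reason: "not a plain IPv4 address" };
    if (!SPECIAL_V4.some((c) => inCidr(ip, c))) continue; // public address
    const fake = (cfg.fakeIpCidrs ?? []).some((c) => inCidr(ip, c));
    if (policy === "allowlist" && allowlisted && fake) continue; // explicit opt-in
    return { allowed: false, host, ip, policy,
      reason: "resolves to private/internal/special-use IP address" };
  }
  return { allowed: true, host, policy };
}

// Constructed sample config and resolver results.
const cfg = {
  privateAddressPolicy: "allowlist",
  privateAddressAllowlist: ["api.telegram.org"],
  fakeIpCidrs: ["198.18.0.0/15"], // assumed FakeIP pool
};
for (const [host, ips] of [["api.telegram.org", ["198.18.0.23"]],
  ["api.telegram.org", ["127.0.0.1"]], ["example.com", ["198.18.0.23"]]]) {
  console.log(JSON.stringify(checkFetch(host, ips, cfg))); // structured record for logs
}
```

The returned object carries host, address, policy and reason, which is the kind of record the "clear logs/telemetry" item asks for.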

Labels: stale (marked as stale due to inactivity)