New Telegram MTProto Proxy Server
- Tutorial
A proxy server is an intermediary between the client and the server. To bypass the restrictions, the proxy server should be installed where there are no restrictions on access to the required information, and there should be no such restrictions between the client and the proxy server.



Updated Proxy Server Support for Telegram Clients
- New MTProto proxy. Works with native Telegram MTProto protocol
- Open-source server on GitHub
- Docker image on Docker Hub
- Mobile clients can now add multiple proxy servers of each type; the user can choose the most suitable one

MTProto proxy
- MTProto-proxy works only with Telegram
- Client and server do not have an open communication phase.
- In the Telegram MTProto-proxy server implementation, the proxy server and its owner do not have direct access to the MTProxy protocol meta-information (logins, for example).
- To all sorts of filters and analyzers, the data exchange with the MTProto-proxy server looks like an unstructured bi-directional binary data flow between the client and the server. This makes it difficult to recognize the protocol in order to restrict it.
Fast start
To run your own MTProto proxy server, you only need a machine with Docker installed and network access. Nothing else (nginx, apache) should be listening on port 443. When you first start the proxy server, a secret key is generated and saved. Run as one command:
$ docker run -d --net=host --name=mtproto-proxy --restart=always \
-v proxy-config:/data telegrammessenger/proxy
To view the secret key and the special links, look at the container log with the command:
$ docker logs mtproto-proxy
[+] Using the explicitly passed secret: 'b7e70329dcf3721c4239b86ad32a90b8'.
[+] Saving it to /data/secret.
[*] Final configuration:
[*] Secret 1: b7e70329dcf3721c4239b86ad32a90b8
[*] tg:// link for secret 1 auto configuration: : tg://proxy?server=81.177.103.94&port=443&secret=b7e70329dcf3721c4239b86ad32a90b8
[*] t.me link for secret 1: tg://proxy?server=81.177.103.94&port=443&secret=b7e70329dcf3721c4239b86ad32a90b8
[*] Tag: no tag
[*] External IP: 81.177.103.94
[*] Make sure to fix the links incase you run the proxy on a different port.
Keep in mind that the proxy server tries to “guess” the parameters for the links, so the IP and port may be inaccurate and need correction.
The secret key
You can set your own secret key through the SECRET environment variable:
$ docker run -d --net=host --name=mtproto-proxy --restart=always \
-v proxy-config:/data -e SECRET=b7e70329dcf3721c4239b86ad32a90b8 \
telegrammessenger/proxy
When using a corporate proxy server (user groups), you can use several keys (up to 16). For example, for corporate installations I use the following user groups: boss, managers, users. For each of them I generate a separate key. If a key is compromised (leaked), I change it for that group. What is the problem with a compromised key? Traffic. The number of connections can completely fill the channel to your machine. You can also set up a key rotation system.
To set multiple keys, list them separated by commas:
$ docker run -d --net=host --name=mtproto-proxy --restart=always \
-v proxy-config:/data -e SECRET=b7e70329dcf3721c4239b86ad32a90b8,afccd434fb32248f29f033b189bd8541,878397a50627deb349d4c296bd9dc3c2 \
telegrammessenger/proxy
Or you can set the desired number of keys for auto-generation via the SECRET_COUNT variable (not more than 16):
$ docker run -d --net=host --name=mtproto-proxy --restart=always \
-v proxy-config:/data -e SECRET_COUNT=5 telegrammessenger/proxy
To generate a key, you can use, for example, one of these Linux commands:
# works even on busybox:
$ tr -dc 'a-f0-9' < /dev/urandom | dd bs=1 count=32 2>/dev/null
$ hexdump -n 16 -e '4/4 "%08x" 1 "\n"' /dev/random # requires the hexdump program
$ openssl rand -hex 16 # requires openssl
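The per-group keys and the rotation described above can be kept in a small file and turned into the SECRET value. This is an added example, not code from the article or from the proxy project; the `group=secret` file format and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the article. Assumed (hypothetical) file format:
# one "group=secret" line per user group, e.g. boss=<32 hex characters>.

# gen_secret: 16 random bytes printed as 32 lowercase hex characters.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# valid_secret S: succeed only if S is exactly 32 lowercase hex characters.
valid_secret() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# rotate_group FILE GROUP: give GROUP a fresh secret, keep all other groups.
rotate_group() {
    file=$1 group=$2
    new=$(gen_secret)
    valid_secret "$new" || return 1
    (
        umask 077    # the file holds secrets: owner-only permissions
        touch "$file"
        { grep -v "^$group=" "$file" || true; echo "$group=$new"; } > "$file.tmp"
    ) && mv "$file.tmp" "$file"
}

# secret_list FILE: print the comma-separated value for -e SECRET=...
# Fails on a malformed secret or when there are not 1..16 secrets.
secret_list() {
    out="" n=0
    while IFS='=' read -r group secret; do
        [ -n "$group" ] || continue
        valid_secret "$secret" || { echo "bad secret for $group" >&2; return 1; }
        n=$((n + 1))
        out="${out:+$out,}$secret"
    done < "$1"
    [ "$n" -ge 1 ] && [ "$n" -le 16 ] || { echo "need 1..16 secrets, got $n" >&2; return 1; }
    printf '%s\n' "$out"
}

# Demo on a temporary file: three groups, then the docker option to use.
f=$(mktemp)
for g in boss managers users; do rotate_group "$f" "$g"; done
echo "-e SECRET=$(secret_list "$f")"
rm -f "$f"
```

After `rotate_group FILE managers`, the container has to be re-created with the new SECRET value, and only the managers group needs a new link.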
Performance
Each proxy process can handle tens of thousands of connections. For best performance, there is a limit of 60,000 connections per processor core. By default, two proxy server processes are started (on the assumption that the system will assign each to its own core). You can increase the number of running processes through the WORKERS variable. Do not run more processes than the processor has cores:
$ docker run -d --net=host --name=mtproto-proxy --restart=always \
-v proxy-config:/data -e WORKERS=16 telegrammessenger/proxy
Network use
The examples deliberately use the --net=host option. It avoids redundant address translation and lets you use IPv6 right out of the box without configuration, if IPv6 is available on the machine that runs the proxy server. Of course, you can start in a more classic way by specifying port forwarding:
$ docker run -d -p 443:443 --name=mtproto-proxy --restart=always \
-v proxy-config:/data telegrammessenger/proxy
You can also specify some other port, for example:
$ docker run -d -p 8443:443 --name=mtproto-proxy --restart=always \
-v proxy-config:/data telegrammessenger/proxy:latest
Note that the proxy server knows nothing about the "real" port, so the link in the log will be incorrect and will need to be corrected.
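One way to correct the links is to rebuild them from the secrets in the log and the address clients really connect to. This is an added example, not part of the original article; `proxy.example.org`, port 8443 and the function names are placeholders, and the sample log is constructed in the format shown in the Fast start section.

```shell
#!/bin/sh
# Added example, not from the article. proxy.example.org and port 8443 are
# placeholders; the sample log is constructed in the format shown above.

# proxy_links HOST PORT: read the container log on stdin and print one tg://
# link per "Secret N:" line, using the address and port clients really reach.
proxy_links() {
    host=$1 port=$2
    case "$port" in
        ''|*[!0-9]*) echo "port must be a number" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range" >&2; return 1; }
    # Take secrets only from the "[*] Secret N: <32 hex>" lines, not from
    # the guessed links, so a malformed line is skipped rather than copied.
    sed -n 's/^\[\*\] Secret [0-9][0-9]*: \([0-9a-f]\{32\}\)$/\1/p' |
    while read -r secret; do
        printf 'tg://proxy?server=%s&port=%s&secret=%s\n' "$host" "$port" "$secret"
    done
}

# Constructed sample of the container log.
sample_log() {
    cat <<'EOF'
[*] Final configuration:
[*] Secret 1: b7e70329dcf3721c4239b86ad32a90b8
[*] Secret 2: afccd434fb32248f29f033b189bd8541
[*] Tag: no tag
[*] External IP: 81.177.103.94
EOF
}

# Offline demo; on a real host: docker logs mtproto-proxy 2>&1 | proxy_links ...
sample_log | proxy_links proxy.example.org 8443
```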
Monitoring
The MTProto-proxy server exposes some statistics about its work. The statistics are available only on localhost: http://localhost:2398/stats. When you start the proxy server via docker with the --net=host parameter, it is enough to fetch the statistics with the command:
$ curl http://localhost:2398/stats
or to proxy them through, for example, nginx somewhere outside. When starting the proxy server via docker with port forwarding, the statistics can be obtained with the command:
$ docker exec mtproto-proxy curl http://localhost:2398/stats
Some metrics are:
- ready_targets - the number of Telegram servers with which the proxy server will attempt to connect
- active_targets - the number of connections to the Telegram servers (in theory, should coincide with the ready_targets)
- total_special_connections - the number of incoming client connections
- total_max_special_connections - the maximum possible number of simultaneous connections
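A health check built on the four metrics above, as an added example that is not part of the original article or of the proxy project. It assumes the stats endpoint prints one name and value per line separated by whitespace; the function names, the 80% default threshold and the sample numbers are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the article. Assumes /stats prints one
# "name<whitespace>value" pair per line; the sample numbers are constructed.

# check_stats [PCT]: read /stats output on stdin and print findings.
# Returns 0 if healthy, 1 on a warning, 2 if the expected metrics are missing.
check_stats() {
    awk -v pct="${1:-80}" '
        $1 == "ready_targets"                 { ready  = $2 }
        $1 == "active_targets"                { active = $2 }
        $1 == "total_special_connections"     { conns  = $2 }
        $1 == "total_max_special_connections" { max    = $2 }
        END {
            if (ready == "" || active == "" || conns == "" || max == "") {
                print "UNKNOWN: expected metrics missing"
                exit 2
            }
            bad = 0
            if (active + 0 < ready + 0) {
                printf "WARN: %d of %d Telegram servers connected\n", active, ready
                bad = 1
            }
            if (max + 0 > 0 && conns * 100 >= max * pct) {
                printf "WARN: %d of %d client connections in use\n", conns, max
                bad = 1
            }
            if (!bad) print "OK"
            exit bad
        }'
}

# Constructed sample: two upstream connections down, client slots about 92% used.
sample_stats() {
    printf 'ready_targets\t16\nactive_targets\t14\n'
    printf 'total_special_connections\t55000\n'
    printf 'total_max_special_connections\t60000\n'
}

# Offline demo; on a real host feed it: curl -s http://localhost:2398/stats
sample_stats | check_stats 80 || echo "check_stats exit status: $?"
```

A sudden rise in total_special_connections is also the symptom of a leaked key described in the section on secret keys.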
Advertising
Telegram allows you to monetize the proxy server through a subscription to the Promoted channel. Promoted channel is a channel to which you will automatically be subscribed when connected to a proxy server. It will be pinned at the top of the chat list and cannot be deleted until you disconnect from this proxy server.
To configure the Promoted channel, get a code from the special bot @MTProxybot and pass it in the TAG variable when starting the server:
$ docker run -d --net=host --name=mtproto-proxy --restart=always \
-v proxy-config:/data -e TAG=85174e9e0ffa43c0d3a7167e52175268 \
telegrammessenger/proxy:latest
This parameter is not remembered; it must be set each time a container is created and re-created.
Promoted channel will be displayed at the top with a corresponding mark for those clients that use this proxy server. If you subscribe to the channel, there will be no tagging.

Proxy Update
Developers of the MTProto proxy will try to make a minimum of changes, but recommend updating the proxy server at least once a day:
$ docker pull telegrammessenger/proxy # update the image
$ docker stop mtproto-proxy # stop the container
$ docker rm mtproto-proxy # remove the container
$ docker run .... # create the container from the updated image and start it again
$ docker logs -f --tail=30 mtproto-proxy # view the container log
Docker compose
An example of docker-compose.yml:
version: '3.0'
services:
  mtproxy:
    image: telegrammessenger/proxy:latest
    hostname: mtproxy
    container_name: mtproxy.local
    volumes:
      - proxy-config:/data
    network_mode: "host"
    logging:
      driver: syslog
      options:
        tag: mtproxy
    restart: always
volumes:
  proxy-config:
    external: true
To use Promoted channels, do not forget to add the TAG variable.
Updating the proxy server with Docker Compose
$ docker-compose pull mtproxy # update the image
$ docker-compose up -d # recreate and restart the container
$ docker-compose logs -f --tail=30 mtproxy # view the service log