ei
/
mtg
огледало од https://github.com/9seconds/mtg
Прати 1
Волим 0
Креирај огранак 0
Код Дискусије 0 Издања 48 Вики Activity
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
928 Комити
4 Гране
Дрво: 317d7380cb
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from '317d7380cb'
${ noResults }
mtg/example.config.toml

example.config.toml 10KB
Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271 
  1. # This is an example of the configuration file for mtg. You actually can

  2. # run mtg with it. It starts a proxy on all interfaces with a secret

  3. # ee367a189aee18fa31c190054efd4a8e9573746f726167652e676f6f676c65617069732e636f6d

  4. #

  5. # It has all possible options with default values. So, a real world

  6. # configuration file should contain only those options you are going to

  7. # use. You do not need to enumerate all of them. In other words, each

  8. # option here has a default value. If you comment a key-value pair, it

  9. # should not make any effect.

  10. #

  11. # stats is the only exception.

  12. 

  13. # Debug starts application in debug mode. It starts to be quite verbose

  14. # in output. Actually, the idea is that you run it in debug mode only if

  15. # you have any issue.

  16. debug = true

  17. 

  18. # A secret. Please remember that mtg supports only FakeTLS mode, legacy

  19. # simple and secured mode are prohibited. For you it means that secret

  20. # should either be base64-encoded or starts with ee.

  21. secret = "ee367a189aee18fa31c190054efd4a8e9573746f726167652e676f6f676c65617069732e636f6d"

  22. 

  23. # Host:port pair to run proxy on.

  24. bind-to = "0.0.0.0:3128"

  25. 

  26. # This defines what types of traffic mtg listens to. If you are not sure,

  27. # then definitely keep it disable. Enable it only and only if incoming traffic

  28. # is coming from some sort of load-balancer like HAProxy or ELB.

  29. # https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt

  30. #

  31. # mtg uses a library that supports v1 and v2 versions of ProxyProtocol.

  32. # default value is false.

  33. # proxy-protocol-listener = false

  34. 

  35. # Defines how many concurrent connections are allowed to this proxy.

  36. # All other incoming connections are going to be dropped.

  37. concurrency = 8192

  38. 

  39. # Sometimes you want to enforce mtg to use some types of

  40. # IP connectivity to Telegram. We have 4 modes:

  41. #   - prefer-ipv6:

  42. #     We can use both ipv4 and ipv6 but ipv6 has a preference

  43. #   - prefer-ipv4:

  44. #     We can use both ipv4 and ipv6 but ipv4 has a preference

  45. #   - only-ipv6:

  46. #     Only ipv6 connectivity is used

  47. #   - only-ipv4:

  48. #     Only ipv4 connectivity is used

  49. prefer-ip = "prefer-ipv6"

  50. 

  51. # If this setting is set, then mtg will try to get proxy updates from Telegram

  52. # Usually this is completely fine to have it disabled, because mtg has a list

  53. # of some core proxies hardcoded.

  54. auto-update = false

  55. 

  56. # FakeTLS uses domain fronting protection. So it needs to know a port to

  57. # access.

  58. #

  59. # Deprecated: use [domain-fronting] configuration block. If relevant option

  60. # is defined there, this one would be ignored.

  61. # domain-fronting-port = 443

  62. 

  63. # By default, mtg resolves the fronting hostname (from the secret) via DNS

  64. # to establish a TCP connection. If DNS resolution of that hostname is blocked,

  65. # you can specify an IP address to connect to directly. The hostname is still

  66. # used for SNI in the TLS handshake.

  67. #

  68. # default value is not set (DNS resolution is used).

  69. #

  70. # Deprecated: use [domain-fronting] configuration block. If relevant option

  71. # is defined there, this one would be ignored.

  72. # domain-fronting-ip = "10.0.0.10"

  73. 

  74. # This makes a communication between both fronting website and mtg to use

  75. # proxy protocol.

  76. #

  77. # Deprecated: use [domain-fronting] configuration block. If relevant option

  78. # is defined there, this one would be ignored.

  79. # domain-fronting-proxy-protocol = false

  80. 

  81. # FakeTLS can compare timestamps to prevent probes. Each message has

  82. # encrypted timestamp. So, mtg can compare this timestamp and decide if

  83. # we need to proceed with connection or not.

  84. #

  85. # Sometimes time can be skewed so we accept all messages within a

  86. # time range of this parameter.

  87. tolerate-time-skewness = "5s"

  88. 

  89. # Telegram has a concept of DC. You can think about DC as a number of a cluster

  90. # with a certain purpose. Some clusters serve media, some - messages, some rule

  91. # channels and so on. But sometimes unknown DC number is requested by client.

  92. # It could be a bug or some global reconfiguration of the Telegram.

  93. #

  94. # By default, proxy rejects such requests. But it is also possible to fallback

  95. # this request to any DC. Telegram works in a way that any DC is able to serve

  96. # any request but sacrificing a latency.

  97. #

  98. # If this setting is disabled (default), mtg will reject a connection.

  99. # Otherwise, chose a new DC.

  100. allow-fallback-on-unknown-dc = false

  101. 

  102. # This section is relevant to communication with fronting domain. Usually

  103. # you do not need to setup anything here but there are plenty of cases, especially

  104. # if you put mtg behind load balancer, when some specific configuration is

  105. # required.

  106. [domain-fronting]

  107. # By default, mtg resolves the fronting hostname (from the secret) via DNS

  108. # to establish a TCP connection. If DNS resolution of that hostname is blocked,

  109. # you can specify an IP address to connect to directly. The hostname is still

  110. # used for SNI in the TLS handshake.

  111. #

  112. # default value is not set (DNS resolution is used).

  113. # ip = "10.10.10.11"

  114. 

  115. # FakeTLS uses domain fronting protection. So it needs to know a port to

  116. # access. Default value is 443

  117. # port = 443

  118. 

  119. # This makes a communication between both fronting website and mtg to use

  120. # proxy protocol.

  121. # proxy-protocol = false

  122. 

  123. # network defines different network-related settings

  124. [network]

  125. # please be aware that mtg needs to do some external requests. For

  126. # example, if you do not pass public ips, it will request your public ip

  127. # address from some external service.

  128. #

  129. # As for 2.0, if you set a public-ip on your own, mtg won't issue any

  130. # network requests except of those required for Telegram.

  131. #

  132. # so, in order of doing them, it needs to do DNS lookup. mtg ignores DNS

  133. # resolver of the operating system and uses DOH instead. This is a host

  134. # it has to access.

  135. #

  136. # By default we use Cloudflare.

  137. doh-ip = "1.1.1.1"

  138. 

  139. # mtg can work via proxies (for now, we support only socks5). Proxy

  140. # configuration is done via list. So, you can specify many proxies

  141. # there.

  142. #

  143. # Actually, if you supply an empty list, then no proxies are going to be

  144. # used. If you supply a single proxy, then mtg will use it exclusively.

  145. # If you supply >= 2, then mtg will load balance between them.

  146. #

  147. # If you add an empty string here, this is an equivalent of 'plain network',

  148. # with no proxy usage.

  149. #

  150. # Proxy configuration is done via ordinary URI schema:

  151. #

  152. #     socks5://user:password@host:port?open_threshold=5&half_open_timeout=1m&reset_failures_timeout=10s

  153. #

  154. # Only socks5 proxy is used. user/password is optional. As you can

  155. # see, you can specify some parameters in GET query. These parameters

  156. # configure circuit breaker.

  157. #

  158. # open_threshold means a number of errors which should happen so we stop

  159. # use a proxy.

  160. #

  161. # half_open_timeout means a time period (in Golang duration notation)

  162. # after which we can retry with this proxy

  163. #

  164. # reset_failures_timeout means a time period when we flush out errors

  165. # when circuit breaker in closed state.

  166. #

  167. # Please see https://docs.microsoft.com/en-us/azure/architecture/patterns/circuit-breaker

  168. # on details about circuit breakers.

  169. proxies = [

  170.     # "socks5://user:password@host:port?open_threshold=5&half_open_timeout=1m&reset_failures_timeout=10s"

  171. ]

  172. 

  173. # network timeouts define different settings for timeouts. tcp timeout

  174. # define a global timeout on establishing of network connections. idle

  175. # means a timeout on pumping data between sockset when nothing is

  176. # happening.

  177. #

  178. # please be noticed that handshakes have no timeouts intentionally. You can

  179. # find a reasoning here:

  180. # https://www.ndss-symposium.org/wp-content/uploads/2020/02/23087-paper.pdf

  181. [network.timeout]

  182. tcp = "5s"

  183. http = "10s"

  184. idle = "1m"

  185. 

  186. # Some countries do active probing on Telegram connections. This technique

  187. # allows to protect from such effort.

  188. #

  189. # mtg has a cache of some connection fingerprints. Actually, first bytes

  190. # of each connection. So, it stores them in some in-memory LRU+TTL cache.

  191. # You can configure this cache here.

  192. [defense.anti-replay]

  193. # You can enable/disable this feature.

  194. enabled = true

  195. # max size of such a cache. Please be aware that this number is

  196. # approximate we try hard to store data quite dense but it is possible

  197. # that we can go over this limit for 10-20% under some conditions and

  198. # architectures.

  199. max-size = "1mib"

  200. # we use stable bloom filters for anti-replay cache. This helps

  201. # to maintain a desired error ratio.

  202. error-rate = 0.001

  203. 

  204. # You can protect proxies by using different blocklists. If client has

  205. # ip from the given range, we do not try to do a proper handshake. We

  206. # actually route it to fronting domain. So, this client will never ever

  207. # have a chance to use mtg to access Telegram.

  208. #

  209. # Please remember that blocklists are initialized in async way. So,

  210. # when you start a proxy, blocklists are empty, they are populated and

  211. # processed in backgrounds. An error in any URL is ignored.

  212. [defense.blocklist]

  213. # You can enable/disable this feature.

  214. enabled = true

  215. # This is a limiter for concurrency. In order to protect website

  216. # from overloading, we download files in this number of threads.

  217. download-concurrency = 2

  218. # A list of URLs in FireHOL format (https://iplists.firehol.org/)

  219. # You can provider links here (starts with https:// or http://) or

  220. # path to a local file, but in this case it should be absolute.

  221. urls = [

  222.     "https://iplists.firehol.org/files/firehol_level1.netset",

  223.     # "/local.file"

  224. ]

  225. # How often do we need to update a blocklist set.

  226. update-each = "24h"

  227. 

  228. # Allowlist is an opposite to a blocklist. Only those IPs that are coming from

  229. # subnets defined in these lists are allowed. All others will be rejected.

  230. #

  231. # If this feature is disabled, then there won't be any check performed by this

  232. # validator. It is possible to combine both blocklist and whitelist.

  233. [defense.allowlist]

  234. # You can enable/disable this feature.

  235. enabled = false

  236. # This is a limiter for concurrency. In order to protect website

  237. # from overloading, we download files in this number of threads.

  238. download-concurrency = 2

  239. # A list of URLs in FireHOL format (https://iplists.firehol.org/)

  240. # You can provider links here (starts with https:// or http://) or

  241. # path to a local file, but in this case it should be absolute.

  242. urls = [

  243.     # "https://iplists.firehol.org/files/firehol_level1.netset",

  244.     # "/local.file"

  245. 

  246. ]

  247. update-each = "24h"

  248. 

  249. # statsd statistics integration.

  250. [stats.statsd]

  251. # enabled/disabled

  252. enabled = false

  253. # host:port for UDP endpoint of statsd

  254. address = "127.0.0.1:8888"

  255. # prefix of metric for statsd

  256. metric-prefix = "mtg"

  257. # tag format to use

  258. # supported values are 'datadog', 'influxdb' and 'graphite'

  259. # default format is graphite.

  260. tag-format = "datadog"

  261. 

  262. # prometheus metrics integration.

  263. [stats.prometheus]

  264. # enabled/disabled

  265. enabled = true

  266. # host:port where to start http server for endpoint

  267. bind-to = "127.0.0.1:3129"

  268. # prefix of http path

  269. http-path = "/"

  270. # prefix for metrics for prometheus

  271. metric-prefix = "mtg"