ei
/
mtg
spegling av https://github.com/9seconds/mtg
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Släpp 48 Wiki Aktiviteter
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
917 Incheckningar
4 Grenar
Träd: d7db8ca98b
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från 'd7db8ca98b'
${ noResults }
mtg/example.config.toml

example.config.toml 10KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266 
  1. # This is an example of the configuration file for mtg. You actually can

  2. # run mtg with it. It starts a proxy on all interfaces with a secret

  3. # ee367a189aee18fa31c190054efd4a8e9573746f726167652e676f6f676c65617069732e636f6d

  4. #

  5. # It has all possible options with default values. So, a real world

  6. # configuration file should contain only those options you are going to

  7. # use. You do not need to enumerate all of them. In other words, each

  8. # option here has a default value. If you comment a key-value pair, it

  9. # should not make any effect.

  10. #

  11. # stats is the only exception.

  12. 

  13. # Debug starts application in debug mode. It starts to be quite verbose

  14. # in output. Actually, the idea is that you run it in debug mode only if

  15. # you have any issue.

  16. debug = true

  17. 

  18. # A secret. Please remember that mtg supports only FakeTLS mode, legacy

  19. # simple and secured mode are prohibited. For you it means that secret

  20. # should either be base64-encoded or starts with ee.

  21. secret = "ee367a189aee18fa31c190054efd4a8e9573746f726167652e676f6f676c65617069732e636f6d"

  22. 

  23. # Host:port pair to run proxy on.

  24. bind-to = "0.0.0.0:3128"

  25. 

  26. # This defines what types of traffic mtg listens to. If you are not sure,

  27. # then definitely keep it disable. Enable it only and only if incoming traffic

  28. # is coming from some sort of load-balancer like HAProxy or ELB.

  29. # https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt

  30. #

  31. # mtg uses a library that supports v1 and v2 versions of ProxyProtocol.

  32. # default value is false.

  33. # proxy-protocol-listener = false

  34. 

  35. # Defines how many concurrent connections are allowed to this proxy.

  36. # All other incoming connections are going to be dropped.

  37. concurrency = 8192

  38. 

  39. # Sometimes you want to enforce mtg to use some types of

  40. # IP connectivity to Telegram. We have 4 modes:

  41. #   - prefer-ipv6:

  42. #     We can use both ipv4 and ipv6 but ipv6 has a preference

  43. #   - prefer-ipv4:

  44. #     We can use both ipv4 and ipv6 but ipv4 has a preference

  45. #   - only-ipv6:

  46. #     Only ipv6 connectivity is used

  47. #   - only-ipv4:

  48. #     Only ipv4 connectivity is used

  49. prefer-ip = "prefer-ipv6"

  50. 

  51. # FakeTLS uses domain fronting protection. So it needs to know a port to

  52. # access.

  53. #

  54. # Deprecated: use [domain-fronting] configuration block. If relevant option

  55. # is defined there, this one would be ignored.

  56. # domain-fronting-port = 443

  57. 

  58. # By default, mtg resolves the fronting hostname (from the secret) via DNS

  59. # to establish a TCP connection. If DNS resolution of that hostname is blocked,

  60. # you can specify an IP address to connect to directly. The hostname is still

  61. # used for SNI in the TLS handshake.

  62. #

  63. # default value is not set (DNS resolution is used).

  64. #

  65. # Deprecated: use [domain-fronting] configuration block. If relevant option

  66. # is defined there, this one would be ignored.

  67. # domain-fronting-ip = "10.0.0.10"

  68. 

  69. # This makes a communication between both fronting website and mtg to use

  70. # proxy protocol.

  71. #

  72. # Deprecated: use [domain-fronting] configuration block. If relevant option

  73. # is defined there, this one would be ignored.

  74. # domain-fronting-proxy-protocol = false

  75. 

  76. # FakeTLS can compare timestamps to prevent probes. Each message has

  77. # encrypted timestamp. So, mtg can compare this timestamp and decide if

  78. # we need to proceed with connection or not.

  79. #

  80. # Sometimes time can be skewed so we accept all messages within a

  81. # time range of this parameter.

  82. tolerate-time-skewness = "5s"

  83. 

  84. # Telegram has a concept of DC. You can think about DC as a number of a cluster

  85. # with a certain purpose. Some clusters serve media, some - messages, some rule

  86. # channels and so on. But sometimes unknown DC number is requested by client.

  87. # It could be a bug or some global reconfiguration of the Telegram.

  88. #

  89. # By default, proxy rejects such requests. But it is also possible to fallback

  90. # this request to any DC. Telegram works in a way that any DC is able to serve

  91. # any request but sacrificing a latency.

  92. #

  93. # If this setting is disabled (default), mtg will reject a connection.

  94. # Otherwise, chose a new DC.

  95. allow-fallback-on-unknown-dc = false

  96. 

  97. # This section is relevant to communication with fronting domain. Usually

  98. # you do not need to setup anything here but there are plenty of cases, especially

  99. # if you put mtg behind load balancer, when some specific configuration is

  100. # required.

  101. [domain-fronting]

  102. # By default, mtg resolves the fronting hostname (from the secret) via DNS

  103. # to establish a TCP connection. If DNS resolution of that hostname is blocked,

  104. # you can specify an IP address to connect to directly. The hostname is still

  105. # used for SNI in the TLS handshake.

  106. #

  107. # default value is not set (DNS resolution is used).

  108. # ip = "10.10.10.11"

  109. 

  110. # FakeTLS uses domain fronting protection. So it needs to know a port to

  111. # access. Default value is 443

  112. # port = 443

  113. 

  114. # This makes a communication between both fronting website and mtg to use

  115. # proxy protocol.

  116. # proxy-protocol = false

  117. 

  118. # network defines different network-related settings

  119. [network]

  120. # please be aware that mtg needs to do some external requests. For

  121. # example, if you do not pass public ips, it will request your public ip

  122. # address from some external service.

  123. #

  124. # As for 2.0, if you set a public-ip on your own, mtg won't issue any

  125. # network requests except of those required for Telegram.

  126. #

  127. # so, in order of doing them, it needs to do DNS lookup. mtg ignores DNS

  128. # resolver of the operating system and uses DOH instead. This is a host

  129. # it has to access.

  130. #

  131. # By default we use Cloudflare.

  132. doh-ip = "1.1.1.1"

  133. 

  134. # mtg can work via proxies (for now, we support only socks5). Proxy

  135. # configuration is done via list. So, you can specify many proxies

  136. # there.

  137. #

  138. # Actually, if you supply an empty list, then no proxies are going to be

  139. # used. If you supply a single proxy, then mtg will use it exclusively.

  140. # If you supply >= 2, then mtg will load balance between them.

  141. #

  142. # If you add an empty string here, this is an equivalent of 'plain network',

  143. # with no proxy usage.

  144. #

  145. # Proxy configuration is done via ordinary URI schema:

  146. #

  147. #     socks5://user:password@host:port?open_threshold=5&half_open_timeout=1m&reset_failures_timeout=10s

  148. #

  149. # Only socks5 proxy is used. user/password is optional. As you can

  150. # see, you can specify some parameters in GET query. These parameters

  151. # configure circuit breaker.

  152. #

  153. # open_threshold means a number of errors which should happen so we stop

  154. # use a proxy.

  155. #

  156. # half_open_timeout means a time period (in Golang duration notation)

  157. # after which we can retry with this proxy

  158. #

  159. # reset_failures_timeout means a time period when we flush out errors

  160. # when circuit breaker in closed state.

  161. #

  162. # Please see https://docs.microsoft.com/en-us/azure/architecture/patterns/circuit-breaker

  163. # on details about circuit breakers.

  164. proxies = [

  165.     # "socks5://user:password@host:port?open_threshold=5&half_open_timeout=1m&reset_failures_timeout=10s"

  166. ]

  167. 

  168. # network timeouts define different settings for timeouts. tcp timeout

  169. # define a global timeout on establishing of network connections. idle

  170. # means a timeout on pumping data between sockset when nothing is

  171. # happening.

  172. #

  173. # please be noticed that handshakes have no timeouts intentionally. You can

  174. # find a reasoning here:

  175. # https://www.ndss-symposium.org/wp-content/uploads/2020/02/23087-paper.pdf

  176. [network.timeout]

  177. tcp = "5s"

  178. http = "10s"

  179. idle = "1m"

  180. 

  181. # Some countries do active probing on Telegram connections. This technique

  182. # allows to protect from such effort.

  183. #

  184. # mtg has a cache of some connection fingerprints. Actually, first bytes

  185. # of each connection. So, it stores them in some in-memory LRU+TTL cache.

  186. # You can configure this cache here.

  187. [defense.anti-replay]

  188. # You can enable/disable this feature.

  189. enabled = true

  190. # max size of such a cache. Please be aware that this number is

  191. # approximate we try hard to store data quite dense but it is possible

  192. # that we can go over this limit for 10-20% under some conditions and

  193. # architectures.

  194. max-size = "1mib"

  195. # we use stable bloom filters for anti-replay cache. This helps

  196. # to maintain a desired error ratio.

  197. error-rate = 0.001

  198. 

  199. # You can protect proxies by using different blocklists. If client has

  200. # ip from the given range, we do not try to do a proper handshake. We

  201. # actually route it to fronting domain. So, this client will never ever

  202. # have a chance to use mtg to access Telegram.

  203. #

  204. # Please remember that blocklists are initialized in async way. So,

  205. # when you start a proxy, blocklists are empty, they are populated and

  206. # processed in backgrounds. An error in any URL is ignored.

  207. [defense.blocklist]

  208. # You can enable/disable this feature.

  209. enabled = true

  210. # This is a limiter for concurrency. In order to protect website

  211. # from overloading, we download files in this number of threads.

  212. download-concurrency = 2

  213. # A list of URLs in FireHOL format (https://iplists.firehol.org/)

  214. # You can provider links here (starts with https:// or http://) or

  215. # path to a local file, but in this case it should be absolute.

  216. urls = [

  217.     "https://iplists.firehol.org/files/firehol_level1.netset",

  218.     # "/local.file"

  219. ]

  220. # How often do we need to update a blocklist set.

  221. update-each = "24h"

  222. 

  223. # Allowlist is an opposite to a blocklist. Only those IPs that are coming from

  224. # subnets defined in these lists are allowed. All others will be rejected.

  225. #

  226. # If this feature is disabled, then there won't be any check performed by this

  227. # validator. It is possible to combine both blocklist and whitelist.

  228. [defense.allowlist]

  229. # You can enable/disable this feature.

  230. enabled = false

  231. # This is a limiter for concurrency. In order to protect website

  232. # from overloading, we download files in this number of threads.

  233. download-concurrency = 2

  234. # A list of URLs in FireHOL format (https://iplists.firehol.org/)

  235. # You can provider links here (starts with https:// or http://) or

  236. # path to a local file, but in this case it should be absolute.

  237. urls = [

  238.     # "https://iplists.firehol.org/files/firehol_level1.netset",

  239.     # "/local.file"

  240. 

  241. ]

  242. update-each = "24h"

  243. 

  244. # statsd statistics integration.

  245. [stats.statsd]

  246. # enabled/disabled

  247. enabled = false

  248. # host:port for UDP endpoint of statsd

  249. address = "127.0.0.1:8888"

  250. # prefix of metric for statsd

  251. metric-prefix = "mtg"

  252. # tag format to use

  253. # supported values are 'datadog', 'influxdb' and 'graphite'

  254. # default format is graphite.

  255. tag-format = "datadog"

  256. 

  257. # prometheus metrics integration.

  258. [stats.prometheus]

  259. # enabled/disabled

  260. enabled = true

  261. # host:port where to start http server for endpoint

  262. bind-to = "127.0.0.1:3129"

  263. # prefix of http path

  264. http-path = "/"

  265. # prefix for metrics for prometheus

  266. metric-prefix = "mtg"