@yeganemehr
Created August 26, 2019 18:26

How to set up MTProxy behind an nginx stream proxy

There are two servers in this configuration:

* 192.168.1.101 is the front server that serves the clients directly; it is the only address clients ever see.
* 192.168.1.202 is the backend server that runs MTProxy; clients are not aware of it.

On 192.168.1.202

Install MTProxy and start it listening on port 443, the port the local nginx stream proxy below forwards to:

apt install git curl build-essential libssl-dev zlib1g-dev
git clone https://github.com/TelegramMessenger/MTProxy
cd MTProxy
make && cd objs/bin
# proxy-secret and proxy-multi.conf are published by Telegram; proxy-multi.conf changes over time, so refresh it periodically
curl -s https://core.telegram.org/getProxySecret -o proxy-secret
curl -s https://core.telegram.org/getProxyConfig -o proxy-multi.conf
# 16 random bytes, hex-encoded: this is <YOUR_SECRET> below and the secret in the client link
head -c 16 /dev/urandom | xxd -ps
# -p is the local statistics port, -H is the client-facing port; they must differ,
# and -H must match the proxy_pass target of the nginx config on this host (127.0.0.1:443)
./mtproto-proxy -u nobody -p 8888 -H 443 -S <YOUR_SECRET> --aes-pwd proxy-secret proxy-multi.conf

Download the nginx source (1.17.3 at the time of writing) and compile it with the stream and stream_ssl modules. The tarball is fetched over plain HTTP, so verify the detached signature (nginx-1.17.3.tar.gz.asc from the same site) against the nginx signing key before building:

wget http://nginx.org/download/nginx-1.17.3.tar.gz
tar xvf nginx-1.17.3.tar.gz
cd nginx-1.17.3
./configure \
	--prefix=/usr \
	--sbin-path=/usr/sbin \
	--conf-path=/etc/nginx/nginx.conf \
	--pid-path=/var/run/nginx.pid \
	--http-log-path=/var/log/nginx/access_log \
	--error-log-path=/var/log/nginx/error_log \
	--without-mail_imap_module \
	--without-mail_smtp_module \
	--with-http_ssl_module \
	--with-http_realip_module \
	--with-http_stub_status_module \
	--with-http_gzip_static_module \
	--with-http_dav_module \
	--with-http_v2_module \
	--with-stream \
	--with-stream_ssl_module
make
make install

Generate a self-signed certificate for the TLS hop between the two nginx instances. Keep the private key readable by root only; only the .crt file ever needs to leave this host:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Open /etc/nginx/nginx.conf (the --conf-path given to ./configure above) and put in this configuration:

worker_processes  1;
events {
    worker_connections  1024;
}
stream {
    server {
        # TLS listener for the front nginx; forwards plaintext to MTProxy on loopback
        listen     4433 ssl;
        proxy_pass 127.0.0.1:443;
        ssl_certificate       /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key   /etc/ssl/private/nginx-selfsigned.key;
        # nginx 1.17.3 still enables TLSv1 and TLSv1.1 by default; SSLv3 and
        # TLS 1.0/1.1 must not be offered here (TLSv1.3 needs OpenSSL 1.1.1+)
        ssl_protocols         TLSv1.2 TLSv1.3;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_tickets   on;
        ssl_session_cache     shared:SSL:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 10s;
    }
}

Nothing in this setup authenticates the front server to the backend, so restrict port 4433 (and MTProxy's own port 443, which is bound on all interfaces) with the host firewall to connections from 192.168.1.101 only. Then apply the changes by restarting nginx. A source build does not install an init script; if `service nginx restart` reports an unknown service, validate the file with `nginx -t` and start the `nginx` binary directly:

service nginx restart

On 192.168.1.101

Build nginx from source exactly as on 192.168.1.202 (same download, same signature check, same ./configure flags), with the stream and stream_ssl modules:

wget http://nginx.org/download/nginx-1.17.3.tar.gz
tar xvf nginx-1.17.3.tar.gz
cd nginx-1.17.3
./configure \
	--prefix=/usr \
	--sbin-path=/usr/sbin \
	--conf-path=/etc/nginx/nginx.conf \
	--pid-path=/var/run/nginx.pid \
	--http-log-path=/var/log/nginx/access_log \
	--error-log-path=/var/log/nginx/error_log \
	--without-mail_imap_module \
	--without-mail_smtp_module \
	--with-http_ssl_module \
	--with-http_realip_module \
	--with-http_stub_status_module \
	--with-http_gzip_static_module \
	--with-http_dav_module \
	--with-http_v2_module \
	--with-stream \
	--with-stream_ssl_module
make
make install

Open /etc/nginx/nginx.conf and put in this configuration. Note that with `proxy_ssl_verify off` the hop to 192.168.1.202 is encrypted but not authenticated: any host able to redirect traffic for that address can terminate the TLS session and read the client streams. For anything beyond a lab, copy the backend's self-signed .crt to this host and switch to `proxy_ssl_verify on` with `proxy_ssl_trusted_certificate` pointing at it (and `proxy_ssl_name` matching the name the certificate was issued for):

worker_processes  1;
events {
    worker_connections  1024;
}
stream {
    server {
        # plaintext MTProto from clients in, TLS-wrapped stream to the backend out
        listen     443;
        proxy_pass 192.168.1.202:4433;
        proxy_ssl  on;
        # backend certificate is NOT checked; see the note above
        proxy_ssl_verify off;
    }
}

Apply the changes by restarting nginx (as on the backend, use `nginx -t` and the `nginx` binary directly if no service unit exists):

service nginx restart

Generate the link with the following schema, using the front server's address and its listen port, since that is the only endpoint clients can reach (a link pointing at 192.168.1.202 would never connect): tg://proxy?server=192.168.1.101&port=443&secret=SECRET, where SECRET is the hex string produced by the xxd command on the backend.
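The whole procedure above, gathered into a few shell helpers as an added example (this is not code from the gist or from the MTProxy project): it validates the secret format the xxd command produces, builds the client link against the front host, generates the backend certificate with a subjectAltName, and writes the front nginx stream config with the backend certificate pinned instead of `proxy_ssl_verify off`. The backend name `mtproxy-backend.internal`, the file paths and the secret in the usage call are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the original gist: helpers for the two-host
# MTProxy/nginx setup. The name "mtproxy-backend.internal", the paths and the
# secret used below are assumptions for illustration.
set -eu

# Enforce the format `head -c 16 /dev/urandom | xxd -ps` produces: 16 random
# bytes as 32 lowercase hex digits. A short or non-hex value means the secret
# was copied wrong and the link would be useless.
mtproxy_check_secret() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Build the client link. SERVER must be the front host (192.168.1.101 in this
# setup): the backend is unreachable for clients, so a link naming it would
# never connect. Args: SERVER PORT SECRET
mtproxy_link() {
    mtproxy_check_secret "$3" || { echo "invalid secret: $3" >&2; return 1; }
    printf 'tg://proxy?server=%s&port=%s&secret=%s' "$1" "$2" "$3"
}

# Backend side: self-signed certificate with a subjectAltName so the front
# nginx can verify it by name (-addext needs OpenSSL 1.1.1 or newer). Copy only
# the .crt to the front host; the key stays here, root-readable.
# Args: NAME KEY_OUT CRT_OUT
make_backend_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2" -out "$3" 2>/dev/null
    chmod 600 "$2"
}

# Front side: stream config that authenticates the backend. The gist's
# `proxy_ssl_verify off` encrypts the hop but lets anyone who can redirect
# traffic for the backend address terminate the TLS and read client streams;
# pinning the copied self-signed certificate and checking its name closes that.
# Args: OUTPUT_FILE BACKEND_ADDR BACKEND_PORT TRUSTED_CRT BACKEND_NAME
write_frontend_conf() {
    cat > "$1" <<EOF
worker_processes  1;
events {
    worker_connections  1024;
}
stream {
    server {
        listen     443;
        proxy_pass $2:$3;
        proxy_ssl  on;
        # verify the backend certificate against the copied self-signed cert
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate $4;
        # name checked against the certificate's subjectAltName
        proxy_ssl_name                $5;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
EOF
}

# Usage (assumed values): print the link clients should be given.
mtproxy_link 192.168.1.101 443 0123456789abcdef0123456789abcdef
echo
```

On the backend, `make_backend_cert mtproxy-backend.internal /etc/ssl/private/nginx-selfsigned.key /etc/ssl/certs/nginx-selfsigned.crt` replaces the openssl one-liner above; on the front host, `write_frontend_conf /etc/nginx/nginx.conf 192.168.1.202 4433 /etc/nginx/backend.crt mtproxy-backend.internal` writes the hardened config, which `nginx -t` should then validate before reloading.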
