There are two servers in this configuration:
* 192.168.1.101, which is used to serve the clients directly.
* 192.168.1.202, the backend server, which the clients are not aware of.
Install MTProxy on the backend server (192.168.1.202):
apt install git curl build-essential libssl-dev zlib1g-dev
git clone https://github.com/TelegramMessenger/MTProxy
cd MTProxy
make && cd objs/bin
curl -s https://core.telegram.org/getProxySecret -o proxy-secret
curl -s https://core.telegram.org/getProxyConfig -o proxy-multi.conf
head -c 16 /dev/urandom | xxd -ps
# -p is the stats port and -H the client-facing port; they must differ, and -H 443
# is the address the backend nginx forwards to (proxy_pass 127.0.0.1:443 below)
./mtproto-proxy -u nobody -p 8888 -H 443 -S <YOUR_SECRET> --aes-pwd proxy-secret proxy-multi.conf
On the same server, download the nginx source and compile it with the stream and stream_ssl modules:
wget http://nginx.org/download/nginx-1.17.3.tar.gz
tar xvf nginx-1.17.3.tar.gz
cd nginx-1.17.3
./configure \
--prefix=/usr \
--sbin-path=/usr/sbin \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--http-log-path=/var/log/nginx/access_log \
--error-log-path=/var/log/nginx/error_log \
--without-mail_imap_module \
--without-mail_smtp_module \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-http_dav_module \
--with-http_v2_module \
--with-stream \
--with-stream_ssl_module
make
make install
Issue a self-signed certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Open /etc/nginx/nginx.conf and put in this configuration:
worker_processes 1;
events {
    worker_connections 1024;
}
stream {
    server {
        listen 4433 ssl;
        proxy_pass 127.0.0.1:443;
        ssl_session_tickets on;
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        #ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 4h;
        ssl_handshake_timeout 10s;
    }
}
Apply the changes by restarting the nginx service:
service nginx restart
On the front-facing server (192.168.1.101), download the nginx source and compile it with the stream and stream_ssl modules:
wget http://nginx.org/download/nginx-1.17.3.tar.gz
tar xvf nginx-1.17.3.tar.gz
cd nginx-1.17.3
./configure \
--prefix=/usr \
--sbin-path=/usr/sbin \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--http-log-path=/var/log/nginx/access_log \
--error-log-path=/var/log/nginx/error_log \
--without-mail_imap_module \
--without-mail_smtp_module \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-http_dav_module \
--with-http_v2_module \
--with-stream \
--with-stream_ssl_module
make
make install
Open /etc/nginx/nginx.conf and put in this configuration:
worker_processes 1;
events {
    worker_connections 1024;
}
stream {
    server {
        listen 443;
        proxy_pass 192.168.1.202:4433;
        proxy_ssl on;
        proxy_ssl_verify off;
    }
}
Apply the changes by restarting the nginx service:
service nginx restart
Generate the link with the following schema: tg://proxy?server=192.168.1.202&port=443&secret=SECRET
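As an added sanity check that is not part of the original write-up: this Python walks the two nginx stream blocks shown above (embedded as constructed copies) together with the -H port of mtproto-proxy on the backend and reports any hop that does not line up, including the proxy_ssl_verify off setting, which leaves the frontend trusting any certificate presented on the hop to the backend.

```python
import re
# Constructed copies of the two stream blocks on this page (frontend 192.168.1.101, backend 192.168.1.202).
FRONTEND_CONF = """
stream {
    server {
        listen 443;
        proxy_pass 192.168.1.202:4433;
        proxy_ssl on;
        proxy_ssl_verify off;
    }
}
"""
BACKEND_CONF = """
stream {
    server {
        listen 4433 ssl;
        proxy_pass 127.0.0.1:443;
    }
}
"""
BACKEND_IP, MTPROXY_PORT = "192.168.1.202", 443  # backend address and the -H port of mtproto-proxy on it

def parse_stream_server(conf):
    """Map each directive of the single server block to its argument list."""
    body = re.search(r"server\s*{(.*?)}", conf, re.S).group(1)
    directives = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def check_chain(frontend, backend, backend_ip, mtproxy_port):
    """Follow client -> frontend -> backend -> mtproto-proxy and return a list of findings."""
    f, b = parse_stream_server(frontend), parse_stream_server(backend)
    findings = []
    host, port = f["proxy_pass"][0].rsplit(":", 1)
    if (host, port) != (backend_ip, b["listen"][0]):
        findings.append(f"frontend forwards to {host}:{port} but backend listens on {backend_ip}:{b['listen'][0]}")
    if f.get("proxy_ssl") != ["on"] or "ssl" not in b["listen"]:
        findings.append("hop to backend is not TLS on both ends (needs proxy_ssl on and listen ... ssl)")
    if b["proxy_pass"][0] != f"127.0.0.1:{mtproxy_port}":
        findings.append(f"backend forwards to {b['proxy_pass'][0]} but mtproto-proxy -H is {mtproxy_port}")
    if f.get("proxy_ssl_verify", ["off"]) == ["off"]:  # nginx default is off
        findings.append("proxy_ssl_verify off: frontend accepts any certificate from the backend")
    return findings

if __name__ == "__main__":
    print(check_chain(FRONTEND_CONF, BACKEND_CONF, BACKEND_IP, MTPROXY_PORT) or ["chain OK"])
```

With the configuration exactly as on this page the only finding is the unverified backend certificate; copying the self-signed certificate to the frontend and pointing proxy_ssl_trusted_certificate at it with proxy_ssl_verify on would close that gap.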