@yeganemehr
Created August 26, 2019 18:26
How to setup MTProxy using nginx stream proxy

There are two servers in this configuration:
* 192.168.1.101 serves the clients directly.
* 192.168.1.202 is the backend server, which the clients are not aware of.

On 192.168.1.202

Install MTProxy:

apt install git curl build-essential libssl-dev zlib1g-dev
git clone https://github.com/TelegramMessenger/MTProxy
cd MTProxy
make && cd objs/bin
curl -s https://core.telegram.org/getProxySecret -o proxy-secret
curl -s https://core.telegram.org/getProxyConfig -o proxy-multi.conf
# print a random 16-byte secret as 32 hex characters; use it as <YOUR_SECRET> below and in the client link
head -c 16 /dev/urandom | xxd -ps
# -p is the local stats port and -H the client port; the client port is 443 so that nginx's proxy_pass 127.0.0.1:443 reaches it
./mtproto-proxy -u nobody -p 8888 -H 443 -S <YOUR_SECRET> --aes-pwd proxy-secret proxy-multi.conf

Download the latest nginx source and compile it with the stream and stream_ssl modules:

wget http://nginx.org/download/nginx-1.17.3.tar.gz
tar xvf nginx-1.17.3.tar.gz
cd nginx-1.17.3
./configure \
	--prefix=/usr \
	--sbin-path=/usr/sbin \
	--conf-path=/etc/nginx/nginx.conf \
	--pid-path=/var/run/nginx.pid \
	--http-log-path=/var/log/nginx/access_log \
	--error-log-path=/var/log/nginx/error_log \
	--without-mail_imap_module \
	--without-mail_smtp_module \
	--with-http_ssl_module \
	--with-http_realip_module \
	--with-http_stub_status_module \
	--with-http_gzip_static_module \
	--with-http_dav_module \
	--with-http_v2_module \
	--with-stream \
	--with-stream_ssl_module
make
make install

Issue a self-signed certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Open /etc/nginx/nginx.conf (the path given to --conf-path above) and put in this configuration:

worker_processes  1;
events {
    worker_connections  1024;
}
stream {
    # terminate TLS from the front server and hand the plain MTProto stream to mtproto-proxy on 127.0.0.1:443
    server {
        listen     4433 ssl;
        proxy_pass 127.0.0.1:443;
        ssl_session_tickets on;
        ssl_certificate       /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key   /etc/ssl/private/nginx-selfsigned.key;
        #ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSL:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 10s;
    }
}

Apply the new configuration by restarting the nginx service:

service nginx restart

On 192.168.1.101

Download the latest nginx source and compile it with the stream and stream_ssl modules:

wget http://nginx.org/download/nginx-1.17.3.tar.gz
tar xvf nginx-1.17.3.tar.gz
cd nginx-1.17.3
./configure \
	--prefix=/usr \
	--sbin-path=/usr/sbin \
	--conf-path=/etc/nginx/nginx.conf \
	--pid-path=/var/run/nginx.pid \
	--http-log-path=/var/log/nginx/access_log \
	--error-log-path=/var/log/nginx/error_log \
	--without-mail_imap_module \
	--without-mail_smtp_module \
	--with-http_ssl_module \
	--with-http_realip_module \
	--with-http_stub_status_module \
	--with-http_gzip_static_module \
	--with-http_dav_module \
	--with-http_v2_module \
	--with-stream \
	--with-stream_ssl_module
make
make install

Open /etc/nginx/nginx.conf (the path given to --conf-path above) and put in this configuration:

worker_processes  1;
events {
    worker_connections  1024;
}
stream {
    # accept clients on 443 and forward them over TLS to the backend's stream listener on 4433
    server {
        listen     443;
        proxy_pass 192.168.1.202:4433;
        proxy_ssl on;
        # the backend presents a self-signed certificate, so verification is disabled:
        # this hop is encrypted, but the backend's identity is not checked
        proxy_ssl_verify off;
    }
}

Apply the new configuration by restarting the nginx service:

service nginx restart

Generate the client link with the following schema, pointing at the front server (the one clients reach directly): tg://proxy?server=192.168.1.101&port=443&secret=SECRET, where SECRET is the 32-hex-character value generated above.
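The chain above has three places where a port or address must agree (front proxy_pass against backend listen, backend proxy_pass against the mtproto-proxy client port, and the tg:// link against the front listener), and a mismatch in any of them silently breaks the setup. The following is an added example, not part of the gist, that checks those three hops against constructed copies of the two stream blocks and the mtproto-proxy command line, reports whether the front verifies the backend certificate (it does not here, because the certificate is self-signed), and builds the client link. The parser is a minimal, hypothetical one for single-server stream blocks; it assumes mtproto-proxy accepts clients on the port given with -H and uses -p for its local stats port, as the MTProxy README documents.

```python
import re
import secrets
from urllib.parse import urlencode

# Constructed copies of the two nginx stream blocks and the mtproto-proxy
# command line from this gist, inlined so the check runs offline.
BACKEND_CONF = """
stream {
    server {
        listen     4433 ssl;
        proxy_pass 127.0.0.1:443;
        ssl_certificate       /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key   /etc/ssl/private/nginx-selfsigned.key;
    }
}
"""

FRONT_CONF = """
stream {
    server {
        listen     443;
        proxy_pass 192.168.1.202:4433;
        proxy_ssl on;
        proxy_ssl_verify off;
    }
}
"""

MTPROXY_CMD = ("./mtproto-proxy -u nobody -p 8888 -H 443 -S <YOUR_SECRET> "
               "--aes-pwd proxy-secret proxy-multi.conf")

FRONT_IP, BACKEND_IP = "192.168.1.101", "192.168.1.202"


def parse_stream_server(conf):
    """Read the directives this check needs from a single-server stream block (hypothetical minimal parser)."""
    def directive(name):
        m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), conf, re.M)
        return m.group(1).split() if m else None

    listen, proxy_pass = directive("listen"), directive("proxy_pass")
    if not listen or not proxy_pass:
        raise ValueError("stream server needs both listen and proxy_pass")
    host, _, port = proxy_pass[0].rpartition(":")
    return {
        "listen_port": int(listen[0]),
        "listen_ssl": "ssl" in listen[1:],
        "upstream": (host, int(port)),
        "proxy_ssl": directive("proxy_ssl") == ["on"],
        # nginx defaults proxy_ssl_verify to off, so only an explicit "on" counts
        "proxy_ssl_verify": directive("proxy_ssl_verify") == ["on"],
    }


def parse_mtproxy_cmd(cmd):
    """Extract the client port (-H) and local stats port (-p) from the command line."""
    argv = cmd.split()

    def opt(flag):
        return int(argv[argv.index(flag) + 1]) if flag in argv else None

    return {"client_port": opt("-H"), "stats_port": opt("-p")}


def check_chain(front_conf, backend_conf, mtproxy_cmd, backend_ip):
    """List mismatches along front -> backend -> mtproto-proxy; an empty list means the hops line up."""
    front = parse_stream_server(front_conf)
    back = parse_stream_server(backend_conf)
    mtp = parse_mtproxy_cmd(mtproxy_cmd)
    problems = []
    if front["upstream"] != (backend_ip, back["listen_port"]):
        problems.append("front proxy_pass %s:%d does not match backend listen %d"
                        % (front["upstream"] + (back["listen_port"],)))
    if front["proxy_ssl"] != back["listen_ssl"]:
        problems.append("front proxy_ssl and backend 'listen ... ssl' disagree")
    host, port = back["upstream"]
    if host != "127.0.0.1" or port != mtp["client_port"]:
        problems.append("backend proxy_pass %s:%d but mtproto-proxy -H is %s"
                        % (host, port, mtp["client_port"]))
    if mtp["client_port"] == mtp["stats_port"]:
        problems.append("mtproto-proxy -p and -H use the same port")
    return problems


def new_secret():
    """16 random bytes as 32 hex chars, the same shape as `head -c 16 /dev/urandom | xxd -ps`."""
    return secrets.token_hex(16)


def client_link(front_ip, front_conf, secret):
    """Build the tg://proxy link; it must point at the front server's listen port, not the backend."""
    if not re.fullmatch(r"[0-9a-f]{32}", secret):
        raise ValueError("secret must be 32 lowercase hex characters")
    port = parse_stream_server(front_conf)["listen_port"]
    return "tg://proxy?" + urlencode({"server": front_ip, "port": port, "secret": secret})


if __name__ == "__main__":
    for problem in check_chain(FRONT_CONF, BACKEND_CONF, MTPROXY_CMD, BACKEND_IP):
        print("MISMATCH:", problem)
    if not parse_stream_server(FRONT_CONF)["proxy_ssl_verify"]:
        print("note: the front server does not verify the backend certificate")
    print(client_link(FRONT_IP, FRONT_CONF, new_secret()))
```

Running it against the gist's values reports no mismatch; changing the command line to `-H 8888` makes the check flag both the backend proxy_pass that no longer reaches mtproto-proxy and the collision with the stats port, which is the kind of inconsistency that is otherwise only discovered when clients fail to connect.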

ratijas commented Aug 27, 2025

That's cool for the use case where the one and only https port 443 on the public machine is used for MTProxy only. But it doesn't explain how to detect and multiplex other traffic.
