Deployment Overview of Telegram MTProxy on Server
Prerequisites and Basic Requirements
To successfully deploy the Telegram MTProxy application, the following system requirements must be met:
- Operating System: Ubuntu (compatible with Docker Engine).
- Privileges: Root access or `sudo` privileges are required to manage Docker containers and system directories.
- Docker Engine: Docker and Docker Compose must be installed and running on the host server.
- Network Access: The server must have a public IPv4 address reachable by clients.
- Ports: Port `443` must be open on the server firewall to allow incoming proxy connections.
File and Directory Structure
The application utilizes a specific directory structure to store configuration files, secrets, and Docker Compose definitions. All files are located under the root user's home directory.
- Base Directory: `/root/telegram-proxy`
- Compose File: `/root/telegram-proxy/compose.yml`
- Secret Key File: `/root/telegram-proxy/secret`
Application Installation Process
The Telegram MTProxy is deployed using Docker Compose. The installation process involves the following steps:
- Create the directory `/root/telegram-proxy` with permissions set to `0750` owned by `root`.
- Generate a cryptographic secret key using `openssl rand -hex 16` if one does not already exist.
- Persist the generated secret to the file `/root/telegram-proxy/secret` with permissions `0600`.
- Generate the `compose.yml` file within the base directory, injecting the secret key into the environment variables.
- Execute the Docker Compose command to start the container in detached mode.
The deployment uses the official image telegrammessenger/proxy:latest.
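The five steps above as one idempotent script, an added example that is not part of the original page or the project's own tooling. The Compose service key `mtproxy`, the `BASE_DIR` override and the `deploy` argument are assumptions of this example; validating the secret before it is written into `compose.yml` and creating both files under `umask 077` are choices made here, not steps the page states.

```shell
#!/bin/sh
# Added example (not the project's own script): idempotent MTProxy deployment.
set -eu
umask 077   # files that hold the secret are never created group/world-readable
BASE_DIR="${BASE_DIR:-/root/telegram-proxy}"   # run as root so root owns the files

# Steps 1-3: create the directory, reuse or generate the secret, lock it down.
ensure_secret() {
    mkdir -p "$BASE_DIR"
    chmod 0750 "$BASE_DIR"
    if [ ! -s "$BASE_DIR/secret" ]; then
        openssl rand -hex 16 > "$BASE_DIR/secret"
    fi
    chmod 0600 "$BASE_DIR/secret"
    secret="$(tr -d '[:space:]' < "$BASE_DIR/secret")"
    # Only 32 hex characters (16 bytes) may reach the YAML below.
    case "$secret" in
        *[!0-9a-fA-F]*) echo "secret is not hex" >&2; return 1 ;;
    esac
    [ "${#secret}" -eq 32 ] || { echo "secret is not 32 chars" >&2; return 1; }
    printf '%s' "$secret"
}

# Step 4: render compose.yml with the secret injected.
# The file embeds the secret, so this example keeps it at 0600 (assumption).
write_compose() {
    cat > "$BASE_DIR/compose.yml" <<EOF
services:
  mtproxy:
    image: telegrammessenger/proxy:latest
    container_name: mtproxy
    restart: unless-stopped
    ports:
      - "443:443"
    environment:
      SECRET: "$1"
EOF
    chmod 0600 "$BASE_DIR/compose.yml"
}

# Step 5: start the container in detached mode.
deploy() {
    s="$(ensure_secret)"
    write_compose "$s"
    docker compose -f "$BASE_DIR/compose.yml" up -d
}

# Hypothetical trigger: "sh deploy.sh deploy"; without it only functions are defined.
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Re-running the script keeps an existing secret, so previously distributed connection links stay valid.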
Docker Containers and Their Deployment
The application runs as a single Docker container managed by Docker Compose.
- Container Name: `mtproxy`
- Image: `telegrammessenger/proxy:latest`
- Restart Policy: `unless-stopped`
- Port Mapping: Host port `443` maps to container port `443`.
- Environment Variables:
  - `SECRET`: The cryptographic key required for client authentication.
To deploy the container, navigate to the configuration directory and run:
Access Rights and Security
Security is enforced through file permissions and network isolation.
- Directory Permissions: The `/root/telegram-proxy` directory is set to `0750` (read/write/execute for owner, read/execute for group).
- Secret File Permissions: The secret file `/root/telegram-proxy/secret` is set to `0600` (read/write for owner only), ensuring the secret key is not accessible by other users.
- Ownership: All files and directories are owned by the `root` user and `root` group.
- Firewall: Ensure that port `443` is allowed through the server's firewall (e.g., `ufw` or `iptables`) to accept incoming traffic.
Available Ports for Connection
Clients connect to the proxy using the following port configuration:
| Protocol | Port | Description |
|---|---|---|
| TCP | 443 | Primary port for MTProxy traffic |
Starting, Stopping, and Updating
Service management is handled via Docker Compose commands executed from the /root/telegram-proxy directory.
- Start the Service:
- Stop the Service:
- Update the Image: To pull the latest version of the `telegrammessenger/proxy:latest` image and restart the container:
Location of Configuration Files and Data
The critical configuration and data files are located as follows:
- Docker Compose Definition: `/root/telegram-proxy/compose.yml`
- Secret Key: `/root/telegram-proxy/secret`
The secret key is automatically generated on the first run and stored in the secret file. This key is required to construct the connection links for Telegram clients.
Connection Links
Once deployed, clients can connect using the server's public IP address, port 443, and the secret key stored in /root/telegram-proxy/secret. The connection links follow these formats:
- Telegram App Link: `tg://proxy?server=<SERVER_IP>&port=443&secret=<SECRET>`
- Web Link: `https://t.me/proxy?server=<SERVER_IP>&port=443&secret=<SECRET>`
Replace <SERVER_IP> with the server's public IPv4 address and <SECRET> with the content of the secret file.