
“I inherited this mess, starting with the unscrupulous Zello and LinkedIn and ending with "all the rest" on the Telegram platform, in my world. And then, hiccupping, the official hastily and loudly added: but I will put things in order (here in IT)” (...).
“Durov rightly believes that authoritarian states should be afraid of him, the cypherpunk, and that Roskomnadzor and golden shields with their DPI filters do not really bother him.”
(Politics) My technical policy is simpler. I could write down here my thoughts on the careless blocking in Runet, but I believe that the progressive citizens of modern Russia and Habr's users have already felt the unprofessionalism of the current government on their own skin, so I will limit myself to a single phrase: our technical policy is “Digital Resistance”, that is, “providing relatives and friends with a stable communication channel.”
Deploy MTProto proxy Telegram
- Technical level of complexity: “easy”, if, for example, you follow this cheat sheet.
- Level of reliability: “above average”. The docker image works stably and you do not need to restart it every day, as the developers wrote in the official Telegram documentation, but the container probably contains some vulnerabilities.
- Resistance / anxiety level: “ten ISIS types weaving their conspiracy” vs. “relatives use it”; a ban has not arrived from the ILV even once in all this time (since spring).
- Level of trust: “public distrust”; the problem is on the client side (some friends are suspicious of my MtprotoProxy).
- Testosterone level: "did not get any higher."
- Financial costs: "0₽".
- Financial reward: "does not depend on citizen Durov." Promotion: the possibility of pushing advertising.
We will raise our TelegramProxy on the "free / personal" capacity of Amazon EC2: a t2.micro. I used this machine.
Okay, once your free server is deployed, go to the official Docker Hub website and download the docker container.
No need to search for any image, file, or magic button: “they are not there”; all the magic is done in the CLI:
$ docker pull telegrammessenger/proxy
But before “this”, install docker for the CLI (on Ubuntu the package is docker.io):
$ sudo apt-get install docker.io
Next, the official MtprotoProxyTelegram documentation suggests doing something like this, so we do it (run docker via sudo rather than `sudo su && ...`, which would only start docker after the root shell exits):
$ sudo docker run -d -p443:443 --name=mtproto-proxy --restart=always -v proxy-config:/data telegrammessenger/proxy:latest
After this command a long HEX string appears in the terminal output (the container id); it is of no interest to us.
We type in the CLI:
$ docker logs mtproto-proxy
And we get the necessary data:

In the output of this log we are shown (blurred in the screenshot):
A) our server ip (the external server ip);
B) a random secret: a random string in HEX.
Before registering our MtproProxy, you need to configure the main firewall, which sits above iptables (no matter how you redirect traffic on this VPC, it will misbehave, because the most important firewall in Amazon EC2 lives in the web interface and has higher priority than iptables).
Go to the "Amazon EC2 console", into the Security Group, and open inbound port 443 (basic traffic masking, for a start).

We take our ip and secret from the log, go to the Telegram messenger, find the official MTProxy Admin Bot (@MTProxybot) and register our MtproProxy: run the command /newproxy and enter our_ip:443, and then our secret (HEX).
If you mess up when entering the data, the bot will get angry and send you to ...
If you fill in both lines without errors, you will receive approval and a working link to your current MtprotoProxyTelegram, which you can share with anyone.

Through this bot you can also add your sponsor channel (but not a chat), where you will impose your views on the users who have connected to your server; but you cannot "spam" or disturb your potential customers beyond showing the channel in the pinned chat list.
Just a few words about the bot: you can request statistics there, but you will get "zilch again". Apparently “statistics” become available when a “crowd of freeloaders” is behind you (Makhachkala).
Monitoring
And how many users can we connect to our server? And anyway, who / what is there? What? And how many?
We look at the official documentation ... Aha, here we go:
$ curl http://localhost:2398/stats
$ docker exec mtproto-proxy curl http://localhost:2398/stats
“Don't hold your breath.” For the suggested commands we will always get the same error:
“curl: (7) Failed to connect to localhost port 2398: Connection refused”
Our proxy will work. But statistics? Zilch is what we get.
You can do the geek thing and check:
$ netstat -an | grep 2398 ...
At first I thought this was yet another bug by the Telegram developers (and I still think so); then I found a temporary but decent solution: patch the docker container by hand.
Later some info caught my eye about Roskomnadzor's dances around the "statistics":
“We blocked part of the public proxies on our servers using the firehol project databases. This project monitors lists of public proxies and builds databases from them.
From this moment (that is, for almost two days already) not a single IP address of our Russian proxy has been blocked.
3. We tell how to make proxies almost invulnerable to Roskomnadzor and share the script for blocking public proxies.
- Update the docker container (or daemon) of MTProto proxy to the latest version: the ILV finds old versions via the statistics port, which was bound on 0.0.0.0 and uniquely identified itself to the entire Internet. Better, open the ports you need using iptables and close the rest (remember that in the case of the docker container you should use the FORWARD rule).
- Roskomnadzor has long since learned to dump traffic: they see calls inside HTTP and SOCKS5 proxies, and they also see the old version of MTProto proxy obfuscation.
When clients of some providers that have such dumps installed contact Telegram through such proxies, the ILV sees such calls and immediately blocks these proxies. The same goes for MTProto proxy with the old obfuscation.
Solution: hand out to clients who connect to the proxy only a secret with dd at the beginning (you do not need to specify the additional letters dd in the settings of the mtproto proxy itself). This enables a version of obfuscation that the dumps cannot detect.
And no HTTP or SOCKS5 proxies.
- A fix by means of which every owner of a telegram proxy that the ILV regularly bans can completely (or almost completely) stop the blocking (and at the same time make sure that the ILV is lying).
A script that bans public proxies and a small manual for it.”
→ Source
Our proxy is pro-Western; I did not run into any problems or blocks during the spring and the cool summer days, it was not used for anything creative either, so I did not bother with the loss of tempo and did not add the dd* prefix to the key.
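The registration step (ip and secret from `docker logs`, then /newproxy) and the dd prefix from the quoted post can be put into a small script. What follows is an added example, not code from the article or from the telegrammessenger/proxy image: it pulls the 32-hex-character secret out of a log excerpt and prints both the plain tg:// link and the dd-prefixed one that clients would use. The log lines are constructed to resemble the container output (the real wording may differ, which is why the parser only relies on finding a 32-character hex token on a line that mentions "secret"), and 203.0.113.10 is a placeholder address.

```shell
#!/bin/sh
# Added example (not from the article or the proxy image): derive the
# tg://proxy links for clients from the secret that `docker logs` prints.
# SAMPLE_LOG is CONSTRUCTED to look like the container's output; the real
# wording may differ, so extract_secret only relies on finding a
# 32-hex-character token on a line that mentions "secret".
SAMPLE_LOG='Generating new secret... done.
[+] Using the explicitly passed secret: `0123456789ABCDEF0123456789abcdef`.
[+] Saved secret to /data/secret
[*] Final configuration:
[*]   Secret 1: 0123456789ABCDEF0123456789abcdef'

# extract_secret LOGTEXT: print the secret in lowercase hex, or print
# nothing and return 1 when no 32-hex-character token is found.
extract_secret() {
    s=$(printf '%s\n' "$1" | grep -i 'secret' | grep -o -E '[0-9a-fA-F]{32}' | head -n 1)
    [ -n "$s" ] || return 1
    printf '%s\n' "$s" | tr 'A-F' 'a-f'
}

# build_links IP SECRET [PORT]: print two tg:// links, the plain one and the
# "dd"-prefixed one that switches on the padded obfuscation the quoted post
# recommends (dd is added only in what clients receive, never in the proxy's
# own settings). Refuses anything that is not exactly 32 lowercase hex chars.
build_links() {
    ip=$1; secret=$2; port=${3:-443}
    case "$secret" in
        *[!0-9a-f]* | '') echo "build_links: secret must be 32 hex chars" >&2; return 1 ;;
    esac
    [ "${#secret}" -eq 32 ] || { echo "build_links: secret must be 32 hex chars" >&2; return 1; }
    printf 'tg://proxy?server=%s&port=%s&secret=%s\n' "$ip" "$port" "$secret"
    printf 'tg://proxy?server=%s&port=%s&secret=dd%s\n' "$ip" "$port" "$secret"
}

# Stand-alone demo with a placeholder server address.
secret=$(extract_secret "$SAMPLE_LOG") || { echo "no secret found in log" >&2; exit 1; }
build_links 203.0.113.10 "$secret"
```

In real use replace SAMPLE_LOG with `"$(docker logs mtproto-proxy 2>&1)"` and the placeholder ip with the external address from the same log; the second link is the one to hand out if you decide to enable the dd variant.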
The “getting statistics / monitoring” how-to from the official MtprotoProxyTelegram instructions does not work / is outdated; you will have to patch the docker image.
Let's fix it.
The container is still running, so stop it and start a new one on the host network:
$ docker stop mtproto-proxy
$ docker run --net=host --name=mtproto-proxy2 -d -p443:443 -v proxy-config:/data -e SECRET=___hex telegrammessenger/proxy:latest
(With --net=host the -p443:443 mapping is ignored and docker warns about it; the proxy binds port 443, and the stats port, directly on the host.)
Check the statistics:
$ curl http://localhost:2398/stats
curl: (7) Failed to connect to 0.0.0.0 port 2398: Connection refused
Statistics are still unavailable!..
We find out the identifier of the docker container:
$ docker ps
CONTAINER ID   IMAGE                            COMMAND                  CREATED             STATUS              PORTS                  NAMES
f423c209cfdc   telegrammessenger/proxy:latest   "/bin/sh -c '/bin/ba…"   About an hour ago   Up About a minute   0.0.0.0:443->443/tcp   mtproto-proxy2
We go inside the docker container with our own rules:
$ sudo docker exec -it f423c209cfdc /bin/bash
# apt-get update
# apt-get install nano
# nano run.sh
In the very last line of the “run.sh” script, add the missing flag “--http-stats”. The line looks like this:
exec /usr/local/bin/mtproto-proxy -p 2398 -H 443 -M "$WORKERS" -C 60000 --aes-pwd /etc/telegram/hello-explorers-how-are-you-doing -u root $CONFIG --allow-skip-dh --nat-info "$INTERNAL_IP:$IP" $SECRET_CMD $TAG_CMD
Add "--http-stats"; something like this should work:
exec /usr/local/bin/mtproto-proxy -p 2398 --http-stats -H 443 -M "$WORKERS" -C 60000 --aes-pwd /etc/telegram/hello-explorers-how-are-you-doing -u root $CONFIG --allow-skip-dh --nat-info "$INTERNAL_IP:$IP" $SECRET_CMD $TAG_CMD
Ctrl + o / Ctrl + x / Ctrl + d (save / exit nano / exit container).
We restart our docker container:
$ docker restart mtproto-proxy2
That's it; now the command:
$ curl http://localhost:2398/stats

There is a lot of “garbage” in the statistics (the screenshot shows about a third of it), so create an alias:
$ echo "alias telega='curl localhost:2398/stats | grep -e total_special -e load_average_total'" >> ~/.bashrc && source ~/.bashrc
We get what we patched the docker container for: the number of connections and the load:
$ telega
The docker container is working, the statistics are spinning.
Resources spent
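With --net=host the mtproto-proxy stats listener lives in the host's network namespace, and the quoted post above names a stats port bound on 0.0.0.0 as exactly what let the ILV identify old proxies. The check below is an added example, not code from the article: it reads `netstat -an` output (here constructed sample lines, with a deliberately exposed listener among them) and reports any LISTEN socket on the stats port that is bound to something other than loopback. STATS_PORT=2398 comes from the article's run.sh; the addresses in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): verify that the mtproto-proxy stats
# endpoint is reachable only on loopback. Input is `netstat -an` output; the
# lines below are CONSTRUCTED, with the "bad" 0.0.0.0:2398 listener included
# on purpose. 2398 is the stats port (-p 2398) from the article's run.sh.
STATS_PORT=2398

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2398            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2398          0.0.0.0:*               LISTEN
tcp        0      0 172.31.5.7:443          198.51.100.23:51234     ESTABLISHED'

# exposed_stats_listeners NETSTAT_TEXT: print the local address of every
# LISTEN socket on STATS_PORT whose bind address is not loopback
# (127.0.0.1 or ::1). Empty output means nothing is exposed.
exposed_stats_listeners() {
    printf '%s\n' "$1" | awk -v port="$STATS_PORT" '
        $NF == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            # everything before the last ":" is the bind address (IPv4 or IPv6)
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next
            print $4
        }'
}

# stats_port_is_private NETSTAT_TEXT: succeed (exit 0) only when no
# non-loopback listener exists on STATS_PORT.
stats_port_is_private() {
    [ -z "$(exposed_stats_listeners "$1")" ]
}

# check_stats_exposure NETSTAT_TEXT: human-readable verdict. Because the
# container shares the host stack under --net=host, the remedy is host-side:
# an iptables INPUT rule or the EC2 Security Group that leaves only 443 open.
check_stats_exposure() {
    exposed=$(exposed_stats_listeners "$1")
    if [ -z "$exposed" ]; then
        echo "OK: stats port $STATS_PORT is bound to loopback only"
        return 0
    fi
    echo "WARNING: stats port $STATS_PORT reachable beyond loopback on: $exposed"
    echo "Keep it closed from outside (only 443 should be open) and never publish it."
    return 1
}

# Demo: the sample deliberately contains an exposed listener, so this warns.
check_stats_exposure "$SAMPLE_NETSTAT" || true
```

For a live check replace SAMPLE_NETSTAT with `"$(netstat -an)"` on the EC2 host; the Security Group that only opens 443 keeps the port closed from the Internet, and this check tells you whether the host itself would answer if that rule were ever loosened.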
No matter how cool you are, even you, Stuart Redman, leave a mark, if only on your underpants. A working Docker image leaves quite a big mark.
There is no point describing the advantages and disadvantages of docker images; a docker container is a mini virtual machine that consumes fewer resources than a “real” virtual machine such as VirtualBox, but it consumes them nonetheless.
1) Whether the docker image is launched with or without statistics, whether two clients or ten are frolicking, the resources used are about the same: ~7.5% of the total CPU performance of the t2.micro.
2) We look at the monitoring of the VPC server:

From the resource utilization graph of the VPC we see that the docker container constantly consumes ~7.5% of the total maximum CPU performance, and that on May 28 I stopped it intentionally / temporarily (note: OpenVPN & pptp are also running on the server).
Why is a constant 10% CPU load the limit for this server?
Because Amazon EC2 imposes restrictions, and they are counted in credits:

1 CPU credit = 1 CPU running at 100% load for one minute, and we have 6 credits (per hour), that is, a peak of 100% CPU utilization is possible for 6 minutes, after which the CPU power is throttled. Other combinations: for example, 1 CPU credit = 1 CPU running at 50% load for two minutes (so we can use the CPU at 50% load for 12 minutes), or, for example, a constant 10% CPU load the whole time, etc.
Findings
We are part of the Digital Resistance. We provided our “dads and moms” with a reliable communication channel.
- If you have MtprotoProxyTelegram and OpenVPN deployed on the server, but nothing more, there will be no delays / pings / failures; but if you are constantly experimenting with your t2.micro, then expect communication slowdowns.
- My overseas ping is ~100-250 ms; there are no delays in voice communication.
- Financial costs for all “this” (including VPC resources) = 0₽.
Reprint of my article. UPD: Thanks to some Habr users for useful comments; it is really possible (statistics supported?), there are better analogues to the official docker image of Mtproto proxy Telegram.