2026-01-20 01:20:02 +03:00
# === General Settings ===
[ general ]
fast_mode = true
2026-02-07 19:49:41 +03:00
use_middle_proxy = true
2026-02-19 20:40:11 +03:00
# ad_tag = "00000000000000000000000000000000"
2026-02-19 16:19:58 +03:00
# Path to proxy-secret binary (auto-downloaded if missing).
proxy_secret_path = "proxy-secret"
2026-02-19 20:40:11 +03:00
# disable_colors = false # Disable colored output in logs (useful for files/systemd)
2026-02-19 16:19:58 +03:00
2026-02-19 21:15:42 +03:00
# === Log Level ===
# Log level: debug | verbose | normal | silent
# Can be overridden with --silent or --log-level CLI flags
# RUST_LOG env var takes absolute priority over all of these
log_level = "normal"
# === Middle Proxy - ME ===
2026-02-19 16:19:58 +03:00
# Public IP override for ME KDF when behind NAT; leave unset to auto-detect.
2026-02-19 20:40:11 +03:00
# middle_proxy_nat_ip = "203.0.113.10"
2026-02-19 16:19:58 +03:00
# Enable STUN probing to discover public IP:port for ME.
middle_proxy_nat_probe = true
# Primary STUN server (host:port); defaults to Telegram STUN when empty.
middle_proxy_nat_stun = "stun.l.google.com:19302"
# Optional fallback STUN servers list.
middle_proxy_nat_stun_servers = [ "stun1.l.google.com:19302" , "stun2.l.google.com:19302" ]
# Desired number of concurrent ME writers in pool.
middle_proxy_pool_size = 16
# Pre-initialized warm-standby ME connections kept idle.
middle_proxy_warm_standby = 8
# Ignore STUN/interface mismatch and keep ME enabled even if IP differs.
stun_iface_mismatch_ignore = false
# Keepalive padding frames - fl==4
me_keepalive_enabled = true
me_keepalive_interval_secs = 25 # Period between keepalives
me_keepalive_jitter_secs = 5 # Jitter added to interval
me_keepalive_payload_random = true # Randomize 4-byte payload (vs zeros)
# Stagger extra ME connections on warmup to de-phase lifecycles.
me_warmup_stagger_enabled = true
me_warmup_step_delay_ms = 500 # Base delay between extra connects
me_warmup_step_jitter_ms = 300 # Jitter for warmup delay
# Reconnect policy knobs.
me_reconnect_max_concurrent_per_dc = 1 # Parallel reconnects per DC - EXPERIMENTAL! UNSTABLE!
me_reconnect_backoff_base_ms = 500 # Backoff start
me_reconnect_backoff_cap_ms = 30000 # Backoff cap
me_reconnect_fast_retry_count = 11 # Quick retries before backoff
2026-02-23 20:50:39 +03:00
update_every = 7200 # Resolve the active updater interval for ME infrastructure refresh tasks.
crypto_pending_buffer = 262144 # Max pending ciphertext buffer per client writer (bytes). Controls FakeTLS backpressure vs throughput.
max_client_frame = 16777216 # Maximum allowed client MTProto frame size (bytes).
desync_all_full = false # Emit full crypto-desync forensic logs for every event. When false, full forensic details are emitted once per key window.
me_reinit_drain_timeout_secs = 300 # Drain timeout in seconds for stale ME writers after endpoint map changes. Set to 0 to keep stale writers draining indefinitely (no force-close).
auto_degradation_enabled = true # Enable auto-degradation from ME to Direct-DC.
degradation_min_unavailable_dc_groups = 2 # Minimum unavailable ME DC groups before degrading.
2026-02-07 19:49:41 +03:00
2026-02-19 21:15:42 +03:00
[ general . modes ]
classic = false
secure = false
tls = true
[ general . links ]
show = "*"
# show = ["alice", "bob"] # Only show links for alice and bob
# show = "*" # Show links for all users
# public_host = "proxy.example.com" # Host (IP or domain) for tg:// links
# public_port = 443 # Port for tg:// links (default: server.port)
# === Network Parameters ===
2026-02-18 06:00:21 +03:00
[ network ]
2026-02-19 20:36:09 +03:00
# Enable/disable families: true/false/auto(None)
2026-02-18 06:00:21 +03:00
ipv4 = true
2026-02-19 20:36:09 +03:00
ipv6 = false # UNSTABLE WITH ME
2026-02-18 06:00:21 +03:00
# prefer = 4 or 6
prefer = 4
2026-02-19 20:36:09 +03:00
multipath = false # EXPERIMENTAL!
2026-02-18 06:00:21 +03:00
2026-01-20 01:20:02 +03:00
# === Server Binding ===
[ server ]
2025-12-30 05:08:05 +03:00
port = 443
2026-01-20 01:20:02 +03:00
listen_addr_ipv4 = "0.0.0.0"
listen_addr_ipv6 = "::"
2026-02-16 04:22:26 +03:00
# listen_unix_sock = "/var/run/telemt.sock" # Unix socket
# listen_unix_sock_perm = "0666" # Socket file permissions
2026-02-20 13:51:50 +03:00
# proxy_protocol = false # Enable if behind HAProxy/nginx with PROXY protocol
2026-01-20 01:20:02 +03:00
# metrics_port = 9090
# metrics_whitelist = ["127.0.0.1", "::1"]
2025-12-30 05:08:05 +03:00
2026-02-19 21:15:42 +03:00
# Listen on multiple interfaces/IPs - IPv4
2026-01-20 01:20:02 +03:00
[ [ server . listeners ] ]
ip = "0.0.0.0"
2025-12-30 05:08:05 +03:00
2026-02-19 21:15:42 +03:00
# Listen on multiple interfaces/IPs - IPv6
2026-01-20 01:20:02 +03:00
[ [ server . listeners ] ]
ip = "::"
2025-12-30 05:08:05 +03:00
2026-01-20 01:20:02 +03:00
# === Timeouts (in seconds) ===
[ timeouts ]
2026-02-19 16:19:58 +03:00
client_handshake = 30
2026-01-20 01:20:02 +03:00
tg_connect = 10
client_keepalive = 60
client_ack = 300
2026-02-19 16:19:58 +03:00
# Quick ME reconnects for single-address DCs (count and per-attempt timeout, ms).
me_one_retry = 12
me_one_timeout_ms = 1200
2026-01-20 01:20:02 +03:00
# === Anti-Censorship & Masking ===
[ censorship ]
2026-02-13 03:51:36 +03:00
tls_domain = "petrovich.ru"
2026-02-20 13:51:50 +03:00
# tls_domains = ["example.com", "cdn.example.net"] # Additional domains for EE links
2026-01-20 01:20:02 +03:00
mask = true
mask_port = 443
# mask_host = "petrovich.ru" # Defaults to tls_domain if not set
2026-02-12 18:53:07 +03:00
# mask_unix_sock = "/var/run/nginx.sock" # Unix socket (mutually exclusive with mask_host)
2026-01-20 01:20:02 +03:00
fake_cert_len = 2048
2026-02-20 13:51:50 +03:00
# tls_emulation = false # Fetch real cert lengths and emulate TLS records
# tls_front_dir = "tlsfront" # Cache directory for TLS emulation
2026-01-20 01:20:02 +03:00
# === Access Control & Users ===
[ access ]
replay_check_len = 65536
2026-02-07 18:26:44 +03:00
replay_window_secs = 1800
2026-01-20 01:20:02 +03:00
ignore_time_skew = false
[ access . users ]
# format: "username" = "32_hex_chars_secret"
hello = "00000000000000000000000000000000"
# [access.user_max_tcp_conns]
# hello = 50
2026-02-14 23:04:15 +02:00
# [access.user_max_unique_ips]
2026-02-16 04:22:26 +03:00
# hello = 5
2026-02-14 23:04:15 +02:00
2026-01-20 01:20:02 +03:00
# [access.user_data_quota]
# hello = 1073741824 # 1 GB
2026-02-20 22:02:34 +03:00
# [access.user_expirations]
2026-02-20 22:23:16 +03:00
# format: username = "[year]-[month]-[day]T[hour]:[minute]:[second]Z" UTC
2026-02-20 22:02:34 +03:00
# hello = "2027-01-01T00:00:00Z"
2026-01-20 01:20:02 +03:00
# === Upstreams & Routing ===
[ [ upstreams ] ]
type = "direct"
enabled = true
weight = 10
2026-02-20 13:51:50 +03:00
# interface = "192.168.1.100" # Bind outgoing to specific IP or iface name
# bind_addresses = ["192.168.1.100"] # List for round-robin binding (family must match target)
2026-01-20 01:20:02 +03:00
# [[upstreams]]
# type = "socks5"
2026-02-13 03:51:36 +03:00
# address = "127.0.0.1:1080"
2026-01-20 01:20:02 +03:00
# enabled = false
2026-02-16 04:22:26 +03:00
# weight = 1
# === DC Address Overrides ===
# [dc_overrides]
# "203" = "91.105.192.100:443"
