Bỏ qua

Changelog

4.9.0

PROXY protocol v1/v2 listener support (#50).

  • PROXY protocol — accept HAProxy PROXY protocol v1 (text) and v2 (binary) headers on client listeners. Required when running behind a load balancer (HAProxy, nginx, AWS NLB) that injects client IP. Enable with --proxy-protocol (CLI), proxy_protocol = true (TOML), or PROXY_PROTOCOL=true (Docker).
  • Auto-detects v1 and v2 headers, extracts real client IP, re-checks IP ACLs against the real address.
  • v2 LOCAL command accepted for load balancer health check probes.
  • New Prometheus metrics: teleproxy_proxy_protocol_connections_total, teleproxy_proxy_protocol_errors_total.
  • Fix auto-generated secret not written to TOML config — start.sh now correctly stores the generated secret in the TOML config.
  • Documentation: complete SEO overhaul with per-page meta descriptions, OpenGraph tags, JSON-LD structured data, and robots.txt.
  • Translations: Russian documentation now at 100% coverage, Farsi and Vietnamese expanded to 38%.
  • TON wallet added as a donation option alongside Tribute.

4.8.0

DC health probes (#47).

  • DC latency probes - periodic TCP handshake measurement to all 5 Telegram DCs, exposed as Prometheus histograms (teleproxy_dc_latency_seconds), failure counters, and last-latency gauges. Helps operators diagnose slow downloads and pick optimal DC routing.
  • Disabled by default. Enable with --dc-probe-interval 30 (CLI), dc_probe_interval = 30 (TOML), or DC_PROBE_INTERVAL=30 (Docker env).
  • Probes run in the master process only. Completion is tracked via non-blocking poll to preserve sub-millisecond accuracy.
  • Text stats endpoint includes per-DC latency, average, count, and failure fields.

4.7.0

Per-secret quotas, unique-IP limits, and expiration (#26).

  • Data quota — cap total bytes transferred per secret; active connections are closed and new ones rejected when exhausted. Configurable in bytes or human-readable sizes (quota = "10G")
  • Unique IP limit — cap how many distinct client IPs can use a secret simultaneously (max_ips = 5). Additional connections from an already-connected IP are always allowed
  • Secret expiration — auto-disable a secret after a timestamp (expires = 2025-12-31T23:59:59Z). Existing connections continue; only new ones are rejected
  • Per-reason rejection counters in Prometheus and plain-text stats (rejected_quota, rejected_ips, rejected_expired)
  • Docker env vars: SECRET_QUOTA_N, SECRET_MAX_IPS_N, SECRET_EXPIRES_N
  • SOCKS5 upstream proxy support (#22)
  • One-click cloud deploy page
  • Documentation: install/upgrade instructions, SOCKS5 docs, Observatory link

4.6.0

DPI resistance and operational improvements.

  • ServerHello size variation widened from ±1 to ±32 bytes, mimicking the natural variation in certificate chain and session ticket sizes seen from real TLS servers
  • ServerHello fragmentation: ServerHello and CCS+AppData are now sent as separate TCP segments, defeating DPI that pattern-matches the full handshake response in a single packet
  • Docker healthcheck respects custom STATS_PORT — previously hardcoded to 8888, now uses ${STATS_PORT:-8888} (#38)
  • install.sh supports multiple secrets via comma-separated SECRET or numbered SECRET_N variables
  • /link endpoint serves connection links as HTML pages with scannable QR codes

New documentation: DPI Resistance — covers server-side mitigations, recommended setup, and client-side bypass tools.

Client-side detection

The primary detection vector for MTProxy fake-TLS in Russia is the Telegram client's TLS fingerprint, which cannot be fixed server-side. Telegram Desktop fixed several fingerprint artifacts; keep clients updated. For affected networks, client-side bypass tools like zapret and GoodbyeDPI can help.

4.5.0

QR codes for connection links.

  • teleproxy link subcommand prints a proxy URL and renders a scannable QR code in the terminal using UTF-8 half-block characters
  • Docker start.sh and install.sh now display QR codes automatically at startup — point a phone camera at the screen to connect
  • Vendored nayuki/QR-Code-generator (MIT) for zero-dependency QR rendering on any platform
  • E2E tests decode the rendered QR output with pyzbar and verify it matches the expected URL
  • Documentation: new "Connection Links" page (en + ru)

4.4.0

  • teleproxy check diagnostic subcommand — validates configuration and tests connectivity before accepting clients. Checks DC reachability, NTP clock drift, fake-TLS domain probe, and SNI/DNS mismatch. Exit 0/1/2 for pass/fail/bad-args.

4.3.0

Direct mode connection resilience.

  • IPv6 auto-detection: probe at startup, enable without -6 if reachable
  • Multiple addresses per DC with synchronous failover on connect failure
  • Connection retry with exponential backoff (200ms–800ms, 3 attempts)
  • --dc-override dc_id:host:port to add or replace DC addresses (repeatable). Docker: DC_OVERRIDE=2:1.2.3.4:443,2:5.6.7.8:443
  • New stat: direct_dc_retries / teleproxy_direct_dc_retries_total

4.2.1

  • Fix aarch64 build: remove unused x86-only sys/io.h include
  • Add native ARM64 glibc build to CI (catches platform-specific issues masked by Alpine/musl)

4.2.0

  • --stats-allow-net CIDR flag to extend stats endpoint access beyond RFC1918 ranges (repeatable). Docker: STATS_ALLOW_NET=100.64.0.0/10,fd00::/8

4.1.0

MTProto transport protocol compliance improvements.

  • Detect and log transport error codes (-404, -429, etc.) from DCs in direct mode
  • Detect transport error codes in medium mode client parse path
  • Track quick ACK packets with teleproxy_quickack_packets_total counter
  • Track transport errors with teleproxy_transport_errors_total counter

4.0.0

Rebrand to Teleproxy. Binary renamed from mtproto-proxy to teleproxy.

  • Binary name: teleproxy (was mtproto-proxy)
  • Prometheus metrics prefix: teleproxy_ (was mtproxy_)
  • Docker user/paths: /opt/teleproxy/ (was /opt/mtproxy/)
  • Environment variables: TELEPROXY_* (old MTPROXY_* still accepted with deprecation warning)
  • Docker image includes backward-compat symlink mtproto-proxy -> teleproxy
  • CLI flags and behavior unchanged