Deploying your MTProxy Telegram with statistics

"I inherited this mess,
starting with the shameless Zello; LinkedIn
and ending with "everyone else" on the Telegram platform
in my world.

And then hiccup,
The official added hastily and loudly:
but I will put things in order (here in IT)"
(...).

Durov rightly believes that it is authoritarian states that should be afraid of him, a cypherpunk, and that Roskomnadzor and golden shields with their DPI filters do not really bother him.
(Political technique)

My technical policy is simpler. I could describe my thoughts on careless blocking in the Runet here, but I believe that the progressive citizens of modern Russia and Habr users have felt the unprofessionalism of the current government on their own skin, so I will limit myself to a single phrase: our technical policy is "Digital Resistance": providing relatives and friends with a stable communication channel.

Deploying MTProto proxy Telegram

  • The technical level of complexity is “easy”, if, for example, you follow this cheat sheet.
  • The reliability level is “above average”: the docker image works stably, it does not need to be restarted every day, as the developers wrote in their official Telegram documentation, but the container probably contains some vulnerabilities.
  • The level of resistance/anxiety - 10 ISIS members are weaving their conspiracies "relatives use", the ban has not come from the RKN even once all the time (since spring).
  • The trust level is "public baby distrust", a problem on the client side (some friends are suspicious of my MtprotoProxy).
  • Testosterone levels - "did not get higher."
  • Financial costs - "0₽".
  • Financial reward - "does not depend on citizen Durov." Promotion - the ability to impose advertising.

We will raise our TelegramProxy on the “free / personal” capacities of Amazon EC2: t2.micro. I used such a machine.

Okay, once your free server is deployed, go to the official Docker Hub website and download the docker container.

No need to look for some image, file, or magic button - "they are not there", all the magic is done in the CLI:

$ docker pull telegrammessenger/proxy # the image is downloaded

But before "that", install docker for CLI:

$ sudo apt-get install docker.io

Next, the official MTProxy documentation suggests something like the following, so we do it:

$ sudo docker run -d -p443:443 --name=mtproto-proxy --restart=always -v proxy-config:/data telegrammessenger/proxy:latest # start our container "mtproto-proxy"

After this command, a HEX string will appear in the terminal output, but we are not interested in it.

We write in CLI:

$ docker logs mtproto-proxy

And we get the required data:

The output of this log shows (blurred in the screenshot):

A) our server ip (external server ip);
B) and a random secret - a random string in HEX.

Before registering our MTProxy, you need to configure the main firewall that sits above iptables (however you redirect traffic on this VPC with iptables, it will not work, because the main firewall in Amazon EC2 is configured in the web interface and takes priority over iptables).

We go to the Security Group in the Amazon EC2 console and open incoming port 443 (a natural way to mask the traffic, at first glance).

We take our “ip and secret” data from the log and go to the Telegram messenger, find the official MTProxy Admin Bot (@MTProxybot) and register our MTProxy: run the [/newproxy] command and enter [our_ip:443], and then our [secret /HEX].

If you mess up when entering data, the bot will get angry and send you to ...

If you fill in two lines without errors, you will receive approval and a working link to your current MtprotoProxyTelegram, which you can share with anyone.

Also, through this bot, you can add your sponsored channel (but not a chat), where you will impose your views on users who have connected to your server. Or you can choose not to "spam" and not bother your potential customers, and not show the channel in the messenger's pinned list.

A few more words about the bot: you can request statistics from it, but you get nothing there either. Apparently, "statistics" is available when you have "a crowd of freeloaders" behind you Makhachkala.

Monitoring

How many users can we connect to our server? And anyway, who / what is there? What? And how many?

We look at what the official documentation says ... Yeah, here, do it like this:

$ curl http://localhost:2398/stats

or like this:

$ docker exec mtproto-proxy curl http://localhost:2398/stats # and we are given the statistics right in the CLI

Fat chance. With the proposed commands we always get an error like this:

«curl: (7) Failed to connect to localhost port 2398: Connection refused»

Our proxy will work. But! We get zilch instead of statistics.

You can also do the geek thing and check:

$ netstat -an | grep 2398

and...

At first I thought that this was another blunder by the Telegram developers (and I still think so), then I found a decent temporary solution: touch up the Docker container by hand.

Later, some information caught my eye about the state dances of Roskomnadzor around "statistics":

“We have blocked some of the public proxies on our servers using the databases of the firehol project. This project monitors lists with public proxies and makes databases with them.

Since that moment (that is, almost two days already), not a single IP address of our Russian proxy has been blocked.

3. We tell you how to make a proxy that is almost invulnerable to Roskomnadzor and share a script for blocking public proxies.

- Update the MTProto proxy docker container (or daemon) to the latest version: RKN calculates old versions by the statistics port, which was bound to 0.0.0.0 and uniquely identified itself for the entire Internet. Better yet, open the necessary ports using iptables, and close the rest (remember that in the case of a docker container, you should use the FORWARD rule).

— Roskomnadzor learned how to dump traffic long ago: they see requests inside HTTP and SOCKS5 proxies, and they also see the old version of MTProto proxy obfuscation.

When clients of some providers who have such dumps installed access Telegram through such proxies, the RKN sees such requests and immediately blocks these proxies. The same goes for MTProto proxy with old obfuscation.

Solution: distribute the secret only with dd at the beginning to clients that connect to the proxy (no need to specify the additional letters dd in the settings of the mtproto proxy itself). This will enable a version of obfuscation that traffic dumpers cannot detect.

And no HTTP or SOCKS5 proxies.

- Adjustment, with the help of which each owner of a telegram proxy, who is regularly banned by the RKN, can completely (or almost completely) stop blocking (and at the same time make sure that the RKN is lying).

A script that bans public proxies and a small manual for it.

Source

Our proxy is pro-Western. I did not encounter any problems or blocks during the spring and the cool summer days, and the task did not appeal to me creatively either, so I did not lose pace and did not add the dd* prefix to the key.

The manual “getting statistics/monitoring” according to the official instructions of MtprotoProxyTelegram is not working/outdated, you will have to repair the docker image.

We fix it.

The container is still running:

$ docker stop mtproto-proxy # stop our running docker container and start a new one with the missing statistics flag

$ docker run --net=host --name=mtproto-proxy2 -d -p443:443 -v proxy-config:/data -e SECRET=your_previous_secret_hex telegrammessenger/proxy:latest

Let's check the statistics:

$ curl http://localhost:2398/stats

curl: (7) Failed to connect to 0.0.0.0 port 2398: Connection refused
Statistics are still unavailable!

Find out the ID of the docker container:

$ docker ps

CONTAINER ID   IMAGE                            COMMAND                  CREATED             STATUS              PORTS                  NAMES
f423c209cfdc   telegrammessenger/proxy:latest   "/bin/sh -c '/bin/ba…"   About an hour ago   Up About a minute   0.0.0.0:443->443/tcp   mtproto-proxy2

We go inside the docker container with our own rules:

$ sudo docker exec -it f423c209cfdc /bin/bash

$ apt-get update
$ apt-get install nano
$ nano run.sh

And in the very last line of the "run.sh" script, add the missing flag «--http-stats». The original line:

exec /usr/local/bin/mtproto-proxy -p 2398 -H 443 -M "$WORKERS" -C 60000 --aes-pwd /etc/telegram/hello-explorers-how-are-you-doing -u root $CONFIG --allow-skip-dh --nat-info "$INTERNAL_IP:$IP" $SECRET_CMD $TAG_CMD

Add "--http-stats", so that it looks something like this:

exec /usr/local/bin/mtproto-proxy -p 2398 --http-stats -H 443 -M "$WORKERS" -C 60000 --aes-pwd /etc/telegram/hello-explorers-how-are-you-doing -u root $CONFIG --allow-skip-dh --nat-info "$INTERNAL_IP:$IP" $SECRET_CMD $TAG_CMD

Ctrl+o/Ctrl+x/Ctrl+d (save/exit nano/exit container).

Restart our docker container:

$ docker restart mtproto-proxy2

That's it, now with the command:

$ curl http://localhost:2398/stats # we get voluminous statistics

There is a lot of “garbage” in the statistics (1/3 of it is on the screen), so create an alias:

$ echo "alias telega='curl localhost:2398/stats | grep -e total_special -e load_average_total'" >> ~/.bashrc && bash

We get what the docker container was polished for: the number of connections and the load:

$ telega

The Docker container is running, the statistics are spinning.
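
A check that follows from the advice quoted above about the statistics port being bound to 0.0.0.0 (an added example, not part of the original article or of the MTProxy project): it reads listener lines in `ss -Hltn` format and reports any listener on port 2398 that is not bound to loopback. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listeners on the MTProxy stats port that are reachable
# from outside the host. Input on stdin: lines in `ss -Hltn` format
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
# Live use on the proxy host:  ss -Hltn | check_stats_exposure

STATS_PORT=2398   # stats port from this article's run.sh (-p 2398)

# Prints "EXPOSED <addr:port>" per offending listener.
# Returns 1 if at least one listener is exposed, 0 otherwise.
check_stats_exposure() {
    awk -v port="$STATS_PORT" '
        {
            local_addr = $4                       # Local Address:Port column
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next            # some other port, ignore
            # Everything before the final ":port" is the bind address.
            host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            printf "EXPOSED %s\n", local_addr
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: stats port bound to all interfaces (the old behaviour
# described in the quoted advice).
SAMPLE_WILDCARD='LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2398 0.0.0.0:*'

# Constructed sample: stats port bound to loopback only.
SAMPLE_LOOPBACK='LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2398 0.0.0.0:*'

for sample in "$SAMPLE_WILDCARD" "$SAMPLE_LOOPBACK"; do
    if printf '%s\n' "$sample" | check_stats_exposure; then
        echo "ok: stats port is not reachable from other hosts"
    else
        echo "warning: close port $STATS_PORT in the firewall or rebind it"
    fi
done
```

On EC2 the Security Group that opens only port 443 is a second layer; the check above looks at what the host itself is listening on.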

Resources spent

As cool as you are Stuart Redman, even you leave a mark on your panties. A running Docker image leaves a big footprint.

It makes no sense to describe the advantages and disadvantages of docker images here. A docker container is a mini virtual machine that consumes fewer resources than a “real” virtual machine such as VirtualBox, but it still consumes them.

1) Whether the docker image is launched with or without statistics, whether two clients are connected or ten, resources are used about the same: 75% of the entire CPU performance of the t2.micro.

2) We look at the monitoring of the VPC server:

From the resource utilization graph on the VPC, we see that the docker container constantly consumes ~7.5% of the total max. CPU performance, and that on May 28 I stopped it intentionally and temporarily (note: OpenVPN and pptp are also running on the server).

Why is 10% constant CPU usage the limit for this server?

Because there are restrictions from Amazon EC2 and they are calculated in credits:

1 CPU credit = 1 CPU working at 100% load for one minute, and we have 6 credits (that is, at peaks, 100% CPU utilization is possible for 6 minutes, and then the CPU power will decrease). Other combinations: for example, 1 CPU credit = 1 CPU running at 50% load for two minutes (i.e. we can use the CPU at 50% load for 12 minutes), or, for example, a constant 10% CPU load the whole time, etc.

Conclusions

  • We are part of the "Digital Resistance". We provided our "fathers and mothers" with a reliable communication channel.
  • If you have MtprotoProxyTelegram and OpenVPN deployed on the server, but nothing more, there will be no delays / ping spikes / failures, but if you are constantly experimenting with your t2.micro, then expect the connection to slow down.
  • My overseas ping is ~100-250ms, there are no delays in voice communication.
  • Financial costs for all "this" (including VPC resources) = 0₽.

Reprint of your article.

UPD: Thanks to some Habr users for useful comments. Indeed, there may be better analogues of the official MTProto proxy Telegram docker image (are statistics supported?).

Source: habr.com
