This repository was archived by the owner on Feb 17, 2026. It is now read-only.
Distroless MTProto Proxy: Hardened image🚀
ammnt/MTProxy
🚀 Distroless MTProto Proxy: Hardened image

Production-ready, security-focused MTProto Proxy for Telegram with minimal attack surface.

Important

This is the official Telegram MTProto proxy, not third-party implementations. Fully compatible with all Telegram clients⚠️

Tip

Use TLS mode (-D flag) to make traffic indistinguishable from HTTPS - recommended for censored networks 💡

Important

UID/GID is set to 10480 - prevents conflicts with system users and follows security best practices⚠️

📦 Quick Start

Generate Secret Key and TLS secret (ee + random + domain in hex)

DOMAIN="cloudflare.com"
# Hex-encode the same domain that is passed to -D; -c 256 keeps the output on one line
DOMAIN_HEX=$(printf '%s' "$DOMAIN" | xxd -ps -c 256)
# 16 random bytes (32 hex characters) used as the proxy secret
RANDOM_HEX=$(head -c 16 /dev/urandom | xxd -ps)
EXTERNAL_IP=$(curl -s ifconfig.me)
INTERNAL_IP=172.17.0.2 # your container local IP

docker run -d \
  --name mtproxy \
  -p 443:3478 \
  -p 8888:8888 \
  ammnt/mtproxy:slim \
  --nat-info "$INTERNAL_IP:$EXTERNAL_IP" \
  -S "$RANDOM_HEX" \
  -D "$DOMAIN"

echo "Your secret key: ee${RANDOM_HEX}${DOMAIN_HEX}"
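The client secret layout used above (ee + random + domain in hex) can be built and checked before it is handed to users. The following is an added example, not part of this project; the function names are hypothetical, and it uses od instead of xxd so that long domains are never wrapped onto a second line.

```shell
#!/bin/sh
# Added example (not from the project): build and validate the client secret.
# Only the layout "ee + 16 random bytes + domain", all in hex, comes from the page.

# Hex-encode stdin on one line. `xxd -ps` wraps after 30 input bytes,
# which would put a newline inside the secret for longer domains.
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Decode an even-length hex string to bytes via octal escapes (POSIX printf).
from_hex() {
  h=$1
  while [ -n "$h" ]; do
    rest=${h#??}
    printf "\\$(printf '%03o' "0x${h%"$rest"}")"
    h=$rest
  done
}

# build_client_secret RANDOM_HEX DOMAIN -> prints ee<random><domain hex>
build_client_secret() {
  case $1 in *[!0-9a-fA-F]*) echo "random part is not hex" >&2; return 1 ;; esac
  [ "${#1}" -eq 32 ] || { echo "random part must be 32 hex chars" >&2; return 1; }
  [ -n "$2" ] || { echo "domain is empty" >&2; return 1; }
  printf 'ee%s%s\n' "$1" "$(printf '%s' "$2" | to_hex)"
}

# secret_domain SECRET -> prints the domain embedded in a client secret
secret_domain() {
  case $1 in
    ee*) body=${1#ee} ;;
    *) echo "missing ee prefix" >&2; return 1 ;;
  esac
  case $body in
    *[!0-9a-fA-F]*) echo "non-hex character (stray newline?)" >&2; return 1 ;;
  esac
  [ "${#body}" -gt 32 ] && [ $(( ${#body} % 2 )) -eq 0 ] ||
    { echo "bad length" >&2; return 1; }
  domain_hex=${body#????????????????????????????????}  # drop the 32-char random part
  from_hex "$domain_hex"; echo
}
```

Comparing the output of `secret_domain` with the value given to -D catches the case where the hex suffix and the proxy's domain have drifted apart.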

🔧 Advanced Configuration

Docker Compose (recommended example configuration)

services:
  mtproxy:
    image: ammnt/mtproxy:slim
    container_name: mtproxy
    restart: unless-stopped
    ports:
      - "443:3478"
      - "8888:8888"
    command:
      - "--nat-info"
      - "172.17.0.2:${EXTERNAL_IP}"
      - "-S"
      - "${RANDOM_HEX}"
      - "-D"
      - "${DOMAIN}"
    environment:
      - EXTERNAL_IP=${EXTERNAL_IP}
      - RANDOM_HEX=${RANDOM_HEX}
      - DOMAIN=${DOMAIN}

🎯 Running Docker in rootless mode is recommended:

https://docs.docker.com/engine/security/rootless/

🔥 Why Choose This Image?

Hardened Security

  • Distroless base - built from scratch with zero bloat, no shell, no package manager
  • Minimal attack surface - only the binary and shared libraries in the final image
  • Rootless by design - runs as non-root user mtproxy (UID/GID 10480)
  • CIS Docker Benchmark - follows industry security best practices
  • Stripped symbols - no debugging information in production
  • UPX compressed - minimal memory footprint with fast decompression
  • Pinned dependencies - exact versions for all build packages
  • Minimal layers - optimized Docker layer caching
  • Efficient logging - direct to stdout for container integration
  • Graceful shutdown - SIGQUIT handling for connection draining
  • Comprehensive labels - full OCI metadata compliance

🤝 Contributing & Support

Found an issue or have an improvement?

📄 License

This project is open source and maintained with ❤️ by ammnt

Based on the official Telegram MTProxy under GPLv2 license.
