fix typos

better handling for server-side socket closing in connection pool
fix small bugs
2026-03-14 07:13:09 +00:00 · 2026-02-18 00:04:07 +05:00 · 2026-02-17 21:14:42 +05:00 · 2026-02-10 16:49:20 +05:00 · 2025-11-18 04:27:47 +05:00 · 2025-11-18 03:46:19 +05:00
3 changed files with 90 additions and 41 deletions
--- a/14
+++ b/14
@@ -1,16 +1,14 @@
-FROM python:3.8-slim-buster
+FROM ubuntu:24.04

-RUN apt-get update && apt-get install -y libcap2-bin && rm -rf /var/lib/apt/lists/*
-RUN setcap cap_net_bind_service=+ep /usr/local/bin/python3.8
-
-RUN pip3 --no-cache-dir install cryptography uvloop
-
-COPY mtprotoproxy.py config.py /home/tgproxy/
+RUN apt-get update && apt-get install --no-install-recommends -y python3 python3-uvloop python3-cryptography python3-socks libcap2-bin ca-certificates && rm -rf /var/lib/apt/lists/*
+RUN setcap cap_net_bind_service=+ep /usr/bin/python3.12

 RUN useradd tgproxy -u 10000
-RUN chown -R tgproxy:tgproxy /home/tgproxy

 USER tgproxy

 WORKDIR /home/tgproxy/
+
+COPY --chown=tgproxy mtprotoproxy.py config.py /home/tgproxy/
+
 CMD ["python3", "mtprotoproxy.py"]
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,4 +7,10 @@ services:
    volumes:
        - ./config.py:/home/tgproxy/config.py
        - ./mtprotoproxy.py:/home/tgproxy/mtprotoproxy.py
+        - /etc/localtime:/etc/localtime:ro
+    logging:
+        driver: "json-file"
+        options:
+            max-file: "10"
+            max-size: "10m"
 #    mem_limit: 1024m
--- a/mtprotoproxy.py
+++ b/mtprotoproxy.py
@@ -36,10 +36,10 @@ TG_DATACENTERS_V6 = [
 # This list will be updated in the runtime
 TG_MIDDLE_PROXIES_V4 = {
    1: [("149.154.175.50", 8888)], -1: [("149.154.175.50", 8888)],
-    2: [("149.154.162.38", 80)], -2: [("149.154.162.38", 80)],
+    2: [("149.154.161.144", 8888)], -2: [("149.154.161.144", 8888)],
    3: [("149.154.175.100", 8888)], -3: [("149.154.175.100", 8888)],
    4: [("91.108.4.136", 8888)], -4: [("149.154.165.109", 8888)],
-    5: [("91.108.56.181", 8888)], -5: [("91.108.56.181", 8888)]
+    5: [("91.108.56.183", 8888)], -5: [("91.108.56.183", 8888)]
 }

 TG_MIDDLE_PROXIES_V6 = {
@@ -47,7 +47,7 @@ TG_MIDDLE_PROXIES_V6 = {
    2: [("2001:67c:04e8:f002::d", 80)], -2: [("2001:67c:04e8:f002::d", 80)],
    3: [("2001:b28:f23d:f003::d", 8888)], -3: [("2001:b28:f23d:f003::d", 8888)],
    4: [("2001:67c:04e8:f004::d", 8888)], -4: [("2001:67c:04e8:f004::d", 8888)],
-    5: [("2001:b28:f23f:f005::d", 8888)], -5: [("2001:67c:04e8:f004::d", 8888)]
+    5: [("2001:b28:f23f:f005::d", 8888)], -5: [("2001:b28:f23f:f005::d", 8888)]
 }

 PROXY_SECRET = bytes.fromhex(
@@ -62,7 +62,6 @@ PREKEY_LEN = 32
 KEY_LEN = 32
 IV_LEN = 16
 HANDSHAKE_LEN = 64
-TLS_HANDSHAKE_LEN = 1 + 2 + 2 + 512
 PROTO_TAG_POS = 56
 DC_IDX_POS = 60

@@ -140,10 +139,10 @@ def init_config():
    # use middle proxy, necessary to show ad
    conf_dict.setdefault("USE_MIDDLE_PROXY", len(conf_dict["AD_TAG"]) == 16)

-    # if IPv6 avaliable, use it by default
+    # if IPv6 available, use it by default
    conf_dict.setdefault("PREFER_IPV6", socket.has_ipv6)

-    # disables tg->client trafic reencryption, faster but less secure
+    # disables tg->client traffic reencryption, faster but less secure
    conf_dict.setdefault("FAST_MODE", True)

    # enables some working modes
@@ -196,6 +195,9 @@ def init_config():
    # the next host to forward bad clients
    conf_dict.setdefault("MASK_HOST", conf_dict["TLS_DOMAIN"])

+    # set the home domain for the proxy, has an influence only on the log message
+    conf_dict.setdefault("MY_DOMAIN", False)
+
    # the next host's port to forward bad clients
    conf_dict.setdefault("MASK_PORT", 443)

@@ -481,7 +483,7 @@ myrandom = MyRandom()


 class TgConnectionPool:
-    MAX_CONNS_IN_POOL = 64
+    MAX_CONNS_IN_POOL = 16

    def __init__(self):
        self.pools = {}
@@ -498,6 +500,16 @@ class TgConnectionPool:
                                          timeout=config.TG_CONNECT_TIMEOUT)
        return reader_tgt, writer_tgt

+    def is_conn_dead(self, reader, writer):
+        if writer.transport.is_closing():
+            return True
+        raw_reader = reader
+        while hasattr(raw_reader, 'upstream'):
+            raw_reader = raw_reader.upstream
+        if raw_reader.at_eof():
+            return True
+        return False
+
    def register_host_port(self, host, port, init_func):
        if (host, port, init_func) not in self.pools:
            self.pools[(host, port, init_func)] = []
@@ -510,15 +522,16 @@ class TgConnectionPool:
        self.register_host_port(host, port, init_func)

        ret = None
-        for task in self.pools[(host, port, init_func)][::]:
+        for task in self.pools[(host, port, init_func)][:]:
            if task.done():
                if task.exception():
                    self.pools[(host, port, init_func)].remove(task)
                    continue

                reader, writer, *other = task.result()
-                if writer.transport.is_closing():
+                if self.is_conn_dead(reader, writer):
                    self.pools[(host, port, init_func)].remove(task)
+                    writer.transport.abort()
                    continue

                if not ret:
@@ -655,7 +668,7 @@ class CryptoWrappedStreamReader(LayeredStreamReaderBase):

            needed_till_full_block = -len(data) % self.block_size
            if needed_till_full_block > 0:
-                data += self.upstream.readexactly(needed_till_full_block)
+                data += await self.upstream.readexactly(needed_till_full_block)
            return self.decryptor.decrypt(data)

    async def readexactly(self, n):
@@ -776,7 +789,7 @@ class MTProtoCompactFrameStreamWriter(LayeredStreamWriterBase):

    def write(self, data, extra={}):
        SMALL_PKT_BORDER = 0x7f
-        LARGE_PKT_BORGER = 256 ** 3
+        LARGE_PKT_BORDER = 256 ** 3

        if len(data) % 4 != 0:
            print_err("BUG: MTProtoFrameStreamWriter attempted to send msg with len", len(data))
@@ -789,7 +802,7 @@ class MTProtoCompactFrameStreamWriter(LayeredStreamWriterBase):

        if len_div_four < SMALL_PKT_BORDER:
            return self.upstream.write(bytes([len_div_four]) + data)
-        elif len_div_four < LARGE_PKT_BORGER:
+        elif len_div_four < LARGE_PKT_BORDER:
            return self.upstream.write(b'\x7f' + int.to_bytes(len_div_four, 3, 'little') + data)
        else:
            print_err("Attempted to send too large pkt len =", len(data))
@@ -865,6 +878,7 @@ class ProxyReqStreamReader(LayeredStreamReaderBase):
        RPC_PROXY_ANS = b"\x0d\xda\x03\x44"
        RPC_CLOSE_EXT = b"\xa2\x34\xb6\x5e"
        RPC_SIMPLE_ACK = b"\x9b\x40\xac\x3b"
+        RPC_UNKNOWN = b'\xdf\xa2\x30\x57'

        data = await self.upstream.read(1)

@@ -883,8 +897,11 @@ class ProxyReqStreamReader(LayeredStreamReaderBase):
            conn_id, confirm = data[4:12], data[12:16]
            return confirm, {"SIMPLE_ACK": True}

+        if ans_type == RPC_UNKNOWN:
+            return b"", {"SKIP_SEND": True}
+
        print_err("unknown rpc ans type:", ans_type)
-        return b""
+        return b"", {"SKIP_SEND": True}


 class ProxyReqStreamWriter(LayeredStreamWriterBase):
@@ -1229,7 +1246,7 @@ async def handle_handshake(reader, writer):
    global last_client_ips
    global last_clients_with_same_handshake

-    TLS_START_BYTES = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
+    TLS_START_BYTES = b"\x16\x03\x01"

    if writer.transport.is_closing() or writer.get_extra_info("peername") is None:
        return False
@@ -1255,7 +1272,13 @@ async def handle_handshake(reader, writer):
            break

    if is_tls_handshake:
-        handshake += await reader.readexactly(TLS_HANDSHAKE_LEN - len(handshake))
+        handshake += await reader.readexactly(2)
+        tls_handshake_len = int.from_bytes(handshake[-2:], "big")
+        if tls_handshake_len < 512:
+            is_tls_handshake = False
+
+    if is_tls_handshake:
+        handshake += await reader.readexactly(tls_handshake_len)
        tls_handshake_result = await handle_fake_tls_handshake(handshake, reader, writer, peer)

        if not tls_handshake_result:
@@ -1352,7 +1375,7 @@ async def do_direct_handshake(proto_tag, dc_idx, dec_key_and_iv=None):
        print_err("Got connection refused while trying to connect to", dc, TG_DATACENTER_PORT)
        return False
    except ConnectionAbortedError as E:
-        print_err("The Telegram server connection is bad: %d (%s %s) %s" % (dc_idx, addr, port, E))
+        print_err("The Telegram server connection is bad: %d (%s %s) %s" % (dc_idx, dc, TG_DATACENTER_PORT, E))
        return False
    except (OSError, asyncio.TimeoutError) as E:
        print_err("Unable to connect to", dc, TG_DATACENTER_PORT)
@@ -1567,6 +1590,9 @@ async def tg_connect_reader_to_writer(rd, wr, user, rd_buf_size, is_upstream):
            else:
                extra = {}

+            if extra.get("SKIP_SEND"):
+                continue
+
            if not data:
                wr.write_eof()
                await wr.drain()
@@ -1722,6 +1748,7 @@ def make_metrics_pkt(metrics):

    pkt_header_list = []
    pkt_header_list.append("HTTP/1.1 200 OK")
+    pkt_header_list.append("Connection: close")
    pkt_header_list.append("Content-Length: %d" % len(pkt_body))
    pkt_header_list.append("Content-Type: text/plain; version=0.0.4; charset=utf-8")
    pkt_header_list.append("Date: %s" % time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime()))
@@ -1914,6 +1941,16 @@ async def get_encrypted_cert(host, port, server_name):
    if record3_type != 23:
        return b""

+    if len(record3) < MIN_CERT_LEN:
+        record4_type, record4 = await get_tls_record(reader)
+        if record4_type != 23:
+            return b""
+        msg = ("The MASK_HOST %s sent some TLS record before certificate record, this makes the " +
+               "proxy more detectable") % config.MASK_HOST
+        print_err(msg)
+
+        return record4
+
    return record3


@@ -1974,7 +2011,7 @@ async def get_srv_time():
                    continue
                line = line[len("Date: "):].decode()
                srv_time = datetime.datetime.strptime(line, "%a, %d %b %Y %H:%M:%S %Z")
-                now_time = datetime.datetime.utcnow()
+                now_time = datetime.datetime.now(datetime.timezone.utc)
                is_time_skewed = (now_time-srv_time).total_seconds() > MAX_TIME_SKEW
                if is_time_skewed and config.USE_MIDDLE_PROXY and not disable_middle_proxy:
                    print_err("Time skew detected, please set the clock")
@@ -2082,6 +2119,10 @@ def init_ip_info():
    my_ip_info["ipv4"] = get_ip_from_url(IPV4_URL1) or get_ip_from_url(IPV4_URL2)
    my_ip_info["ipv6"] = get_ip_from_url(IPV6_URL1) or get_ip_from_url(IPV6_URL2)

+    # the server can return ipv4 address instead of ipv6
+    if my_ip_info["ipv6"] and ":" not in my_ip_info["ipv6"]:
+        my_ip_info["ipv6"] = None
+
    if my_ip_info["ipv6"] and (config.PREFER_IPV6 or not my_ip_info["ipv4"]):
        print_err("IPv6 found, using it for external communication")

@@ -2103,9 +2144,12 @@ def print_tg_info():
            print("Since you have TLS only mode enabled the best port is 443", flush=True)
        print_default_warning = True

-    ip_addrs = [ip for ip in my_ip_info.values() if ip]
-    if not ip_addrs:
-        ip_addrs = ["YOUR_IP"]
+    if not config.MY_DOMAIN:
+        ip_addrs = [ip for ip in my_ip_info.values() if ip]
+        if not ip_addrs:
+            ip_addrs = ["YOUR_IP"]
+    else:
+        ip_addrs = [config.MY_DOMAIN]

    proxy_links = []

@@ -2113,15 +2157,15 @@ def print_tg_info():
        for ip in ip_addrs:
            if config.MODES["classic"]:
                params = {"server": ip, "port": config.PORT, "secret": secret}
-                params_encodeded = urllib.parse.urlencode(params, safe=':')
-                classic_link = "tg://proxy?{}".format(params_encodeded)
+                params_encoded = urllib.parse.urlencode(params, safe=':')
+                classic_link = "tg://proxy?{}".format(params_encoded)
                proxy_links.append({"user": user, "link": classic_link})
                print("{}: {}".format(user, classic_link), flush=True)

            if config.MODES["secure"]:
                params = {"server": ip, "port": config.PORT, "secret": "dd" + secret}
-                params_encodeded = urllib.parse.urlencode(params, safe=':')
-                dd_link = "tg://proxy?{}".format(params_encodeded)
+                params_encoded = urllib.parse.urlencode(params, safe=':')
+                dd_link = "tg://proxy?{}".format(params_encoded)
                proxy_links.append({"user": user, "link": dd_link})
                print("{}: {}".format(user, dd_link), flush=True)

@@ -2131,8 +2175,8 @@ def print_tg_info():
                # tls_secret = bytes.fromhex("ee" + secret) + config.TLS_DOMAIN.encode()
                # tls_secret_base64 = base64.urlsafe_b64encode(tls_secret)
                params = {"server": ip, "port": config.PORT, "secret": tls_secret}
-                params_encodeded = urllib.parse.urlencode(params, safe=':')
-                tls_link = "tg://proxy?{}".format(params_encodeded)
+                params_encoded = urllib.parse.urlencode(params, safe=':')
+                tls_link = "tg://proxy?{}".format(params_encoded)
                proxy_links.append({"user": user, "link": tls_link})
                print("{}: {}".format(user, tls_link), flush=True)

@@ -2276,21 +2320,21 @@ def create_servers(loop):
 def create_utilitary_tasks(loop):
    tasks = []

-    stats_printer_task = asyncio.Task(stats_printer())
+    stats_printer_task = asyncio.Task(stats_printer(), loop=loop)
    tasks.append(stats_printer_task)

    if config.USE_MIDDLE_PROXY:
-        middle_proxy_updater_task = asyncio.Task(update_middle_proxy_info())
+        middle_proxy_updater_task = asyncio.Task(update_middle_proxy_info(), loop=loop)
        tasks.append(middle_proxy_updater_task)

        if config.GET_TIME_PERIOD:
-            time_get_task = asyncio.Task(get_srv_time())
+            time_get_task = asyncio.Task(get_srv_time(), loop=loop)
            tasks.append(time_get_task)

-    get_cert_len_task = asyncio.Task(get_mask_host_cert_len())
+    get_cert_len_task = asyncio.Task(get_mask_host_cert_len(), loop=loop)
    tasks.append(get_cert_len_task)

-    clear_resolving_cache_task = asyncio.Task(clear_ip_resolving_cache())
+    clear_resolving_cache_task = asyncio.Task(clear_ip_resolving_cache(), loop=loop)
    tasks.append(clear_resolving_cache_task)

    return tasks
@@ -2312,9 +2356,10 @@ def main():

    if sys.platform == "win32":
        loop = asyncio.ProactorEventLoop()
-        asyncio.set_event_loop(loop)
+    else:
+        loop = asyncio.new_event_loop()

-    loop = asyncio.get_event_loop()
+    asyncio.set_event_loop(loop)
    loop.set_exception_handler(loop_exception_handler)

    utilitary_tasks = create_utilitary_tasks(loop)
Author	SHA1	Message	Date
Alexander Bersenev	1f7ce9e977	fix typos	2026-02-18 00:04:07 +05:00
Alexander Bersenev	8920faf650	better handling for server-side socket closing in connection pool	2026-02-17 21:14:42 +05:00
Alexander Bersenev	34f743858c	fix small bugs	2026-02-10 16:49:20 +05:00
Alexander Bersenev	375fee1535	update default proxy addresses	2025-11-18 04:27:47 +05:00
Alexander Bersenev	e0ea17978c	update client hello handling for newer tg clients	2025-11-18 03:46:19 +05:00
Rustam @SecondFry Gubaydullin	8bb885ada5	Upgrade base image to Ubuntu 24.04 and Python version	2025-11-13 14:09:38 +05:00
Alexander Bersenev	bc841cff48	change middle proxy default port from 80 to 8888	2024-11-12 01:08:57 +05:00
Alexander Bersenev	c89479000f	change ip of default second middle proxy server, it was updated on the telegram side	2024-09-21 02:51:18 +05:00
Viacheslav Komarov	74711c4212	Hotfix, Change ubuntu version to 22.04 LTS in Dockerfile (#296 )	2023-10-30 18:49:14 +05:00
Alexander Bersenev	51b2482dec	support domains which send several tls records, but print warning	2023-02-27 00:40:25 +05:00
Alexander Bersenev	87f4370927	update ubuntu version in docker	2023-02-20 14:45:21 +05:00
Alexander Bersenev	a978eae922	ignore all new rpc calls instead of closing connection	2023-02-20 14:37:16 +05:00
Alexander Bersenev	88c8c57a44	add handling of some unknown new rpc	2023-02-17 20:16:52 +05:00
Alexander Bersenev	446682521b	use newer Ubuntu and Python in Dockerfile	2022-05-09 00:05:24 +05:00
Alexander Bersenev	b26873176a	compat with python3.10	2022-05-09 00:00:14 +05:00
Alexander Bersenev	6e8e8b63b2	add check if returned ipv6 address is correct	2021-03-02 17:04:54 +05:00
AlisonTNT	3b4f239cc1	Add Pysocks in Dockerfile (#239 ) It's necessary if using upstream SOCKS5 proxy.	2020-09-29 18:29:49 +05:00
Erfan	0283d6264a	set the home domain instead of IP (#231 ) * set the home domain set the home domain for the proxy, has an influence only on the log message * fixed a bug	2020-08-09 13:51:43 +05:00
Erfan	15a8f607ca	added ability to load time from local time set on original server (#230 ) using this command the local time setting will be pushed to docker as a read-only file so you can use your local time	2020-06-20 15:59:25 +05:00
Alexander Bersenev	6076db9f8c	add certificates to Dockerfile	2020-06-17 15:45:47 +05:00
Alexander Bersenev	6560a6c1d2	use new ubuntu 20.04 as base image	2020-04-28 16:20:33 +05:00
Peter Dave Hello	24479e68ab	Add `--no-install-recommends` to `apt-get` in Dockerfile (#221 ) Prevent to install unnecessary recommended packages, make it lighter.	2020-04-28 15:25:38 +05:00
Peter Dave Hello	6ecf0ec9ac	Refactor Dockerfile with less layer and improved layer cache (#220 )	2020-04-27 17:22:57 +05:00
Allineer	18a80e52cd	metrics: broken pipe fix (#210 ) I think, this fixes my issue #208.	2020-03-29 22:18:33 +05:00
Alexander Bersenev	ea3b8a44c3	restrict the logs size with 100MB	2020-03-17 03:11:13 +05:00