Deprecation of dc-overrides
Telegram now has a somewhat better way of exposing CDN DCs: they can be extracted from a public list, so this setting is no longer relevant. There was never a good way of obtaining those IPs anyway.
So, if you have this setting in your config:
```toml
# Telegram uses different DCs for different purposes. Unfortunately, most of
# the DCs are not public and depend on the location of the current user, so
# mtg cannot know upfront about all of them and how to access them. It has
# a default list of DCs, including some CDN IPs, but it is possible that some
# of them do not work for you. In this case, you can override them here.
[[dc-overrides]]
dc = 101
ips = ["127.0.0.1:443"]
```

you can delete it. It is ignored. There is now a more robust way of doing that, via autoupdates.
Rework of domain fronting configuration
Before this release, mtg used the following configuration for domain fronting:

```toml
# FakeTLS uses domain fronting protection. So it needs to know a port to
# access.
domain-fronting-port = 443
```

Now there is a dedicated section for that:
```toml
# This section is relevant to communication with the fronting domain. Usually
# you do not need to set up anything here, but there are plenty of cases,
# especially if you put mtg behind a load balancer, when some specific
# configuration is required.
[domain-fronting]
# By default, mtg resolves the fronting hostname (from the secret) via DNS
# to establish a TCP connection. If DNS resolution of that hostname is blocked,
# you can specify an IP address to connect to directly. The hostname is still
# used for SNI in the TLS handshake.
#
# Default value is not set (DNS resolution is used).
ip = "10.10.10.11"
# FakeTLS uses domain fronting protection. So it needs to know a port to
# access. Default value is 443.
port = 443
# This makes the communication between the fronting website and mtg use the
# proxy protocol.
proxy-protocol = false
```

All keys are optional.
domain-fronting.port
This is literally the same as the domain-fronting-port setting. The old way still works but is deprecated, so your configs will keep working. The new setting has higher priority than the old one.
domain-fronting.ip
Imagine you have a website placed behind a load balancer, and you put mtg there as well. If a Telegram request arrives, mtg serves it; otherwise mtg should reroute it to the real backend. But if you configure only a domain, mtg would end up connecting to mtg again, and you can get a loop. This setting forces mtg to use the given IP as the domain fronting IP, which makes the routing more sensible.
domain-fronting.proxy-protocol
Same as above: if you have a chain of services that pass requests to each other, it makes sense to see the real client IPs in the logs. The proxy protocol allows that. If you set this setting to true, mtg starts talking to the upstream using the proxy protocol instead of a plain TCP connection.
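The precedence and deprecation rules described above (the `[domain-fronting]` table wins over the deprecated top-level `domain-fronting-port`, `dc-overrides` is ignored, port defaults to 443, `ip` is optional), as an added Go example that is not mtg's own code; the `RawConfig` struct and `Resolve` function are hypothetical names written for this illustration, with the sample values constructed inline.

```go
package main

import (
	"fmt"
	"net"
)

// DomainFronting is the effective configuration after the precedence rules.
type DomainFronting struct {
	IP            string // empty means "resolve the fronting hostname via DNS"
	Port          int
	ProxyProtocol bool
}

// RawConfig mirrors the TOML keys as they appear in the file; nil pointers
// model "key absent". Hypothetical struct for this example, not mtg's type.
type RawConfig struct {
	DomainFrontingPort *int   // deprecated top-level domain-fronting-port
	DFIp               string // domain-fronting.ip
	DFPort             *int   // domain-fronting.port
	DFProxyProtocol    bool   // domain-fronting.proxy-protocol
	DCOverrideCount    int    // number of [[dc-overrides]] entries present
}

// Resolve applies defaults and precedence, collecting deprecation warnings
// for keys the release notes say are deprecated or ignored.
func Resolve(raw RawConfig) (DomainFronting, []string, error) {
	var warnings []string
	eff := DomainFronting{IP: raw.DFIp, Port: 443, ProxyProtocol: raw.DFProxyProtocol}
	if raw.DCOverrideCount > 0 {
		warnings = append(warnings, "dc-overrides is ignored: CDN DCs are fetched from Telegram's public list")
	}
	if raw.DomainFrontingPort != nil { // old key still honoured, but deprecated
		warnings = append(warnings, "domain-fronting-port is deprecated, use domain-fronting.port")
		eff.Port = *raw.DomainFrontingPort
	}
	if raw.DFPort != nil { // new key has higher priority than the old one
		eff.Port = *raw.DFPort
	}
	if eff.Port < 1 || eff.Port > 65535 {
		return eff, warnings, fmt.Errorf("domain-fronting port %d out of range", eff.Port)
	}
	if eff.IP != "" && net.ParseIP(eff.IP) == nil {
		return eff, warnings, fmt.Errorf("domain-fronting.ip %q is not an IP address", eff.IP)
	}
	return eff, warnings, nil
}

func main() {
	oldPort, newPort := 8443, 443 // constructed: both old and new keys present
	eff, warns, err := Resolve(RawConfig{DomainFrontingPort: &oldPort, DFPort: &newPort, DCOverrideCount: 1})
	fmt.Println(eff, warns, err) // Port is 443: the new key wins, two warnings emitted
}
```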
What's Changed
- Add domain-fronting-ip option by @ivulit in #334
- Check for vulnerabilities by @9seconds in #337
- Fetch DC203 from Telegram by @9seconds in #336
- Add support for domain fronting proxy protocol by @9seconds in #338
- Domain fronting config grouping by @9seconds in #339
Full Changelog: v2.1.10...v2.1.11