CERBERUS/mtproto_proxy
1
0
Fork 0
mirror of https://github.com/seriyps/mtproto_proxy.git synced 2026-05-13 16:57:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
mtproto_proxy/config/vm.args.front.example
Sergey Prokhorov 121d8b7413
docs: split-mode setup guide, architecture diagrams, cert script, build 
README:
- New 'Split-mode setup' section: motivation, firewall rules, step-by-step
  instructions for both VPN tunnel and TLS distribution options
- Split-mode bullet added to Features list
- Notes on DPI-resistant tunnels (Shadowsocks, VLESS/XRay, Hysteria2) for
  Russian deployment; standard VPN protocols (WireGuard, OpenVPN) may be blocked
- Install instructions updated to use `make init-config` (copies templates,
  auto-detects public IP) instead of manual cp; ROLE= documented throughout
- Split-mode Step 4 uses `make ROLE=back/front` so template-change detection
  works correctly after `git pull`

Makefile:
- ROLE ?= both variable selects config templates (both/front/back)
- Config prereq rules use $(SYS_CONFIG_SRC) / $(VM_ARGS_SRC) based on ROLE
- New `init-config` target: force-copies templates, auto-detects public IP,
  prints edit reminder; replaces manual cp in install workflow

scripts/gen_dist_certs.sh:
- Two-step workflow: `init <dir>` on back server (CA + back cert),
  `add-node <dir> <name>` per front server (cert signed by existing CA)
- Generates per-node ssl_dist.<name>.conf with paths substituted (no
  NODE_NAME placeholder to edit manually)
- ssl_dist.<name>.conf is now used directly (no rename to ssl_dist.conf);
  vm.args examples and README updated to match

config/vm.args.{front,back}.example:
- -ssl_dist_optfile points to role-specific filename (ssl_dist.front.conf /
  ssl_dist.back.conf) so cert files can be copied as-is without renaming

AGENTS.md:
- Role-overview Mermaid flowchart showing front/back/both process split
- Data-plane section replaced with links to doc/ (no duplication)
- Supervision tree, key interactions, split-mode config keys updated

doc/handler-downstream-flow.md, doc/migration-flow.md:
- Mermaid box grouping to visually separate FRONT and BACK node participants
- erpc:call reference corrected (was rpc:call)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-12 00:34:45 +02:00

45 lines
1.9 KiB
Text
Raw Permalink Blame History

## vm.args for the FRONT node (domestic server — accepts client connections).
##
## Replace 10.0.0.1 with the actual IP address of this (front) server.
-name front@10.0.0.1
## Cookie must be identical on both front and back nodes.
## Generate with: openssl rand -hex 32
-setcookie mtproto-proxy-cookie
## Essential for >500 connections
+K true
+A 2
+SDio 2
## -----------------------------------------------------------------------
## Inter-server link security
##
## The front and back nodes communicate over Erlang distribution.
## You MUST protect this link — it allows arbitrary code execution.
## Choose ONE of the following options:
##
## Option A: Censorship-resistant tunnel (recommended if front is in Russia)
## - Russia blocks WireGuard and OpenVPN by DPI. Use a tunnel that blends
## in with normal traffic: Shadowsocks, VLESS/XRay, Hysteria2, etc.
## - Set up the tunnel between front and back servers and use the tunnel
## interface IP in -name above (e.g., front@10.8.0.1).
## - No extra Erlang config needed once the tunnel is up.
## - If front is NOT in a censored region, WireGuard/IPsec work fine too.
##
## Option B: TLS distribution (no tunnel required)
## - On back server: `scripts/gen_dist_certs.sh init /etc/mtproto-proxy/dist`
## - Run per front: `scripts/gen_dist_certs.sh add-node /etc/mtproto-proxy/dist front`
## - Place ca.pem, front.pem, front.key in /etc/mtproto-proxy/dist/ here.
## - Place ssl_dist.front.conf in /etc/mtproto-proxy/dist/ on the front server.
## - Uncomment the lines below:
##
# -proto_dist inet_tls
# -ssl_dist_optfile /etc/mtproto-proxy/dist/ssl_dist.front.conf
##
## Firewall: allow TCP on the distribution port (9199 below) only between
## the front and back servers, never to the public internet.
##
# -kernel inet_dist_listen_min 9199
# -kernel inet_dist_listen_max 9199
## -----------------------------------------------------------------------
Reference in a new issue View git blame Copy permalink