# TeleGO Configuration Example
# Copy this file to config.toml and customize
# General settings
[general]
# Network binding address
# TCP: "0.0.0.0:443" or "tcp://0.0.0.0:443"
# Unix socket: "/run/telego/telego.sock" or "unix:///run/telego/telego.sock"
# "0.0.0.0" listens on every IPv4 interface. When a front proxy sits in
# front of TeleGO, bind to a loopback/private address or a Unix socket so
# clients cannot bypass the proxy and reach this listener directly.
bind-to = "0.0.0.0:443"

# Log level: trace, debug, info, warn, error
# NOTE(review): trace/debug output may include client addresses or other
# connection details - confirm what is logged before using it in production.
log-level = "info"

# Accept incoming PROXY protocol headers (from HAProxy/nginx)
# When enabled, parses PROXY protocol v1/v2 to get real client IP
# A PROXY header is supplied by the connecting peer and is not authenticated.
# Enable this only when every connection reaching bind-to comes from a proxy
# you control; otherwise any client can claim an arbitrary source IP, and the
# per-IP limits below (which presumably key on that address) stop being
# meaningful.
# proxy-protocol = false

# Maximum connections per IP (0 = unlimited)
# Applies to ALL connections (including unauthenticated) from a single IP.
# Protects against connection floods from scanners/probes.
# Setting 0 removes this protection. Behind a front proxy without
# proxy-protocol, all clients presumably share the proxy's address and
# therefore share this one budget - verify before choosing a value.
# max-connections-per-ip = 100

# Max time to complete handshake before closing (default: 5s)
# Connections that don't authenticate within this time are dropped.
# A short value bounds how long an unauthenticated peer can hold a slot open.
# handshake-timeout = "5s"

# Maximum unique IP addresses per user/secret (0 = unlimited)
# When exceeded, oldest IP is evicted and blocked. Protects against secret sharing.
# Users whose address changes often (mobile networks, shared NAT) can hit
# this limit legitimately; size it together with ip-block-timeout.
# max-ips-per-user = 3

# How long evicted IPs stay blocked (refreshes on connection attempts)
# Because the timer refreshes on each attempt, a client that keeps retrying
# stays blocked for as long as it retries.
# ip-block-timeout = "5m"
# Named secrets (32 hex characters = 16 bytes)
# Generate with: telego generate <hostname>
# The values below are published placeholders: replace them with freshly
# generated secrets before running. A secret is what a client authenticates
# with, so keep config.toml out of version control and readable only by the
# account that runs telego (for example mode 0600).
[secrets]
user1 = "0123456789abcdef0123456789abcdef"
# user2 = "fedcba9876543210fedcba9876543210"
# TLS fronting configuration
[tls-fronting]
# Host to mimic - used for certificate fetching and SNI validation
# Must match the hostname in your secret
mask-host = "www.google.com"

# Port for mask-host (optional, default: 443)
# mask-port = 443

# Where to fetch TLS certificate from (optional)
# Defaults to mask-host:mask-port if not set
# Useful when running behind a front proxy (e.g., Xray) and you need
# to fetch certs from a local nginx instance directly
# cert-host = "127.0.0.1"
# cert-port = 8443

# Where to forward unrecognized/invalid clients (optional)
# Useful for forwarding probes to a local decoy server
# Defaults to mask-host:mask-port if not set
# With the default, unrecognized connections are relayed from this server's
# address to mask-host, a third party; point this at a decoy you operate if
# that outbound traffic is not acceptable.
# splice-host = "127.0.0.1"
# splice-port = 8080

# Send PROXY protocol header to splice target (optional)
# Allows backend (nginx/haproxy) to see real client IP
# 0 = off (default), 1 = v1 (text), 2 = v2 (binary)
# Enable only for a splice target you operate and have configured to expect
# PROXY protocol; sent to the default mask-host target it would presumably
# disclose client addresses to that host and break the relayed handshake.
# splice-proxy-protocol = 1

# Idle timeout for spliced (unrecognized) connections (default: 30s)
# Shorter than authenticated connections since these are just decoy traffic.
# splice-idle-timeout = "30s"
# Performance tuning (all optional)
[performance]
# IP preference for DC connections: prefer-ipv4, prefer-ipv6, only-ipv4, only-ipv6
prefer-ip = "prefer-ipv4"

# Connection idle timeout
# Compare with splice-idle-timeout in [tls-fronting], which covers
# unrecognized connections and defaults to a shorter 30s.
idle-timeout = "5m"

# Number of event loops (0 = auto, uses all CPU cores)
num-event-loops = 0

# Max pending write bytes per connection before closing slow client (MB)
# Prevents memory exhaustion when clients are slow to receive data
# 0 = 4MB default, which allows ~4MB buffered data per connection
# The cap is per connection, so worst-case buffered memory grows roughly with
# this value times the number of concurrent slow connections; size it with
# the connection limits in [general] in mind.
# max-write-buffer-mb = 4
# Upstream (DC connection) settings
[upstream]
# SOCKS5 proxy for Telegram DC connections
# Useful for routing through VPN/tunnel (e.g., Hysteria2, VLESS)
# SOCKS5 itself adds no encryption or integrity protection; keep the proxy on
# loopback or a link you trust. The example shows no credentials.
# NOTE(review): confirm whether proxy authentication is supported.
# socks5 = "127.0.0.1:1080"
# Prometheus metrics endpoint (optional)
[metrics]
# Address to bind metrics server (empty = disabled)
# No authentication or TLS option is shown for this endpoint, so access
# control rests on the bind address and firewall. Keep it on loopback or a
# private interface and let the scraper reach it from there.
# NOTE(review): confirm which labels (user names, client counts) are exported.
# bind-to = "127.0.0.1:9090"

# Metrics path (default: /metrics)
# path = "/metrics"