MTProxy for Telegram on Rust + Tokio
10K+
A minimal, secure, and production-oriented Docker image for Telemt — a fast MTProto proxy server (MTProxy) written in Rust + Tokio.
Built as a fully static and semi static binary and shipped in a distroless runtime image, running as non-root by default.
amd64 and arm64.gcr.io/distroless/static:nonroot.gcr.io/distroless/cc:nonroot./etc/telemt/config.toml and go.9090) via config.Telemt is a Telegram proxy (MTProto). Operating proxies may be restricted or monitored depending on your country/ISP and may carry legal/operational risks.
You are responsible for compliance with local laws and for safe deployment (firewalling, access control, logs, monitoring).
3.0.3, 3.0.3-distroless-cc, distroless-cc, latest3.0.3-distroless-mc, distroless-mc3.0.3-debian13, 3.0.3-debian, debian13, debian3.0.3-alpine3.23, 3.0.3-alpine, alpine3.23, alpineThe telemt images come in many flavors, each designed for a specific use case.
telemt:<version>-distroless-ccThis is the defacto image. If you are unsure about what your needs are, you probably want to use this one.
Application build with glibc.
Image based on debian for build stage and gcr.io/distroless/cc:nonroot for runtime.
telemt:<version>-distroless-mcThis is the alternative defacto image. If you are want to smaller image than distroless-cc, you probably want to use this one.
Application build with musl.
Image based on alpine for build stage and gcr.io/distroless/static:nonroot for runtime.
This variant is useful when final image size being as small as possible is your primary concern. The main caveat to note is that it does use musl libc instead of glibc and friends, so performance may be lower if depending on the depth of libc requirements/assumptions. See this Hacker News comment thread for more discussion of the issues that might arise and some pro/con comparisons of using musl-based builds.
telemt:<version>-debianThis image is based on the Debian project, available in the debian official image. Used Debian Linux slim tag, that is much smaller than others, and thus leads slimmer images in general.
Application build with glibc.
This image contains some additional tools, like ping, telnet, curl, etc. to connectivity checks.
telemt:<version>-alpineThis image is based on the popular Alpine Linux project, available in the alpine official image. Alpine Linux is much smaller than most distribution base images (~5MB), and thus leads to much slimmer images in general.
Application build with musl.
This variant is useful when final image size being as small as possible with additional is your primary concern. The main caveat to note is that it does use musl libc instead of glibc and friends, so performance may be lower if depending on the depth of libc requirements/assumptions. See this Hacker News comment thread for more discussion of the issues that might arise and some pro/con comparisons of using Alpine-based images.
This image contains some additional tools, like ping, telnet, curl, etc. to connectivity checks.
Telemt users require a 32-hex-char secret (16 bytes):
openssl rand -hex 16
or
head -c 16 /dev/urandom | xxd -ps
or
xxd -l 16 -p /dev/urandom
or
python3 -c 'import os; print(os.urandom(16).hex())'
config.tomlRefer to the upstream repository for the configuration format and examples:
👉 https://github.com/telemt/telemt
Place your configuration file as ./config.toml.
docker-compose.ymlNote: the container runs as non-root, but Telemt binds to 443 by default.
To allow binding to privileged ports, we addNET_BIND_SERVICE.
---
services:
telemt:
container_name: telemt
image: "raylabpro/telemt:${TELEMT_TAG:-distroless-cc}"
restart: "unless-stopped"
pull_policy: "always"
# network_mode: host
ports:
- "18443:443"
- "127.0.0.1:19090:9090/tcp"
ulimits:
nofile:
soft: 65536
hard: 65536
environment:
TZ: "Europe/Moscow"
RUST_LOG: info
volumes:
- "/etc/timezone:/etc/timezone:ro"
- "/etc/localtime:/etc/localtime:ro"
- "/etc/hostname:/etc/hostname:ro"
- "./config.toml:/etc/telemt/config.toml:ro"
# Hardening
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
read_only: true
tmpfs:
- /tmp:rw,nosuid,nodev,noexec,size=16m
# Resource limits (optional)
deploy:
resources:
limits:
cpus: "0.50"
memory: 256M
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
docker compose up -d
Logs:
docker compose logs -f
| Variable | Mandatory | Default | Description |
|---|---|---|---|
RUST_LOG | No | — | Telemt log level (e.g. info, debug, trace). |
| Container Path | Purpose |
|---|---|
/etc/telemt/config.toml | Main Telemt configuration file (you mount it from the host). |
| Port | Purpose |
|---|---|
443/tcp | Main MTProxy listener (commonly used for TLS-like traffic). |
9090/tcp | Metrics port (only if enabled in config.toml). |
/usr/local/bin/telemt/etc/telemt/config.tomlSo the container effectively runs:
/usr/local/bin/telemt /etc/telemt/config.toml
To use a different config path, override the command:
docker run ... raylabpro/telemt:latest /path/to/config.toml
Content type
Image
Digest
sha256:36914954b…
Size
16.2 MB
Last updated
about 1 month ago
docker pull raylabpro/telemt