A minimal, secure, and production-oriented Docker image for Telemt — a fast MTProto proxy server (MTProxy) written in Rust + Tokio.
Built as a fully static binary and shipped in a distroless runtime image, running as non-root by default.
- 🔐 Secure by default: Distroless runtime + non-root user.
- 🏗 Multi-arch: Supports
amd64andarm64. - 📦 Fully static binary: Designed for
gcr.io/distroless/static:nonroot. - 🧾 Config-driven: You mount a single
/etc/telemt.tomland go. - 📈 Metrics-ready: Supports Telemt metrics port (
9090) via config. - 🧰 Build-time pinning: Upstream repo/ref are configurable via build args.
Telemt is a Telegram proxy (MTProto). Operating proxies may be restricted or monitored depending on your country/ISP and may carry legal/operational risks.
You are responsible for compliance with local laws and for safe deployment (firewalling, access control, logs, monitoring).
Telemt users require a 32-hex-char secret (16 bytes):
openssl rand -hex 16Refer to the upstream repository for the configuration format and examples:
👉 https://github.com/telemt/telemt
Place your configuration file as ./telemt.toml.
Note: the container runs as non-root, but Telemt binds to 443 by default.
To allow binding to privileged ports, we addNET_BIND_SERVICE.
services:
telemt:
image: whn0thacked/telemt-docker:latest
container_name: telemt
restart: unless-stopped
# Telemt uses RUST_LOG for verbosity (optional)
environment:
RUST_LOG: "info"
# Telemt reads config from CMD (default: /etc/telemt.toml)
volumes:
- ./telemt.toml:/etc/telemt.toml:ro
ports:
- "443:443/tcp"
# If you enable metrics_port=9090 in config:
# - "127.0.0.1:9090:9090/tcp"
# Hardening
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
read_only: true
tmpfs:
- /tmp:rw,nosuid,nodev,noexec,size=16m
# Resource limits (optional)
deploy:
resources:
limits:
cpus: "0.50"
memory: 256M
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"docker compose up -dLogs:
docker compose logs -f| Variable | Mandatory | Default | Description |
|---|---|---|---|
RUST_LOG |
No | — | Telemt log level (e.g. info, debug, trace). |
| Container Path | Purpose |
|---|---|
/etc/telemt.toml |
Main Telemt configuration file (you mount it from the host). |
| Port | Purpose |
|---|---|
443/tcp |
Main MTProxy listener (commonly used for TLS-like traffic). |
9090/tcp |
Metrics port (only if enabled in telemt.toml). |
- ENTRYPOINT:
telemt - CMD (default):
/etc/telemt.toml
So the container effectively runs:
telemt /etc/telemt.toml
To use a different config path, override the command:
docker run ... whn0thacked/telemt-docker:latest /path/to/config.tomlThis Dockerfile supports pinning upstream Telemt source:
TELEMT_REPO(default:https://github.com/telemt/telemt.git)TELEMT_REF(default:main)
docker buildx build \
--platform linux/amd64,linux/arm64 \
-t whn0thacked/telemt-docker:latest \
--push .docker buildx build \
--build-arg TELEMT_REF=v1.1.0.0 \
-t whn0thacked/telemt-docker:v1.1.0.0 \
--push .- Telemt upstream: https://github.com/telemt/telemt
- MTProxy ad tag bot: https://t.me/mtproxybot
- Distroless images: https://github.com/GoogleContainerTools/distroless