🚀 New Release: v4.11.0
SOCKS5 upstream support in check command (#57), Cloudflare Spectrum docs (#55).
- teleproxy check now routes DC probes through the configured SOCKS5 proxy. New --socks5 URL CLI flag; also reads from TOML config.
- Handle buffer allocation failures gracefully instead of crashing (#58).
- Fix PROXY protocol metrics always reporting 0 in multi-worker mode (#53).
- New deployment guide: Cloudflare Spectrum.
💬 Comment on #59: OOM / server hangs
Not a memory leak — the default MAX_CONNECTIONS=60000 is too aggressive for a 2 GB machine.
The dominant memory consumer is kernel TCP socket buffers: each open socket allocates ~46 KB of kernel memory (tcp_rmem + tcp_wmem defaults), so 60k sockets alone need ~2.7 GB — more than your total RAM. The proxy has userspace protections (LRU eviction, per-connection buffer caps), but those can't control kernel-side allocation, which is what triggers OOM.
Lowering the default to 10,000 in the next release. For now, set MAX_CONNECTIONS=10000 in your Docker environment — that's safe for 2 GB and handles typical proxy loads. If you need more, scale up proportionally ((RAM_MB - 300) * 10 is a reasonable upper bound).
Periodic restart shouldn't be necessary with a correct connection limit. If OOM persists after lowering it, check net.ipv4.tcp_rmem / net.ipv4.tcp_wmem sysctl values.
Will also add a tuning guide to the docs.
💬 Comment on #60: Doesn't load pics and videos by chats in direct mode
Let's keep this open for direct mode fixes
💬 Comment on #64: Adding an improved version of the dashboard
Thanks @PentiumB — merged into main in 4caa7f7 with your commit f084765 recorded as a merge parent in c913f7a so the attribution is preserved in git history.
Apologies for the PR showing as closed rather than merged — that's a mishap on my side with how the commit landed, not a rejection. The dashboard is shipped as-is in dashboards/teleproxy-instance.json.
Small follow-ups I'll handle in a separate commit: change uid from teleproxy to teleproxy-instance so it doesn't collide with the existing dashboard on import, and strip the hardcoded current.value / datasource uid so the file is portable. Nothing you need to do.
📋 New Issue #69: RFC: WebSocket transport (Type3) as complementary deployment mode — coexist with existing nginx, front via free Cloudflare Workers
by toxeh
📋 New Issue #70: Metrics bug: bytes_sent/received counters appear swapped; unique_ips always 0
by qcode-star
🚀 New Release: v4.12.0
Bug fixes for Docker deployments and per-secret metrics.
- Fix teleproxy_secret_unique_ips always reporting 0 (#70). The counter was only incremented when a secret had max_ips or rate_limit configured; plain secrets are now tracked too.
- Clarify teleproxy_secret_bytes_received_total / _sent_total HELP text: "received" is uploads (proxy from clients), "sent" is downloads (proxy to clients). The counters are direct-mode only; relay-mode aggregation is a separate gap, tracked for a follow-up.
- Change teleproxy_secret_unique_ips TYPE from gauge to counter to match its actual cumulative behaviour.
- Fix Docker SECRET=hex:label,hex:label writing the entire string as the TOML key instead of splitting label off (#67). The numbered-secret path (SECRET_LABEL_N) was already correct.
- Add EXTERNAL_PORT env var for advertising a different port in the connection link than the internal listen port (#66) — needed when Docker maps -p 4443:443. Also added a matching external_port TOML option, consumed by the /link HTML page and teleproxy link URL builder.
🚀 New Release: v4.12.1
Hotfix for log spam introduced in 4.12.0.
- Fix "WARNING: IP tracking table full for secret 0" flooding docker logs on busy plain secrets (#71). The 4.12.0 fix for #70 made every secret populate a fixed-size 256-entry per-IP table, which overflows on any proxy serving more than ~256 distinct source IPs since startup. Plain secrets (no max_ips, no rate_limit) now bypass the precise tracking table entirely and feed the cumulative teleproxy_secret_unique_ips counter from a per-secret Bloom filter — bounded memory, no overflow.
- For limit-bearing secrets where the table can still legitimately fill if max_ips exceeds 256, throttle the warning to once per minute per slot and include the secret label and a remediation hint.
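How a Bloom filter can feed a cumulative unique-IP counter in fixed memory, as the v4.12.1 note above describes. This is an added sketch, not teleproxy's code: the filter size, hash count, mixing function, IPv4-only keys and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BLOOM_BITS   8192u  /* assumed: 1 KiB of filter per secret */
#define BLOOM_HASHES 3u     /* assumed number of probe positions */

struct secret_stats {
    uint8_t  bloom[BLOOM_BITS / 8];
    uint64_t unique_ips;    /* cumulative counter, never decreases */
};

/* splitmix64 finalizer, used here as a stand-in hash (assumption). */
static uint64_t mix64(uint64_t z) {
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* Record one client address. Returns 1 if counted as new, 0 if "probably seen".
 * False positives cause a slight undercount; it never overcounts, memory is fixed. */
static int stats_note_ip(struct secret_stats *s, uint32_t ipv4) {
    uint64_t h = mix64((uint64_t)ipv4 + 0x9e3779b97f4a7c15ULL);
    uint32_t h1 = (uint32_t)h, h2 = (uint32_t)(h >> 32) | 1u;
    int is_new = 0;
    for (uint32_t i = 0; i < BLOOM_HASHES; i++) {
        uint32_t bit = (h1 + i * h2) % BLOOM_BITS;
        uint8_t mask = (uint8_t)(1u << (bit & 7u));
        if (!(s->bloom[bit >> 3] & mask)) {
            s->bloom[bit >> 3] |= mask;   /* unset bit => definitely new */
            is_new = 1;
        }
    }
    s->unique_ips += (uint64_t)is_new;
    return is_new;
}

/* Constructed input: n distinct addresses from 10.0.0.0 up, each seen twice. */
static uint64_t demo_count(uint32_t n) {
    struct secret_stats s;
    memset(&s, 0, sizeof s);
    for (int pass = 0; pass < 2; pass++)
        for (uint32_t i = 0; i < n; i++)
            stats_note_ip(&s, 0x0a000000u + i);
    return s.unique_ips;
}

int main(void) {
    printf("1000 distinct IPs counted as %llu\n", (unsigned long long)demo_count(1000));
    return 0;
}
```

Past the 256 addresses that filled the old table, the structure stays the same size; the cost is a small undercount that grows as the filter saturates.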
💬 Comment on #68: Compatible with compilation using Clang on x86_64 systems.
Landed in fb62089 with attribution preserved. Branch protection rejected the GitHub merge button (CodeQL doesn't run on fork PRs), so I cherry-picked the commit onto main directly. Thanks for the patch.
💬 Comment on #73: Verify __builtin_ia32_punpckhdq128 under clang in crc32.c
Closing — the new build-clang CI job (#72, commit f9ad4c7) ran make CC=clang on ubuntu-latest and succeeded. Clang ships __builtin_ia32_punpckhdq128 as a native builtin, so no 7th alias is needed.
🚀 New Release: v4.12.2
Build hygiene. No runtime changes.
- Compile cleanly with make CC=clang on x86_64 (#68). Adds _mm_* intrinsic shims for the GCC-only __builtin_ia32_* names used in src/common/crc32.c, gated to x86 so Apple Silicon clang isn't affected.
- New build-clang job in the CI matrix exercises the clang x86_64 build path so future regressions surface in CI rather than only in third-party packaging (#72).