contrib/sni-router: render mtg-config.toml from a tracked .example
Track `mtg-config.toml.example` with `secret = "${MTG_SECRET}"`; the
rendered `mtg-config.toml` and local `.env` are gitignored, so the
secret never lands in a tracked file.
Quick start switches from "paste the secret into mtg-config.toml" to
either `envsubst < mtg-config.toml.example > mtg-config.toml` or
`cp` + hand-edit `${MTG_SECRET}` for users without envsubst.
After #502 made DOMAIN env-driven, the secret was the last hand-edit
of a tracked file in the example. Follow-up to #506.
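As an added illustration of the render step described in the commit above (this is not code from the mtg repository): a POSIX sh helper that renders `mtg-config.toml` from the tracked `.example`, using `envsubst` when present and a plain `awk` swap otherwise. The refusal to write into a git-tracked path, the owner-only file mode and the leftover-placeholder check are assumptions about what an operator would want, not behaviour the commit describes.

```shell
#!/bin/sh
# Added example, not code from the mtg repo: render contrib/sni-router's
# mtg-config.toml from the tracked .example so the secret only ever lands
# in a gitignored file. Uses envsubst when present, else a plain awk swap.
set -eu

render_mtg_config() {
  example=$1   # tracked template, e.g. mtg-config.toml.example
  out=$2       # rendered, gitignored mtg-config.toml
  if [ -z "${MTG_SECRET:-}" ]; then
    echo "MTG_SECRET is not set (put it in .env and source it)" >&2
    return 1
  fi
  # Refuse to write a secret into anything git tracks.
  if command -v git >/dev/null 2>&1 &&
     git ls-files --error-unmatch "$out" >/dev/null 2>&1; then
    echo "$out is tracked by git; refusing to render into it" >&2
    return 1
  fi
  (
    umask 077   # the rendered file carries the secret: owner-readable only
    if command -v envsubst >/dev/null 2>&1; then
      MTG_SECRET="$MTG_SECRET" envsubst '${MTG_SECRET}' <"$example" >"$out"
    else
      # mtg secrets are hex, so no awk replacement metacharacters (& or \)
      # can appear in the value; only the literal ${MTG_SECRET} is replaced.
      awk -v sec="$MTG_SECRET" '{ gsub(/\$\{MTG_SECRET\}/, sec); print }' \
        "$example" >"$out"
    fi
  )
  # A template that grew a placeholder nobody exported must not pass.
  if grep -q '\${[A-Za-z_][A-Za-z0-9_]*}' "$out"; then
    echo "unrendered placeholder left in $out" >&2
    return 1
  fi
}

# Demo on a constructed template in a scratch dir; the secret is made up.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' 'secret = "${MTG_SECRET}"' '' '[domain-fronting]' \
    'host = "web"' >"$dir/mtg-config.toml.example"
  MTG_SECRET=ee00112233445566778899aabbccddeeff6578616d706c652e636f6d \
    render_mtg_config "$dir/mtg-config.toml.example" "$dir/mtg-config.toml"
  cat "$dir/mtg-config.toml"
}
demo
```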

When the secret's domain resolves back to this server (the SNI-router
default), mtg's fallback fronting dial lands on HAProxy, the SNI
matches the secret, HAProxy routes the connection back to mtg -> loop.
Set [domain-fronting].host = "web" in mtg-config.toml so mtg dials
Caddy directly via compose-network DNS, bypassing HAProxy. Requires
mtg >= 2.4 (#480 added hostname acceptance for the fronting target).
README gains a "Fronting loop" section explaining the cause.

contrib/sni-router: align mtg-config.toml comments with $DOMAIN flow
Comments said 'Replace example.com everywhere', which became stale once
$DOMAIN drives haproxy.cfg + Caddyfile + docker-compose. Reword so the
user's mental model is: pick a domain, generate the secret with it,
put it in .env once.

Pass real client IPs through with PROXY protocol v2
Without this, mtg and Caddy see HAProxy's container IP for every
connection, which breaks meaningful logging, abuse handling, and any
IP-based blocklist logic. HAProxy sends a PROXY protocol v2 header on
its TCP backends; mtg enables proxy-protocol-listener, and Caddy wraps
:8443 with a proxy_protocol listener before tls.
The :80 path (ACME HTTP-01 passthrough) is unchanged — client IP there
is not useful and HAProxy's http mode already adds X-Forwarded-For if
anyone wants it.
Requested in https://github.com/9seconds/mtg/pull/462 review.

Add docker-compose example with HAProxy SNI router
Turnkey deployment: HAProxy on :443 peeks at the TLS SNI and routes
Telegram clients to mtg while forwarding everything else (including DPI
probes) to a real Caddy web server with automatic HTTPS.
This is the setup recommended in BEST_PRACTICES.md, packaged so that
operators can clone and run it with minimal configuration.
Refs: #458