- Use list form for `networks: [sni]` on services that need no
per-network config; keep map form only on `web` where ipv4_address
requires it.
- README: note that the 172.28.0.0/24 subnet can be changed if it
collides with an existing host network (and remind to update both
files in lockstep).
- README: caveat that IPv6 fronting may lose the real client IP in
Caddy's logs because mtg constructs a mixed-family PROXY v2 header
(IPv6 source, IPv4 destination); Telegram traffic unaffected.

sni-router: break domain-fronting loop with pinned Caddy IP

When the secret's domain points at this server (the recommended
deployment), mtg's default fronting behavior dials that domain on :443
and the connection lands on HAProxy. HAProxy sees the SNI matching the
secret and routes back to mtg, looping until something gives.

Pin Caddy's container address via a static `sni` network and point
mtg's `[domain-fronting]` at it directly with `proxy-protocol = true`,
matching Caddy's :8443 PROXY listener wrapper. mtg's
`domain-fronting.ip` only accepts a literal IP (not a hostname), so the
network needs a fixed subnet.

README documents the loop, the fix, and the requirement to keep the
pinned IP in sync between docker-compose.yml and mtg-config.toml.

Reported by @gaudima in #462.
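
The lockstep requirement above is easy to break silently: a typo in either file leaves mtg dialing an address nobody listens on, or a hostname that mtg will reject. The following is an added example, not code from the mtg project, of a pre-flight check that reads both files and reports disagreement. The file contents are constructed stand-ins; the key names `ipv4_address`, `subnet`, `[domain-fronting]`, `ip` and `proxy-protocol` follow the commit message, the regex-based extraction and everything else are assumptions of the example.

```python
import ipaddress
import re

# Constructed stand-ins for the two files that must stay in lockstep
# (illustrative only, not the project's real docker-compose.yml / mtg-config.toml).
COMPOSE_YML = """\
services:
  web:
    networks:
      sni:
        ipv4_address: 172.28.0.10
  mtg:
    networks: [sni]
networks:
  sni:
    ipam:
      config:
        - subnet: 172.28.0.0/24
"""

MTG_CONFIG_TOML = """\
secret = "<placeholder-secret>"
proxy-protocol-listener = true

[domain-fronting]
ip = "172.28.0.10"
proxy-protocol = true
"""


def _compose_block(text, key):
    """Return the body of a two-space-indented top-level-ish block `  key:` (assumed layout)."""
    m = re.search(rf"^  {re.escape(key)}:\n(.*?)(?=^  \S|^\S|\Z)", text, re.M | re.S)
    return m.group(1) if m else ""


def compose_pinned_ip(text, service="web"):
    """ipv4_address pinned on `service` in docker-compose.yml, or None."""
    m = re.search(r"ipv4_address:\s*(\S+)", _compose_block(text, service))
    return m.group(1) if m else None


def compose_subnet(text, network="sni"):
    """Subnet declared for `network` in docker-compose.yml, or None."""
    m = re.search(r"subnet:\s*(\S+)", _compose_block(text, network))
    return m.group(1) if m else None


def mtg_fronting(text):
    """Key/value pairs of the [domain-fronting] table (minimal regex TOML reader)."""
    m = re.search(r"^\[domain-fronting\]\n(.*?)(?=^\[|\Z)", text, re.M | re.S)
    if not m:
        return {}
    pairs = re.findall(r'^\s*([\w-]+)\s*=\s*"?([^"\n]+?)"?\s*$', m.group(1), re.M)
    return dict(pairs)


def check_sync(compose, toml):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    pinned = compose_pinned_ip(compose)
    subnet = compose_subnet(compose)
    fronting = mtg_fronting(toml)
    target = fronting.get("ip")
    if pinned is None:
        problems.append("web has no ipv4_address in docker-compose.yml")
    if target is None:
        problems.append("[domain-fronting] has no ip in mtg-config.toml")
    else:
        try:
            ipaddress.ip_address(target)
        except ValueError:
            # mtg accepts only a literal IP here, so a hostname is a configuration error.
            problems.append(f"domain-fronting.ip must be a literal IP, got {target!r}")
            target = None
    if pinned and target and pinned != target:
        problems.append(f"pinned IP {pinned} != domain-fronting.ip {target}")
    if subnet and pinned:
        try:
            if ipaddress.ip_address(pinned) not in ipaddress.ip_network(subnet):
                problems.append(f"{pinned} is outside the sni subnet {subnet}")
        except ValueError:
            problems.append(f"unparseable address/subnet: {pinned} / {subnet}")
    if fronting.get("proxy-protocol") != "true":
        problems.append("domain-fronting.proxy-protocol must be true to match Caddy's :8443 PROXY listener")
    return problems


if __name__ == "__main__":
    print(check_sync(COMPOSE_YML, MTG_CONFIG_TOML) or "docker-compose.yml and mtg-config.toml agree")
```

Run it against the real files before `docker compose up`; any non-empty result is a deployment that will either loop (fronting still pointed at the public domain), fail to dial, or silently drop the PROXY header Caddy expects.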

Pass real client IPs through with PROXY protocol v2

Without this, mtg and Caddy see HAProxy's container IP for every
connection, which breaks meaningful logging, abuse handling, and any
IP-based blocklist logic. HAProxy sends a PROXY protocol v2 header on
its TCP backends; mtg enables proxy-protocol-listener, and Caddy wraps
:8443 with a proxy_protocol listener before tls.

The :80 path (ACME HTTP-01 passthrough) is unchanged — client IP there
is not useful and HAProxy's http mode already adds X-Forwarded-For if
anyone wants it.

Requested in https://github.com/9seconds/mtg/pull/462 review.
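
To see concretely what the receiving side (mtg's proxy-protocol-listener, Caddy's proxy_protocol wrapper) is parsing, and why the IPv6-fronting caveat in the bullet list above arises, here is an added encoder and decoder for the PROXY protocol v2 binary header. It is example code, not mtg's, HAProxy's or Caddy's implementation; the layout follows the published v2 specification (12-byte signature, version/command byte, family/protocol byte, 16-bit length, then addresses and ports). The point it shows: v2 carries a single address-family byte for the whole source/destination tuple, so a mixed pair (IPv6 source, IPv4 destination) has no faithful encoding, and a strict receiver should reject headers whose declared family and length disagree rather than guess.

```python
import ipaddress
import struct

# Constants from the PROXY protocol v2 specification.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12 bytes
V2_PROXY = 0x21                            # version 2, command PROXY
FAM_TCP4 = 0x11                            # AF_INET  + SOCK_STREAM
FAM_TCP6 = 0x21                            # AF_INET6 + SOCK_STREAM


def build_v2_header(src_ip, src_port, dst_ip, dst_port):
    """Encode a v2 PROXY header for a TCP connection.

    Refuses a mixed-family tuple: the header has one family byte, so an
    IPv6 source with an IPv4 destination cannot be represented as-is.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError(f"mixed address families: {src} -> {dst}")
    fam = FAM_TCP4 if src.version == 4 else FAM_TCP6
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return V2_SIGNATURE + struct.pack("!BBH", V2_PROXY, fam, len(body)) + body


def can_encode(src_ip, dst_ip):
    """True if the pair shares an address family and therefore encodes faithfully."""
    try:
        build_v2_header(src_ip, 0, dst_ip, 0)
        return True
    except ValueError:
        return False


def parse_v2_header(data):
    """Decode a v2 header; return (src_ip, src_port, dst_ip, dst_port, payload).

    Raises ValueError on anything malformed instead of inventing an address.
    """
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != V2_PROXY:
        raise ValueError(f"unsupported version/command 0x{ver_cmd:02x}")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    body, payload = data[16:16 + length], data[16 + length:]
    if fam == FAM_TCP4:
        needed, addr_len = 12, 4
    elif fam == FAM_TCP6:
        needed, addr_len = 36, 16
    else:
        raise ValueError(f"unsupported family/protocol 0x{fam:02x}")
    if length < needed:
        # Declared family and declared length disagree: reject, do not guess.
        raise ValueError(f"family 0x{fam:02x} needs {needed} bytes, header carries {length}")
    src = ipaddress.ip_address(body[:addr_len])
    dst = ipaddress.ip_address(body[addr_len:2 * addr_len])
    src_port, dst_port = struct.unpack("!HH", body[2 * addr_len:2 * addr_len + 4])
    return str(src), src_port, str(dst), dst_port, payload


if __name__ == "__main__":
    # Constructed sample: a public client reaching Caddy's pinned :8443 listener.
    hdr = build_v2_header("203.0.113.7", 51234, "172.28.0.10", 8443)
    print(parse_v2_header(hdr + b"\x16\x03\x01"))
```

Anything after the declared length (TLV extensions) is left in the header and ignored here; the TLS bytes that follow are returned as `payload`, which is exactly what Caddy's wrapper hands to its tls listener.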

Add an ACL that routes /.well-known/acme-challenge/ requests on :80
to Caddy instead of redirecting to HTTPS, so Let's Encrypt certificate
issuance works out of the box.

Also simplify Caddyfile to use Caddy's http_port/https_port directives.

Add docker-compose example with HAProxy SNI router

Turnkey deployment: HAProxy on :443 peeks at the TLS SNI and routes
Telegram clients to mtg while forwarding everything else (including DPI
probes) to a real Caddy web server with automatic HTTPS.

This is the setup recommended in BEST_PRACTICES.md, packaged so that
operators can clone and run it with minimal configuration.

Refs: #458
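
The two routing decisions this series describes, the :443 SNI peek and the :80 ACME passthrough, reduce to a few bytes of inspection. As an added example (not HAProxy's or mtg's code) the block below extracts the server_name extension from a TLS ClientHello the way an SNI router must, with bounds checks so a truncated or non-TLS first packet falls through to the default backend, and applies the page's rules: SNI equal to the secret's domain goes to mtg, everything else (including a DPI probe that is not TLS at all) goes to Caddy; on :80 only `/.well-known/acme-challenge/` is passed through. The ClientHello builder exists only so the example runs offline; the cipher suite and record version in it are arbitrary choices of the example.

```python
import os
import struct


def build_client_hello(server_name=None):
    """Constructed minimal TLS ClientHello record, optionally carrying an SNI extension."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension 0 = server_name
    body = (
        b"\x03\x03" + os.urandom(32)            # client_version, random
        + b"\x00"                               # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite (arbitrary)
        + b"\x01\x00"                           # compression methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Every offset is bounds-checked: a short, malformed or non-TLS record
    yields None (default backend) instead of an exception.
    """
    try:
        if record[0] != 0x16:                                   # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        pos = 4 + 2 + 32                                        # handshake header, version, random
        pos += 1 + hs[pos]                                      # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher suites
        pos += 1 + hs[pos]                                      # compression methods
        if pos + 2 > len(hs):
            return None                                         # no extensions block
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                lst = hs[pos:pos + elen]
                p = 2                                           # skip server_name_list length
                while p + 3 <= len(lst):
                    ntype = lst[p]
                    nlen = struct.unpack("!H", lst[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:
                        return lst[p:p + nlen].decode("ascii")
                    p += nlen
                return None
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def route_tls(record, secret_domain):
    """:443 decision: SNI matching the secret's domain -> mtg, anything else -> Caddy."""
    sni = extract_sni(record)
    return "mtg" if sni is not None and sni.lower() == secret_domain.lower() else "caddy"


def route_http(path):
    """:80 decision: ACME HTTP-01 challenges pass to Caddy, everything else redirects."""
    return "caddy" if path.startswith("/.well-known/acme-challenge/") else "redirect-https"


if __name__ == "__main__":
    secret_domain = "proxy.example.com"                         # constructed sample
    print(route_tls(build_client_hello(secret_domain), secret_domain))      # mtg
    print(route_tls(build_client_hello("www.example.org"), secret_domain))  # caddy
    print(route_tls(b"GET / HTTP/1.1\r\n\r\n", secret_domain))              # caddy
    print(route_http("/.well-known/acme-challenge/token"))                  # caddy
```

The same function also shows the loop the later commit fixes: the fronting connection mtg opens to the secret's domain carries that domain as its SNI, so `route_tls` sends it straight back to mtg, which is why fronting has to target Caddy's pinned IP rather than the public name.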