# SNI-routing deployment: HAProxy (443) -> mtg + real web backend # # This setup puts an SNI-aware TCP router in front of mtg so that: # - Telegram clients (FakeTLS with the correct SNI) are routed to mtg # - All other TLS traffic (including DPI probes) reaches the real web # server, which responds with a genuine certificate # # The result: active probes see a real website; passive DPI sees matching # SNI/IP because the domain resolves to this server's IP. # # Quick start: # 1. Set DOMAIN in a .env file next to this one (or export it) # 2. mtg generate-secret YOUR_DOMAIN -> paste into mtg-config.toml # 3. docker compose up -d # # DOMAIN is forwarded to both Caddy (TLS cert) and HAProxy (SNI ACL), # so the SNI/cert/secret all line up from a single source. # # See BEST_PRACTICES.md and the project wiki for background. x-domain-env: &domain-env DOMAIN: ${DOMAIN:-example.com} services: haproxy: image: haproxy:lts-alpine # Host networking so HAProxy sees the real client source IP on # inbound (bridge networking with published ports rewrites it to # the bridge gateway under both Docker's userland-proxy and # rootless Podman's slirp4netns/pasta). See "Why host networking" # in README.md. network_mode: host volumes: - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro,Z environment: <<: *domain-env depends_on: - mtg - web restart: unless-stopped mtg: image: nineseconds/mtg:2 volumes: - ./mtg-config.toml:/config/config.toml:ro,Z # Publish on host loopback so the host-mode HAProxy can reach it. ports: - "127.0.0.1:3128:3128" restart: unless-stopped extra_hosts: - "host.containers.internal:host-gateway" web: image: caddy:alpine volumes: - ./Caddyfile:/etc/caddy/Caddyfile:ro,Z - caddy_data:/data - ./www:/srv:ro,Z # Publish on host loopback so the host-mode HAProxy can reach it. # Caddy's HTTP listener is mapped off :80 (occupied by HAProxy) # to :8080; haproxy.cfg dials it on 127.0.0.1:8080 for ACME. ports: - "127.0.0.1:8080:80" - "127.0.0.1:8443:8443" environment: <<: *domain-env restart: unless-stopped volumes: caddy_data: