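# Minimal mtg configuration for the SNI-router setup.
#
# 1. Generate a secret: mtg generate-secret --hex example.com
# 2. Paste it below.
# 3. Replace example.com with your actual domain everywhere.
#
# Security notes:
# - The secret is the only client credential for this proxy. Never commit
#   the real value; keep this file as a template and inject the secret at
#   deploy time.
# - The secret embeds the fronting hostname (step 1), which mtg also uses
#   to pick the domain-fronting target below. Regenerate it if the domain
#   changes; do not just edit the hostname elsewhere.

secret = "PASTE_YOUR_SECRET_HERE"

# mtg binds on all interfaces of its container so HAProxy can reach it over
# the compose network. Because `proxy-protocol-listener` is enabled below,
# mtg trusts the PROXY header on EVERY connection to this socket: anything
# that can reach :3128 directly (bypassing HAProxy) can forge the client IP
# that mtg sees and logs. Do NOT publish 3128 on the host in
# docker-compose.yml and do not expose it beyond HAProxy's network.
# NOTE(review): whether mtg rejects connections that arrive without a PROXY
# header is not established here — verify rather than rely on it.
bind-to = "0.0.0.0:3128"

# HAProxy in front sends PROXY protocol v2 headers so mtg can see the
# real client IP. Keep this in sync with haproxy.cfg (`send-proxy-v2`):
# if HAProxy stops sending the header, mtg will misparse the TLS client
# hello; if mtg stops expecting it, the header is fed into the TLS stream.
proxy-protocol-listener = true

# Domain-fronting target. Without an explicit IP here, mtg resolves the
# secret's hostname via DNS, which points back to this server -> lands
# on HAProxy -> SNI matches the secret -> routed back to mtg -> loop.
#
# The IP below pins Caddy's container address (see docker-compose.yml
# `networks.sni.ipv4_address`) so mtg dials Caddy directly, bypassing
# HAProxy. It is a static assignment: if Caddy's address in compose changes
# and this value is not updated, fronted (non-Telegram) connections fail.
# `proxy-protocol = true` matches Caddy's :8443 listener wrapper so the
# real client IP propagates end-to-end. The same trust caveat applies on
# the Caddy side: its PROXY wrapper should accept headers only from mtg's
# address, otherwise any peer on the compose network can spoof client IPs
# towards Caddy.
[domain-fronting]
ip = "172.28.0.10"
port = 8443
proxy-protocol = true

# Replay defense: remember recently seen client handshakes so a captured
# handshake cannot be replayed to probe whether this port speaks MTProto.
# `max-size` bounds the memory the replay cache may use.
# NOTE(review): `error-rate` is presumably the cache's accepted
# false-positive rate (a false positive rejects a legitimate handshake);
# confirm against the mtg docs before tuning it.
[defense.anti-replay]
enabled = true
max-size = "1mib"
error-rate = 0.001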