| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647 |
- # HAProxy SNI router — Layer 4 (TCP mode)
- #
- # Inspects the SNI in the TLS ClientHello and routes traffic:
- # - SNI matching the mtg secret domain -> mtg (FakeTLS / MTProto)
- # - Everything else -> real web backend (Caddy)
- #
- # Because routing happens before TLS termination, each backend sees the
- # raw ClientHello and handles TLS itself. The real web backend therefore
- # presents a genuine certificate to any probe or browser.
-
- global
- log stdout format raw local0 info
- maxconn 4096
-
- defaults
- log global
- mode tcp
- option tcplog
- timeout connect 5s
- timeout client 60s
- timeout server 60s
-
- # --- HTTP :80 — redirect to HTTPS -------------------------------------------
-
- frontend http
- bind *:80
- mode http
- http-request redirect scheme https code 301
-
- # --- TLS :443 — SNI-based routing -------------------------------------------
-
- frontend tls
- bind *:443
- tcp-request inspect-delay 5s
- tcp-request content accept if { req_ssl_hello_type 1 }
-
- # Route Telegram clients to mtg.
- # Replace "example.com" with the domain from your mtg secret.
- use_backend mtg if { req_ssl_sni -i example.com }
-
- default_backend web
-
- backend mtg
- server mtg mtg:3128
-
- backend web
- server web web:8443