| 1234567891011121314151617181920212223242526272829303132333435 |
- # Minimal mtg configuration template for the SNI-router setup.
- #
- # This is the tracked template; `docker compose` mounts `mtg-config.toml`
- # (gitignored), so render or copy this file before `docker compose up -d`:
- #
- # 1. Set DOMAIN=<your.domain> in .env (HAProxy + Caddy pick it up).
- # 2. Generate the secret: mtg generate-secret --hex <your.domain>
- # 3. Produce mtg-config.toml — pick one:
- # export MTG_SECRET=... # paste the hex secret
- # envsubst < mtg-config.toml.example > mtg-config.toml
- # or just copy and hand-edit `${MTG_SECRET}`:
- # cp mtg-config.toml.example mtg-config.toml && $EDITOR mtg-config.toml
-
- secret = "${MTG_SECRET}"
- bind-to = "[::]:3128"
-
- # HAProxy in front sends PROXY protocol v2 headers so mtg can see the
- # real client IP. Keep this in sync with haproxy.cfg (`send-proxy-v2`).
- proxy-protocol-listener = true
-
- # Fronting target: point mtg at the Caddy container directly so its
- # fallback dial (for non-Telegram TLS) bypasses HAProxy and doesn't
- # loop back here. Without this, mtg resolves the secret's hostname
- # via DNS, which in this setup resolves to this server -> HAProxy ->
- # mtg again. See README's "Fronting loop" section for the long form.
- # Requires mtg >= 2.4 (#480 added hostname acceptance for the target).
- [domain-fronting]
- host = "web"
- port = 8443
- proxy-protocol = true
-
- [defense.anti-replay]
- enabled = true
- max-size = "1mib"
- error-rate = 0.001