ei
/
mtg
зеркало из https://github.com/9seconds/mtg
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Релизы 48 Вики Активность
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
1172 коммитов
6 Ветки
Дерево: 2d7c71657c
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из '2d7c71657c'
${ noResults }
mtg/contrib/sni-router/docker-compose.yml

docker-compose.yml 2.4KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. # SNI-routing deployment: HAProxy (443) -> mtg + real web backend

  2. #

  3. # This setup puts an SNI-aware TCP router in front of mtg so that:

  4. #   - Telegram clients (FakeTLS with the correct SNI) are routed to mtg

  5. #   - All other TLS traffic (including DPI probes) reaches the real web

  6. #     server, which responds with a genuine certificate

  7. #

  8. # The result: active probes see a real website; passive DPI sees matching

  9. # SNI/IP because the domain resolves to this server's IP.

  10. #

  11. # Quick start:

  12. #   1. Set DOMAIN in a .env file next to this one (or export it)

  13. #   2. mtg generate-secret YOUR_DOMAIN   -> render mtg-config.toml:

  14. #        export MTG_SECRET=...     # paste the hex secret

  15. #        envsubst < mtg-config.toml.example > mtg-config.toml

  16. #      (the rendered file is gitignored). See README.md for the cp+edit variant.

  17. #   3. docker compose up -d

  18. #

  19. # DOMAIN is forwarded to both Caddy (TLS cert) and HAProxy (SNI ACL),

  20. # so the SNI/cert/secret all line up from a single source.

  21. #

  22. # See BEST_PRACTICES.md and the project wiki for background.

  23. 

  24. x-domain-env: &domain-env

  25.   DOMAIN: ${DOMAIN:-example.com}

  26. 

  27. services:

  28.   haproxy:

  29.     image: haproxy:lts-alpine

  30.     # Host netns so HAProxy sees real client IPs (v4/v6) instead of the

  31.     # bridge gateway address.  Linux host only; see README → "Why HAProxy

  32.     # uses network_mode: host" for the rationale and trade-off.

  33.     network_mode: host

  34.     volumes:

  35.       - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro,Z

  36.     environment:

  37.       <<: *domain-env

  38.     depends_on:

  39.       - mtg

  40.       - web

  41.     restart: unless-stopped

  42. 

  43.   mtg:

  44.     # FIXME: :master until #480 lands in a tagged release; switch back to :2/:3 after release

  45.     image: nineseconds/mtg:master

  46.     volumes:

  47.       - ./mtg-config.toml:/config/config.toml:ro,Z

  48.     # Published on host loopback only — HAProxy (host netns) reaches it via

  49.     # 127.0.0.1.

  50.     ports:

  51.       - "127.0.0.1:3128:3128"

  52.     restart: unless-stopped

  53.     extra_hosts:

  54.       - "host.containers.internal:host-gateway"

  55. 

  56.   web:

  57.     image: caddy:alpine

  58.     volumes:

  59.       - ./Caddyfile:/etc/caddy/Caddyfile:ro,Z

  60.       - caddy_data:/data

  61.       - ./www:/srv:ro,Z

  62.     # Published on host loopback only — HAProxy reaches Caddy on 127.0.0.1.

  63.     # Port 8080 (not 80) on the host because HAProxy already owns host :80.

  64.     ports:

  65.       - "127.0.0.1:8080:80"

  66.       - "127.0.0.1:8443:8443"

  67.     environment:

  68.       <<: *domain-env

  69.     restart: unless-stopped

  70. 

  71. volumes:

  72.   caddy_data: