ei
/
mtg
zrcadlo https://github.com/9seconds/mtg
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Vydání 48 Wiki Aktivita
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
1172 Revize
6 Větve
Strom: 2d7c71657c
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „2d7c71657c“
${ noResults }
mtg/contrib/sni-router/haproxy.cfg

haproxy.cfg 2.4KB
Historie Surový

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 
  1. # HAProxy SNI router — Layer 4 (TCP mode)

  2. #

  3. # Inspects the SNI in the TLS ClientHello and routes traffic:

  4. #   - SNI matching the mtg secret domain  ->  mtg (FakeTLS / MTProto)

  5. #   - Everything else                      ->  real web backend (Caddy)

  6. #

  7. # Because routing happens before TLS termination, each backend sees the

  8. # raw ClientHello and handles TLS itself.  The real web backend therefore

  9. # presents a genuine certificate to any probe or browser.

  10. 

  11. global

  12.     log stdout format raw local0 info

  13.     maxconn 4096

  14. 

  15. defaults

  16.     log     global

  17.     mode    tcp

  18.     option  tcplog

  19.     timeout connect 5s

  20.     timeout client  60s

  21.     timeout server  60s

  22. 

  23. # --- HTTP :80 — ACME challenges + redirect -----------------------------------

  24. 

  25. frontend http

  26.     # Explicit v4 + v6 binds so IPv6 clients are accepted regardless of

  27.     # the host's net.ipv6.bindv6only sysctl.

  28.     bind :80,[::]:80

  29.     mode http

  30. 

  31.     # Let Caddy answer ACME HTTP-01 challenges for Let's Encrypt.

  32.     acl is_acme path_beg /.well-known/acme-challenge/

  33.     use_backend web_acme if is_acme

  34. 

  35.     http-request redirect scheme https code 301

  36. 

  37. # --- TLS :443 — SNI-based routing -------------------------------------------

  38. 

  39. frontend tls

  40.     bind :443,[::]:443

  41.     tcp-request inspect-delay 5s

  42.     tcp-request content accept if { req_ssl_hello_type 1 }

  43. 

  44.     # Route Telegram clients to mtg.  The domain is read from the $DOMAIN

  45.     # environment variable (forwarded by docker-compose), so it stays in

  46.     # sync with Caddy and there is no per-deploy edit to this file.

  47.     use_backend mtg if { req_ssl_sni -i "${DOMAIN}" }

  48. 

  49.     default_backend web

  50. 

  51. # Backends reach mtg and web on host loopback — they publish to 127.0.0.1

  52. # (see docker-compose.yml), and HAProxy runs in the host netns

  53. # (network_mode: host).  PROXY v2 still carries the real client address

  54. # (v4 or v6) end-to-end, independent of the loopback transport.

  55. 

  56. backend mtg

  57.     # send-proxy-v2 prepends a PROXY protocol v2 header so mtg sees the

  58.     # real client IP instead of HAProxy's.  mtg must have

  59.     # `proxy-protocol-listener = true` in its config.

  60.     server mtg 127.0.0.1:3128 send-proxy-v2

  61. 

  62. backend web

  63.     # send-proxy-v2 prepends a PROXY protocol v2 header so Caddy logs the

  64.     # real client IP instead of HAProxy's.  Caddy must enable the

  65.     # proxy_protocol listener wrapper on :8443 (see Caddyfile).

  66.     server web 127.0.0.1:8443 send-proxy-v2

  67. 

  68. backend web_acme

  69.     mode http

  70.     server web 127.0.0.1:8080