ei
/
mtg
镜像来自 https://github.com/9seconds/mtg
關註 1
收藏 0
複製 0
程式碼 問題管理 0 版本發佈 48 Wiki Activity
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1137 Commit
7 分支
目錄樹: b293a33d99
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from 'b293a33d99'
${ noResults }
mtg/contrib/sni-router/haproxy.cfg

haproxy.cfg 2.0KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. # HAProxy SNI router — Layer 4 (TCP mode)

  2. #

  3. # Inspects the SNI in the TLS ClientHello and routes traffic:

  4. #   - SNI matching the mtg secret domain  ->  mtg (FakeTLS / MTProto)

  5. #   - Everything else                      ->  real web backend (Caddy)

  6. #

  7. # Because routing happens before TLS termination, each backend sees the

  8. # raw ClientHello and handles TLS itself.  The real web backend therefore

  9. # presents a genuine certificate to any probe or browser.

  10. 

  11. global

  12.     log stdout format raw local0 info

  13.     maxconn 4096

  14. 

  15. defaults

  16.     log     global

  17.     mode    tcp

  18.     option  tcplog

  19.     timeout connect 5s

  20.     timeout client  60s

  21.     timeout server  60s

  22. 

  23. # --- HTTP :80 — ACME challenges + redirect -----------------------------------

  24. 

  25. frontend http

  26.     bind *:80

  27.     mode http

  28. 

  29.     # Let Caddy answer ACME HTTP-01 challenges for Let's Encrypt.

  30.     acl is_acme path_beg /.well-known/acme-challenge/

  31.     use_backend web_acme if is_acme

  32. 

  33.     http-request redirect scheme https code 301

  34. 

  35. # --- TLS :443 — SNI-based routing -------------------------------------------

  36. 

  37. frontend tls

  38.     bind *:443

  39.     tcp-request inspect-delay 5s

  40.     tcp-request content accept if { req_ssl_hello_type 1 }

  41. 

  42.     # Route Telegram clients to mtg.  The domain is read from the $DOMAIN

  43.     # environment variable (forwarded by docker-compose), so it stays in

  44.     # sync with Caddy and there is no per-deploy edit to this file.

  45.     use_backend mtg if { req_ssl_sni -i "${DOMAIN}" }

  46. 

  47.     default_backend web

  48. 

  49. backend mtg

  50.     # send-proxy-v2 prepends a PROXY protocol v2 header so mtg sees the

  51.     # real client IP instead of HAProxy's.  mtg must have

  52.     # `proxy-protocol-listener = true` in its config.

  53.     server mtg mtg:3128 send-proxy-v2

  54. 

  55. backend web

  56.     # send-proxy-v2 prepends a PROXY protocol v2 header so Caddy logs the

  57.     # real client IP instead of HAProxy's.  Caddy must enable the

  58.     # proxy_protocol listener wrapper on :8443 (see Caddyfile).

  59.     server web web:8443 send-proxy-v2

  60. 

  61. backend web_acme

  62.     mode http

  63.     server web web:80