dolonet
b86a9cf85d
contrib/sni-router: use host networking for HAProxy to preserve client IPs
Move HAProxy into the host network namespace so it sees the real
client source IP on inbound connections. With bridge networking +
published ports the source IP is rewritten to the bridge gateway by
the runtime (Docker's userland-proxy, rootless Podman's slirp4netns
or pasta), and the PROXY v2 header HAProxy then sends to mtg and
Caddy carries that useless address.

mtg and Caddy stay on the compose bridge and publish their ports on
host loopback; the host-mode HAProxy dials them at 127.0.0.1. Caddy's
proxy_protocol allow list is tightened to loopback only.

The 'sysctls: net.ipv4.ip_unprivileged_port_start=80' line is removed
because Docker refuses to apply namespaced sysctls when the netns is
shared with the host. Rootless Podman users binding the privileged
ports need the equivalent host-side sysctl once; this is documented
in README.md.

Fixes #498.
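To check what address actually reaches mtg or Caddy after this change, here is an added example (not part of the commit or the project's code) that builds and parses the binary PROXY v2 header HAProxy emits with send-proxy-v2 and flags a forwarded source that is loopback or sits inside a container bridge subnet. The bridge subnets and the client/destination addresses are constructed sample values, not taken from the repository.

```python
import ipaddress
import struct
from typing import NamedTuple, Sequence, Union

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

class ProxyInfo(NamedTuple):
    src: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    dst: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    src_port: int
    dst_port: int

def build_proxy_v2(src: str, dst: str, src_port: int, dst_port: int) -> bytes:
    """Build the binary v2 header HAProxy emits for 'send-proxy-v2' (TCP only)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("mixed address families")
    fam_proto = 0x11 if s.version == 4 else 0x21  # AF_INET / AF_INET6, STREAM
    body = s.packed + d.packed + struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body

def parse_proxy_v2(data: bytes) -> ProxyInfo:
    """Parse a binary PROXY v2 header carrying TCP over IPv4 or IPv6."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21:  # high nibble: version 2, low nibble: PROXY command
        raise ValueError(f"unsupported version/command 0x{ver_cmd:02x}")
    body = data[16:16 + length]
    if len(body) < length:
        raise ValueError("truncated PROXY v2 header")
    if fam_proto == 0x11:
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
    elif fam_proto == 0x21:
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError(f"unsupported family/protocol 0x{fam_proto:02x}")
    return ProxyInfo(ipaddress.ip_address(s), ipaddress.ip_address(d), sp, dp)

def source_is_rewritten(info: ProxyInfo, bridge_nets: Sequence[str]) -> bool:
    """True when the source is loopback or inside a bridge subnet, i.e. the runtime rewrote it."""
    nets = [ipaddress.ip_network(n) for n in bridge_nets]
    return info.src.is_loopback or any(info.src in n for n in nets)

if __name__ == "__main__":
    nets = ["172.17.0.0/16", "172.18.0.0/16"]  # constructed: docker0 + compose bridge
    for hdr in (build_proxy_v2("172.18.0.1", "172.18.0.3", 51000, 443),  # bridge mode
                build_proxy_v2("203.0.113.7", "198.51.100.10", 51000, 443)):  # host mode
        info = parse_proxy_v2(hdr)
        print(info.src, "rewritten" if source_is_rewritten(info, nets) else "real client")
```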