ei
/
mtg
镜像来自 https://github.com/9seconds/mtg
關註 1
收藏 0
複製 0
程式碼 問題管理 0 版本發佈 48 Wiki Activity
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1152 Commit
9 分支
目錄樹: b86a9cf85d
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from 'b86a9cf85d'
${ noResults }
mtg/contrib/sni-router/docker-compose.yml

docker-compose.yml 2.2KB
文件歷史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 
  1. # SNI-routing deployment: HAProxy (443) -> mtg + real web backend

  2. #

  3. # This setup puts an SNI-aware TCP router in front of mtg so that:

  4. #   - Telegram clients (FakeTLS with the correct SNI) are routed to mtg

  5. #   - All other TLS traffic (including DPI probes) reaches the real web

  6. #     server, which responds with a genuine certificate

  7. #

  8. # The result: active probes see a real website; passive DPI sees matching

  9. # SNI/IP because the domain resolves to this server's IP.

  10. #

  11. # Quick start:

  12. #   1. Set DOMAIN in a .env file next to this one (or export it)

  13. #   2. mtg generate-secret YOUR_DOMAIN   -> paste into mtg-config.toml

  14. #   3. docker compose up -d

  15. #

  16. # DOMAIN is forwarded to both Caddy (TLS cert) and HAProxy (SNI ACL),

  17. # so the SNI/cert/secret all line up from a single source.

  18. #

  19. # See BEST_PRACTICES.md and the project wiki for background.

  20. 

  21. x-domain-env: &domain-env

  22.   DOMAIN: ${DOMAIN:-example.com}

  23. 

  24. services:

  25.   haproxy:

  26.     image: haproxy:lts-alpine

  27.     # Host networking so HAProxy sees the real client source IP on

  28.     # inbound (bridge networking with published ports rewrites it to

  29.     # the bridge gateway under both Docker's userland-proxy and

  30.     # rootless Podman's slirp4netns/pasta).  See "Why host networking"

  31.     # in README.md.

  32.     network_mode: host

  33.     volumes:

  34.       - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro,Z

  35.     environment:

  36.       <<: *domain-env

  37.     depends_on:

  38.       - mtg

  39.       - web

  40.     restart: unless-stopped

  41. 

  42.   mtg:

  43.     image: nineseconds/mtg:2

  44.     volumes:

  45.       - ./mtg-config.toml:/config/config.toml:ro,Z

  46.     # Publish on host loopback so the host-mode HAProxy can reach it.

  47.     ports:

  48.       - "127.0.0.1:3128:3128"

  49.     restart: unless-stopped

  50.     extra_hosts:

  51.       - "host.containers.internal:host-gateway"

  52. 

  53.   web:

  54.     image: caddy:alpine

  55.     volumes:

  56.       - ./Caddyfile:/etc/caddy/Caddyfile:ro,Z

  57.       - caddy_data:/data

  58.       - ./www:/srv:ro,Z

  59.     # Publish on host loopback so the host-mode HAProxy can reach it.

  60.     # Caddy's HTTP listener is mapped off :80 (occupied by HAProxy)

  61.     # to :8080; haproxy.cfg dials it on 127.0.0.1:8080 for ACME.

  62.     ports:

  63.       - "127.0.0.1:8080:80"

  64.       - "127.0.0.1:8443:8443"

  65.     environment:

  66.       <<: *domain-env

  67.     restart: unless-stopped

  68. 

  69. volumes:

  70.   caddy_data: