| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758 |
- # SNI-routing deployment: HAProxy (443) -> mtg + real web backend
- #
- # This setup puts an SNI-aware TCP router in front of mtg so that:
- # - Telegram clients (FakeTLS with the correct SNI) are routed to mtg
- # - All other TLS traffic (including DPI probes) reaches the real web
- # server, which responds with a genuine certificate
- #
- # The result: active probes see a real website; passive DPI sees matching
- # SNI/IP because the domain resolves to this server's IP.
- #
- # Quick start:
- # 1. Set YOUR_DOMAIN below (and in mtg-config.toml)
- # 2. docker compose up -d
- # 3. mtg generate-secret YOUR_DOMAIN -> put it in mtg-config.toml
- # 4. docker compose restart mtg
- #
- # See BEST_PRACTICES.md and the project wiki for background.
-
- services:
- haproxy:
- image: haproxy:lts-alpine
- ports:
- - "443:443"
- - "80:80"
- volumes:
- - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro,Z
- depends_on:
- - mtg
- - web
- restart: unless-stopped
- sysctls:
- - net.ipv4.ip_unprivileged_port_start=80
-
- mtg:
- image: nineseconds/mtg:2
- volumes:
- - ./mtg-config.toml:/config/config.toml:ro,Z
- expose:
- - "3128"
- restart: unless-stopped
- extra_hosts:
- - "host.containers.internal:host-gateway"
-
- web:
- image: caddy:alpine
- volumes:
- - ./Caddyfile:/etc/caddy/Caddyfile:ro,Z
- - caddy_data:/data
- - ./www:/srv:ro,Z
- expose:
- - "80"
- - "8443"
- environment:
- DOMAIN: ${DOMAIN:-example.com}
- restart: unless-stopped
-
- volumes:
- caddy_data:
|
