| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 |
- # SNI-routing deployment: HAProxy (443) -> mtg + real web backend
- #
- # This setup puts an SNI-aware TCP router in front of mtg so that:
- # - Telegram clients (FakeTLS with the correct SNI) are routed to mtg
- # - All other TLS traffic (including DPI probes) reaches the real web
- # server, which responds with a genuine certificate
- #
- # The result: active probes see a real website; passive DPI sees matching
- # SNI/IP because the domain resolves to this server's IP.
- #
- # Quick start:
- # 1. Set DOMAIN in a .env file next to this one (or export it)
- # 2. mtg generate-secret YOUR_DOMAIN -> paste into mtg-config.toml
- # 3. docker compose up -d
- #
- # DOMAIN is forwarded to both Caddy (TLS cert) and HAProxy (SNI ACL),
- # so the SNI/cert/secret all line up from a single source.
- #
- # See BEST_PRACTICES.md and the project wiki for background.
-
- services:
- haproxy:
- image: haproxy:lts-alpine
- ports:
- - "443:443"
- - "80:80"
- volumes:
- - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro,Z
- environment:
- DOMAIN: ${DOMAIN:-example.com}
- depends_on:
- - mtg
- - web
- restart: unless-stopped
- sysctls:
- - net.ipv4.ip_unprivileged_port_start=80
-
- mtg:
- image: nineseconds/mtg:2
- volumes:
- - ./mtg-config.toml:/config/config.toml:ro,Z
- expose:
- - "3128"
- restart: unless-stopped
- extra_hosts:
- - "host.containers.internal:host-gateway"
-
- web:
- image: caddy:alpine
- volumes:
- - ./Caddyfile:/etc/caddy/Caddyfile:ro,Z
- - caddy_data:/data
- - ./www:/srv:ro,Z
- expose:
- - "80"
- - "8443"
- environment:
- DOMAIN: ${DOMAIN:-example.com}
- restart: unless-stopped
-
- volumes:
- caddy_data:
|
