# Minimal mtg configuration for the SNI-router setup.
#
# 1. Generate a secret: mtg generate-secret --hex example.com
# 2. Paste it below.
# 3. Replace example.com with your actual domain everywhere.

# The secret is the credential clients present to use the proxy, and it
# embeds the fronting hostname. Once the placeholder is replaced, treat
# this file as sensitive: keep the filled-in copy out of version control
# and readable only by the account that runs mtg.
secret = "PASTE_YOUR_SECRET_HERE"

# Listens on every interface on port 3128.
# NOTE(review): combined with `proxy-protocol-listener = true` below,
# this port should be reachable only from HAProxy (for example, not
# published on the host in docker-compose.yml) - confirm against the
# compose file.
bind-to = "0.0.0.0:3128"

# HAProxy in front sends PROXY protocol v2 headers so mtg can see the
# real client IP. Keep this in sync with haproxy.cfg (`send-proxy-v2`).
#
# A PROXY header is taken on trust from whoever connects: any peer that
# can reach the listener directly can claim an arbitrary client address,
# which makes logged addresses and IP-based controls unreliable. This is
# why the listener must not be exposed beyond HAProxy.
proxy-protocol-listener = true

# Domain-fronting target. Without an explicit IP here, mtg resolves the
# secret's hostname via DNS, which points back to this server -> lands
# on HAProxy -> SNI matches the secret -> routed back to mtg -> loop.
#
# The IP below pins Caddy's container address (see docker-compose.yml
# `networks.sni.ipv4_address`) so mtg dials Caddy directly, bypassing
# HAProxy. `proxy-protocol = true` matches Caddy's :8443 listener
# wrapper so the real client IP propagates end-to-end.
#
# NOTE(review): the address is duplicated here and in docker-compose.yml;
# if the two drift apart, mtg dials an address where Caddy is not
# listening. Caddy's :8443 listener should likewise accept PROXY headers
# only from mtg, for the same trust reason as the listener above -
# confirm in the Caddy configuration.
[domain-fronting]
ip = "172.28.0.10"
port = 8443
proxy-protocol = true

# Replay protection: presumably mtg remembers recently seen handshakes
# and rejects repeats, so a recorded handshake cannot be resent to the
# server - confirm against the mtg documentation.
# NOTE(review): `max-size` looks like the memory bound for that cache and
# `error-rate` the accepted false-positive rate (0.001 = roughly one
# legitimate handshake in a thousand wrongly rejected) - confirm against
# the mtg documentation before tuning.
[defense.anti-replay]
enabled = true
max-size = "1mib"
error-rate = 0.001