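# HAProxy SNI router — Layer 4 (TCP mode)
#
# Inspects the SNI in the TLS ClientHello and routes traffic:
# - SNI matching the mtg secret domain -> mtg (FakeTLS / MTProto)
# - Everything else -> real web backend (Caddy)
#
# Because routing happens before TLS termination, each backend sees the
# raw ClientHello and handles TLS itself. The real web backend therefore
# presents a genuine certificate to any probe or browser.
#
# HAProxy never holds a private key here: no "ssl" keyword appears on any
# bind line, so the SNI is read from the unencrypted ClientHello only.

global
    # Raw log lines to stdout so the container runtime collects them.
    log stdout format raw local0 info
    maxconn 4096

defaults
    log global
    # TCP mode is the default; the :80 frontend and its backend override it.
    mode tcp
    option tcplog
    timeout connect 5s
    timeout client 60s
    timeout server 60s

# --- HTTP :80 — ACME challenges + redirect -----------------------------------

frontend http
    bind *:80
    mode http
    # Log in HTTP format (method, path, status) instead of the tcplog format
    # inherited from defaults, so ACME attempts and redirects are inspectable.
    option httplog

    # Let Caddy answer ACME HTTP-01 challenges for Let's Encrypt.
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend web_acme if is_acme

    # Anything that is not an ACME challenge is sent to HTTPS.
    http-request redirect scheme https code 301

# --- TLS :443 — SNI-based routing -------------------------------------------

frontend tls
    bind *:443
    # Wait up to 5s for enough bytes to parse a complete ClientHello.
    tcp-request inspect-delay 5s
    # Accept as soon as a ClientHello (hello type 1) is present. While the
    # hello is still incomplete this rule waits, so the reject below only
    # runs once the delay expires or the data is known not to be a ClientHello.
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Close connections that never sent a TLS ClientHello (plaintext probes,
    # garbage) instead of forwarding them to a backend after the delay.
    tcp-request content reject

    # Route Telegram clients to mtg.
    # Replace "example.com" with the domain from your mtg secret.
    # -i makes the SNI comparison case-insensitive.
    use_backend mtg if { req_ssl_sni -i example.com }

    # No SNI match (including clients that send no SNI at all) -> Caddy.
    default_backend web

backend mtg
    # send-proxy-v2 prepends a PROXY protocol v2 header so mtg sees the
    # real client IP instead of HAProxy's. mtg must have
    # `proxy-protocol-listener = true` in its config.
    server mtg mtg:3128 send-proxy-v2

backend web
    # send-proxy-v2 prepends a PROXY protocol v2 header so Caddy logs the
    # real client IP instead of HAProxy's. Caddy must enable the
    # proxy_protocol listener wrapper on :8443 (see Caddyfile).
    server web web:8443 send-proxy-v2

backend web_acme
    # Plain HTTP to Caddy's :80 listener for HTTP-01 challenge responses.
    mode http
    server web web:80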