# HAProxy SNI router — Layer 4 (TCP mode)
#
# Inspects the SNI in the TLS ClientHello and routes traffic:
# - SNI matching the mtg secret domain -> mtg (FakeTLS / MTProto)
# - Everything else -> real web backend (Caddy)
#
# Because routing happens before TLS termination, each backend sees the
# raw ClientHello and handles TLS itself. The real web backend therefore
# presents a genuine certificate to any probe or browser.
global
    # Process-wide connection ceiling; per-proxy limits inherit from it.
    maxconn 4096
    # Container-friendly logging: raw lines to stdout, facility local0,
    # everything at info and above.
    log stdout format raw local0 info
defaults
    # Everything is plain TCP unless a section overrides it (the :80
    # frontend and its ACME backend switch to mode http).
    mode tcp
    option tcplog
    log global
    # Idle timeouts on the client and server side. NOTE(review): these
    # also cap silence on the long-lived mtg connections -- confirm 60s
    # is acceptable for the MTProto clients you expect.
    timeout client 60s
    timeout server 60s
    # Upper bound for establishing the TCP connection to a backend.
    timeout connect 5s
# --- HTTP :80 — ACME challenges + redirect -----------------------------------
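frontend http
    bind *:80
    mode http
    # This frontend is HTTP, so log in HTTP format (method, path, status)
    # instead of the tcplog inherited from defaults.
    option httplog
    # Let Caddy answer ACME HTTP-01 challenges for Let's Encrypt.
    acl is_acme path_beg /.well-known/acme-challenge/
    # http-request rules are evaluated before use_backend selection,
    # whatever their position in the section. An unconditional redirect
    # would therefore 301 the challenge to https before Caddy ever saw
    # it, so the challenge path is excluded explicitly.
    http-request redirect scheme https code 301 unless is_acme
    use_backend web_acme if is_acme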
# --- TLS :443 — SNI-based routing -------------------------------------------
frontend tls
    bind *:443
    # Buffer the start of the stream for up to 5s so the TLS ClientHello
    # (handshake type 1) can be parsed before a routing decision is made.
    # NOTE(review): a client that sends nothing TLS-like within the delay
    # is still forwarded to the default backend (HAProxy accepts once the
    # delay expires) -- confirm that is the intended behaviour for
    # non-TLS probes.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Telegram clients present the domain embedded in the mtg secret as
    # their SNI. Replace "example.com" with that domain.
    acl is_mtg req_ssl_sni -i example.com
    use_backend mtg if is_mtg
    # No SNI, any other SNI, or an unparsable hello: hand the raw stream
    # to the real web server, which terminates TLS with a genuine cert.
    default_backend web
backend mtg
    # PROXY protocol v2 header in front of the stream so mtg sees the real
    # client IP rather than HAProxy's. mtg must be started with
    # `proxy-protocol-listener = true`, otherwise the header is treated as
    # garbage and the connection fails.
    # NOTE(review): a PROXY header is trusted unconditionally by the
    # receiver, so mtg:3128 must only be reachable from HAProxy (do not
    # publish it on the host); anyone who can connect directly could
    # spoof the client address.
    default-server send-proxy-v2
    server mtg mtg:3128
backend web
    # PROXY protocol v2 header in front of the stream so Caddy logs the
    # real client IP rather than HAProxy's. Caddy must wrap its :8443
    # listener with proxy_protocol (see Caddyfile).
    # NOTE(review): the PROXY header is trusted by the receiver, so keep
    # web:8443 reachable from HAProxy only (and restrict Caddy's
    # proxy_protocol trusted source to HAProxy if the wrapper supports
    # it); a directly reachable listener would accept spoofed client IPs.
    default-server send-proxy-v2
    server web web:8443
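backend web_acme
    # Plain HTTP to Caddy's :80 listener for ACME HTTP-01 challenges.
    mode http
    # The TLS backends forward the real client IP via PROXY protocol; do
    # the same here with X-Forwarded-For so Caddy's :80 access log does
    # not show HAProxy as the source for every challenge request. Caddy
    # only honours the header for sources listed in its trusted_proxies.
    option forwardfor
    server web web:80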