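---
# SNI-routing deployment: HAProxy (443) -> mtg + real web backend
#
# This setup puts an SNI-aware TCP router in front of mtg so that:
# - Telegram clients (FakeTLS with the correct SNI) are routed to mtg
# - All other TLS traffic (including DPI probes) reaches the real web
#   server, which responds with a genuine certificate
#
# The result: active probes see a real website; passive DPI sees matching
# SNI/IP because the domain resolves to this server's IP.
#
# Quick start:
# 1. Set DOMAIN (for example in a .env file next to this compose file; it
#    defaults to example.com below) and the same domain in mtg-config.toml
# 2. docker compose up -d
# 3. mtg generate-secret YOUR_DOMAIN -> put it in mtg-config.toml
# 4. docker compose restart mtg
#
# See BEST_PRACTICES.md and the project wiki for background.
#
# Only haproxy publishes host ports; mtg and web use `expose`, so they are
# reachable solely on the compose network and the proxy port itself is
# never published on the host.

services:
  haproxy:
    image: haproxy:lts-alpine
    ports:
      - "443:443"
      - "80:80"
    volumes:
      # Routing rules described in the header live here; mounted read-only
      # so a compromised container cannot rewrite its own routing.
      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
    # Start ordering only: short-form depends_on does not wait for the
    # backends to be ready.
    depends_on:
      - mtg
      - web
    restart: unless-stopped

  mtg:
    image: nineseconds/mtg:2
    volumes:
      # Holds the proxy secret produced in quick-start step 3 — keep this
      # file out of version control.
      - ./mtg-config.toml:/config/config.toml:ro
    expose:
      - "3128"  # compose-network only; presumably the mtg backend in haproxy.cfg — confirm
    restart: unless-stopped

  web:
    image: caddy:alpine
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data  # persistent Caddy state (issued certificates)
      - ./www:/srv:ro
    expose:
      - "80"
      - "8443"  # presumably the TLS backend haproxy.cfg uses for non-Telegram traffic — confirm
    environment:
      # Quoted so the interpolated value is always read as a string,
      # whatever DOMAIN expands to.
      DOMAIN: "${DOMAIN:-example.com}"
    restart: unless-stopped

volumes:
  caddy_data: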