### 1.Генерация ключа
```bash
# Generate the FakeTLS secret for the hostname clients will present as TLS SNI.
# With --hex the printed value is "ee" + 16 secret bytes + the hostname in hex
# (the tail 6e65...2e7275 of the value below decodes to "nextcloud.s.prox07-tg.ru").
# The hostname part must match the SNI rule HAProxy uses in step 3.
# Treat the whole string as a credential: it is the proxy's only access control.
docker run --rm nineseconds/mtg:2 generate-secret --hex nextcloud.s.prox07-tg.ru
Итог: ee5d4504a8802be40de729445e45ec644c6e657874636c6f75642e732e70726f7830372d74672e7275
```
### 2.Поднятие в докере MTProto + faketls
```
# Run mtg directly on the host's :443, with no HAProxy in front.
# NOTE(review): HAProxy in step 3 also binds *:443, so on the same host this
# port mapping collides with it; in that layout the container should publish
# the port HAProxy's backend dials (7443/9443 in the step 3 example) instead.
# -n / -i presumably select the DoH resolver IP and the IP-family preference
# for simple-run — confirm against `mtg simple-run --help`.
# The secret is part of the container's argv, so it is readable by anyone
# who can run `docker inspect`; keep access to the Docker socket restricted.
# Comments cannot be placed between the continuation lines below.
docker run -d \
--name mtproto-proxy \
--restart unless-stopped \
-p 443:443 \
nineseconds/mtg:2 \
simple-run -n 1.1.1.1 -i prefer-ipv4 0.0.0.0:443 ee5d4504a8802be40de729445e45ec644c6e657874636c6f75642e732e70726f7830372d74672e7275
```
Тот же запуск в виде `docker-compose.yml`:
```
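version: '3.8'
services:
  mtproto-proxy:
    image: nineseconds/mtg:2
    container_name: mtproto-proxy
    restart: unless-stopped
    ports:
      - "443:443"
    # Same invocation as the `docker run` form above, given as an argv list
    # (no shell is involved, so no quoting is needed).
    command:
      - simple-run
      # -n / -i presumably select the DoH resolver IP and the IP-family
      # preference — confirm against `mtg simple-run --help`.
      - -n
      - 1.1.1.1
      - -i
      - prefer-ipv4
      - 0.0.0.0:443
      # Must be the complete secret printed by generate-secret in step 1: the
      # hex tail encodes the FakeTLS hostname, and a value that is cut short
      # (the listing previously ended at ...2e72, dropping the final byte of
      # ".ru") no longer matches what clients are configured with.
      - ee5d4504a8802be40de729445e45ec644c6e657874636c6f75642e732e70726f7830372d74672e7275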
```
### 3.Настройка sni + балансировка в roundrobin
файл `/etc/haproxy/haproxy.cfg`:
```haproxy
# TLS pass-through front door on :443. Everything runs in TCP mode, so the
# stream is never decrypted here; routing keys off the SNI carried in the
# (plaintext) ClientHello.
frontend https_front
    bind *:443
    mode tcp
    # Buffer up to 5s waiting for a ClientHello before evaluating the content
    # rules. A connection that never sends one is still routed once the delay
    # expires — then with no SNI, so it lands on default_backend.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route by domain (SNI); -i makes the comparison case-insensitive
    use_backend ide_backend if { req_ssl_sni -i ide.prox07-tg.ru }
    use_backend ide_backend if { req_ssl_sni -i proxmox.lord-mikrotik.ru }
    # FakeTLS hostname baked into the mtg secret generated in step 1
    use_backend mtproto_backend if { req_ssl_sni -i nextcloud.s.prox07-tg.ru }
    # Connections made by bare IP or with an unknown domain go to Nginx (placeholder)
    default_backend ide_backend

# Local Nginx terminates TLS for the web vhosts (step 5). Only loopback is
# dialled, so Nginx needs no public listener on 4443 for this to work.
backend ide_backend
    mode tcp
    server local_nginx 127.0.0.1:4443 # Nginx lives here

# MTProto nodes. `check` without further options is a plain TCP-connect
# health check (no TLS handshake): every 2s, marked up after 2 successes,
# down after 3 failures. Round-robin is applied per TCP connection.
# NOTE(review): these nodes are dialled on 7443/9443, not the 443 that the
# docker run / compose listings publish — confirm which port mtg binds on each node.
backend mtproto_backend
    mode tcp
    balance roundrobin
    # Primary nodes
    server nextcloud 77.232.135.174:7443 check weight 100 inter 2s rise 2 fall 3
    server gitea-matrix 188.225.32.119:9443 check weight 100 inter 2s rise 2 fall 3
    # Backup nodes (only used once every primary is down)
    server dns 45.153.70.57:9443 check backup inter 2s rise 2 fall 3
```
### 4.Получение сертификатов для поддоменов
```bash
# --standalone makes certbot open port 80 itself for the HTTP-01 challenge, so
# it cannot run while the Nginx from step 5 holds :80 — stop Nginx for the run,
# or use the webroot/nginx plugins instead (--webroot -w /var/www/html, or --nginx).
# Replace the placeholder with the real hostname; pass -d once per subdomain.
# The resulting files land in /etc/letsencrypt/live/<hostname>/, which is the
# path the Nginx vhosts in step 5 reference.
certbot certonly --standalone -d ваш_домен.com
```
### 5.Пример настроенного nginx
файл `/etc/nginx/sites-available/default`:
```nginx
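# Default HTTP vhost — looks like the stock Debian file. Serves /var/www/html
# on :80 and is what `certbot --standalone` (step 4) collides with while running.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}

# TLS vhosts behind HAProxy: step 3 sends ide_backend traffic to 127.0.0.1:4443
# and this is where TLS is terminated.
# NOTE(review): a bare `listen 4443 ssl` binds every interface, so :4443 is also
# reachable directly and bypasses HAProxy's SNI routing; `listen 127.0.0.1:4443 ssl`
# keeps it loopback-only, which is all HAProxy needs.
server {
    listen 4443 ssl;
    server_name nextcloud.s.prox07-tg.ru;
    ssl_certificate /etc/letsencrypt/live/nextcloud.s.prox07-tg.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.s.prox07-tg.ru/privkey.pem;
    # Redirect to another server.
    # NOTE(review): HAProxy (step 3) routes this SNI to mtproto_backend, so this
    # block is only reached by connections that hit port 4443 directly.
    return 301 https://nextcloud.lord-mikrotik.ru$request_uri;
}

server {
    listen 4443 ssl http2;
    server_name ide.prox07-tg.ru;
    ssl_certificate /etc/letsencrypt/live/ide.prox07-tg.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ide.prox07-tg.ru/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:8082; # code-server port
        # WebSocket upgrade requires HTTP/1.1 towards the upstream; nginx
        # defaults to 1.0, under which the Upgrade header below is not honoured.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}

server {
    listen 4443 ssl http2;
    server_name proxmox.lord-mikrotik.ru;
    ssl_certificate /etc/letsencrypt/live/proxmox.lord-mikrotik.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/proxmox.lord-mikrotik.ru/privkey.pem;
    location / {
        proxy_pass https://10.135.0.243:8006; # Proxmox port
        # NOTE(review): nginx does not verify the upstream certificate by default
        # (proxy_ssl_verify off), so the hop to Proxmox is encrypted but not
        # authenticated; with the Proxmox CA at hand, add
        # `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path-to-pve-ca.pem>;`.
        # Same HTTP/1.1 requirement as above (the Proxmox console uses WebSockets).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}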
```