1. Генерация ключа
# Prints a faketls secret in hex for the given domain. The output (next line) is
# "ee" + 16 random bytes + the domain itself in hex, so the domain in the secret
# is the SNI that Telegram clients will send; HAProxy's mtproto SNI rule must use
# the same name. The secret is the client credential for the proxy.
docker run --rm nineseconds/mtg:2 generate-secret --hex nextcloud.s.prox07-tg.ru
Итог: ee5d4504a8802be40de729445e45ec644c6e657874636c6f75642e732e70726f7830372d74672e7275
2. Поднятие в докере MTProto + faketls
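# Runs the MTProto proxy (faketls mode is implied by the "ee" secret) as a
# detached container. Line continuations are required; without them each
# line is a separate command and the container never starts.
#   -p 443:443      publish host :443 -> container :443 (the bind below is the
#                   container-side address). HAProxy in step 3 also binds *:443,
#                   so this cannot run on the HAProxy host itself; haproxy.cfg
#                   lists the proxy nodes on 7443/9443, so the host port must
#                   match what HAProxy checks (e.g. `-p 7443:443`).
#   -n 1.1.1.1      presumably the DNS-over-HTTPS resolver IP used by mtg;
#   -i prefer-ipv4  address-family preference — confirm both with
#                   `simple-run --help` for the pinned mtg:2 image.
docker run -d \
  --name mtproto-proxy \
  --restart unless-stopped \
  -p 443:443 \
  nineseconds/mtg:2 \
  simple-run -n 1.1.1.1 -i prefer-ipv4 0.0.0.0:443 ee5d4504a8802be40de729445e45ec644c6e657874636c6f75642e732e70726f7830372d74672e7275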
3. Настройка SNI + балансировка roundrobin
файл /etc/haproxy/haproxy.cfg:
# TLS passthrough front door. HAProxy does not terminate TLS here; it only
# inspects the ClientHello SNI to choose a backend, so certificates and
# ciphers are configured on the backends (nginx / mtg), not in this file.
frontend https_front
    bind *:443
    mode tcp
    # Hold the connection (up to 5s) until the ClientHello arrives so that
    # req_ssl_sni can be evaluated; accept as soon as a ClientHello is seen.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Web hosts -> local nginx, which terminates TLS.
    use_backend ide_backend if { req_ssl_sni -i ide.prox07-tg.ru proxmox.lord-mikrotik.ru }
    # Telegram clients send the domain embedded in the mtg secret (step 1) as
    # SNI; it has to match this name exactly or proxy traffic lands on nginx.
    # If mtg domain-fronts non-Telegram TLS to that same name and the name
    # resolves to this frontend, the connection loops back here — confirm
    # where nextcloud.s.prox07-tg.ru resolves.
    use_backend mtproto_backend if { req_ssl_sni -i nextcloud.s.prox07-tg.ru }
    # Direct-by-IP or unknown SNI: hand over to nginx as a stub.
    default_backend ide_backend

backend ide_backend
    mode tcp
    # nginx on this host. Plain TCP relaying means nginx (and everything behind
    # it) sees 127.0.0.1 as the client; to keep real client addresses in the
    # logs, add `send-proxy` here and `proxy_protocol` on the nginx listen.
    server local_nginx 127.0.0.1:4443

backend mtproto_backend
    mode tcp
    balance roundrobin
    # TCP-connect health check applied to every server below.
    default-server check inter 2s rise 2 fall 3
    # Primary nodes (equal weight)
    server nextcloud 77.232.135.174:7443 weight 100
    server gitea-matrix 188.225.32.119:9443 weight 100
    # Standby node: receives traffic only when all primaries are down
    server dns 45.153.70.57:9443 backup
4. Получение сертификатов для поддоменов
# Issues a certificate using certbot's own temporary web server on :80.
# That port is already taken by the nginx default server from step 5, so
# either stop nginx for the run or validate through nginx instead:
#   certbot certonly --webroot -w /var/www/html -d <domain>
# The resulting files are the /etc/letsencrypt/live/<domain>/ paths that
# the nginx server blocks reference.
certbot certonly --standalone -d ваш_домен.com
5. Пример настроенного nginx
файл /etc/nginx/sites-available/default:
server {
    # Debian stock plain-HTTP default server: answers any Host on :80 with
    # static files from /var/www/html. This port is reached directly by
    # clients, not through HAProxy (which only binds :443).
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name _;
    root /var/www/html;
    # Add index.php here if PHP is ever enabled.
    index index.html index.htm index.nginx-debian.html;

    location / {
        # Serve a file, then a directory, otherwise answer 404.
        try_files $uri $uri/ =404;
    }

    # The commented TLS / PHP-FPM / .htaccess examples from the Debian
    # template are left out: TLS is terminated by the :4443 servers below.
    # No HTTP->HTTPS redirect is configured; if the hosts are meant to be
    # HTTPS-only, a `return 301 https://$host$request_uri;` belongs here
    # (keep /.well-known served if certbot webroot validation is used).
}
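server {
    # Only HAProxy (server local_nginx 127.0.0.1:4443 in haproxy.cfg) should
    # reach this socket, so bind it to loopback instead of every interface;
    # a wildcard :4443 is directly reachable and bypasses the SNI routing.
    listen 127.0.0.1:4443 ssl;
    server_name nextcloud.s.prox07-tg.ru;
    ssl_certificate /etc/letsencrypt/live/nextcloud.s.prox07-tg.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.s.prox07-tg.ru/privkey.pem;
    # Redirect to the Nextcloud host that actually serves the app.
    # NOTE(review): haproxy.cfg routes this SNI to mtproto_backend, not to
    # nginx, so this block is only reached by traffic arriving on :4443 some
    # other way — confirm it is still needed.
    return 301 https://nextcloud.lord-mikrotik.ru$request_uri;
}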
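server {
    # Reached only through HAProxy (127.0.0.1:4443), so bind to loopback;
    # a wildcard :4443 would be reachable directly, bypassing the SNI routing.
    listen 127.0.0.1:4443 ssl http2;
    server_name ide.prox07-tg.ru;
    ssl_certificate /etc/letsencrypt/live/ide.prox07-tg.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ide.prox07-tg.ru/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:8082; # code-server port
        # WebSocket upgrade requires HTTP/1.1 toward the upstream; nginx
        # defaults to HTTP/1.0, under which the Upgrade/Connection headers
        # below are not honoured and the editor session cannot connect.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # NOTE(review): Connection is forced to "upgrade" on every request;
        # the usual form is an http-level
        # `map $http_upgrade $connection_upgrade { default upgrade; '' close; }`
        # plus `proxy_set_header Connection $connection_upgrade;`.
        # Because HAProxy relays raw TCP, the client address seen here is
        # 127.0.0.1; use PROXY protocol (`send-proxy` in HAProxy,
        # `proxy_protocol` on this listen) if real client IPs are needed in logs.
    }
}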
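server {
    # Reached only through HAProxy (127.0.0.1:4443), so bind to loopback;
    # a wildcard :4443 would be reachable directly, bypassing the SNI routing.
    listen 127.0.0.1:4443 ssl http2;
    server_name proxmox.lord-mikrotik.ru;
    ssl_certificate /etc/letsencrypt/live/proxmox.lord-mikrotik.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/proxmox.lord-mikrotik.ru/privkey.pem;
    location / {
        # Proxmox web UI over TLS. nginx does not verify the upstream
        # certificate unless proxy_ssl_verify is enabled, which is presumably
        # why the (typically self-signed) PVE certificate works here.
        proxy_pass https://10.135.0.243:8006; # proxmox port
        # WebSocket upgrade (noVNC/xterm consoles) requires HTTP/1.1 toward
        # the upstream; nginx defaults to HTTP/1.0, under which the
        # Upgrade/Connection headers below are not honoured.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # NOTE(review): long-lived console sessions may need a larger
        # proxy_read_timeout than the nginx default — verify in use.
        # Client address seen by Proxmox is 127.0.0.1 (HAProxy is a TCP relay);
        # use PROXY protocol (`send-proxy` + `proxy_protocol`) if real IPs are
        # needed in the PVE access log.
    }
}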