How to run behind reverse proxy #312
Comments
I recently solved a similar problem, but I have been running mtg in Kubernetes with Traefik as the Ingress controller. Here are the key points of the manifest I used to run it:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: proxy-mtg
  namespace: apps
  labels: {app: "proxy-mtg"}
spec:
  replicas: 1
  selector: {matchLabels: {app: "proxy-mtg"}}
  template:
    metadata: {labels: {app: "proxy-mtg"}}
    spec:
      automountServiceAccountToken: false
      containers:
        - name: "proxy-mtg"
          image: "ghcr.io/9seconds/mtg:2.1.7"
          args:
            - simple-run
            - 0.0.0.0:443
            - <SECRET_HERE>
            - --concurrency=512
            - --prefer-ip=prefer-ipv4
            - --domain-fronting-port=443
            - --doh-ip=9.9.9.9
            - --antireplay-cache-size=1MB
          ports:
            - {name: tg-proxy-port, containerPort: 443, protocol: TCP}
---
apiVersion: v1
kind: Service
metadata:
  name: proxy-mtg-service
  namespace: apps
  labels: {app: "proxy-mtg"}
spec:
  type: ClusterIP
  selector: {app: "proxy-mtg"}
  ports:
    - name: proxy-mtg-tcp-port
      protocol: TCP
      port: 443
      targetPort: 443
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: proxy-mtg-http-tcp-ingress
  namespace: apps
spec:
  entryPoints: [websecure]
  routes:
    # IMPORTANT: You need to regenerate the secret whenever the domain name is changed!
    - match: HostSNI(`mtg.example.com`)
      services: [{name: "proxy-mtg-service", namespace: apps, port: 443}]
  tls: {passthrough: true} # <-- IMPORTANT
```

I would be happy if this helps save someone time 🐱
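The "regenerate the secret whenever the domain name is changed" note above follows from how a FakeTLS (`ee`) secret is laid out: the marker byte 0xEE, 16 key bytes, and the fronting hostname, encoded either as hex or as URL-safe base64 without padding. The Python script below is an added example, not code from this thread or from mtg itself: it builds such a secret, decodes one in either encoding, and checks that the hostname embedded in the secret is the same one the `HostSNI(...)` rule routes on, which is the mismatch the note warns about. The fixed key bytes and `mtg.example.com` are constructed sample values; a real deployment uses a random key (mtg's own `generate-secret` command produces one).

```python
import base64
import secrets
from typing import Optional, Tuple

# FakeTLS secrets start with this marker byte, followed by a 16-byte key
# and the hostname used for domain fronting (the value the HostSNI rule matches).
FAKE_TLS_MARKER = 0xEE
KEY_LEN = 16


def make_secret(host: str, key: Optional[bytes] = None) -> str:
    """Return a FakeTLS secret in hex form for the given fronting hostname.

    A fresh random key is generated unless one is supplied; a fixed key is
    only useful for tests (constructed sample, not a real deployment secret).
    """
    if key is None:
        key = secrets.token_bytes(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be exactly {KEY_LEN} bytes")
    return (bytes([FAKE_TLS_MARKER]) + key + host.encode("ascii")).hex()


def hex_to_base64(secret_hex: str) -> str:
    """Re-encode a hex secret as URL-safe base64 without padding, the other form mtg accepts."""
    raw = bytes.fromhex(secret_hex)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_secret(secret: str) -> Tuple[bytes, str]:
    """Decode a hex or URL-safe-base64 FakeTLS secret into (key, hostname)."""
    try:
        raw = bytes.fromhex(secret)
    except ValueError:
        # Not hex: treat it as base64 and restore the padding that the short form drops.
        padded = secret + "=" * (-len(secret) % 4)
        raw = base64.urlsafe_b64decode(padded)
    if len(raw) <= 1 + KEY_LEN or raw[0] != FAKE_TLS_MARKER:
        raise ValueError("not a FakeTLS secret: expected 0xEE marker, 16-byte key and a hostname")
    return raw[1 : 1 + KEY_LEN], raw[1 + KEY_LEN :].decode("ascii")


def secret_matches_domain(secret: str, domain: str) -> bool:
    """True when the hostname embedded in the secret equals the domain Traefik routes on."""
    return parse_secret(secret)[1].lower() == domain.lower()


if __name__ == "__main__":
    # Constructed sample key (0x00..0x0f); never use a predictable key for real.
    sample = make_secret("mtg.example.com", key=bytes(range(KEY_LEN)))
    print("hex    :", sample)
    print("base64 :", hex_to_base64(sample))
    print("parsed :", parse_secret(sample))
    print("matches mtg.example.com:", secret_matches_domain(sample, "mtg.example.com"))
    print("matches other.example  :", secret_matches_domain(sample, "other.example"))
```

Running `secret_matches_domain` against the hostname in your `HostSNI` rule is a cheap pre-deployment check: if it returns `False`, clients will send an SNI the proxy does not expect, which is exactly the situation the note describes.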
Sorry, I also encountered Traefik and am trying to find solutions for selfsteal... @tarampampam My guess is that with this configuration you are using faketls from someone else's domain, but not from the same machine/cluster - is that correct?

```yaml
services:
  mtg-proxy:
    image: nineseconds/mtg:2
    container_name: mtg-proxy
    volumes:
      - ./config.toml:/config.toml
    networks:
      - traefik_default
    restart: unless-stopped
    depends_on:
      - uptime-kuma
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"
      # TCP router: use the HostSNI rule to pick the route from the SNI of the request
      - "traefik.tcp.routers.mtg-proxy.rule=HostSNI(`kuma-fake.domain`)"
      - "traefik.tcp.routers.mtg-proxy.entrypoints=websecure"
      - "traefik.tcp.routers.mtg-proxy.tls.passthrough=true"
      - "traefik.tcp.services.mtg-proxy.loadbalancer.server.port=3128"
  uptime-kuma:
    container_name: uptime-kuma
    image: louislam/uptime-kuma:latest
    volumes:
      - ./kuma-data:/app/data
    networks:
      - traefik_default
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"
      - "traefik.http.routers.uptime-kuma.rule=Host(`kuma-real.domain`)"
      - "traefik.http.routers.uptime-kuma.entrypoints=websecure"
      - "traefik.http.routers.uptime-kuma.tls=true"
      - "traefik.http.routers.uptime-kuma.tls.certresolver=myresolver"
      - "traefik.http.routers.uptime-kuma-http.rule=Host(`kuma-real.domain`)"
      - "traefik.http.routers.uptime-kuma-http.entrypoints=web"
      - "traefik.http.routers.uptime-kuma-http.middlewares=https-redirect"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.services.uptime-kuma.loadbalancer.server.port=3001"

networks:
  traefik_default:
    external: true
```
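Both configurations in this thread rely on the same mechanism: Traefik's TCP router reads the cleartext SNI from the first TLS ClientHello arriving on port 443 and, with `tls.passthrough=true`, forwards the connection to mtg byte-for-byte instead of terminating TLS itself (mtg has to see that ClientHello, because the FakeTLS handshake is where it authenticates the client). The Python script below is an added example, not code from this thread, from Traefik or from mtg: it builds a minimal ClientHello carrying a chosen SNI, extracts the SNI the way a passthrough router must, and applies a simplified `HostSNI`-style lookup using the two hostnames from the compose file above (the real Host router for `kuma-real.domain` also starts from the same SNI before Traefik terminates TLS). `ROUTES`, `build_client_hello`, `extract_sni` and `route_by_sni` are names introduced here, and the ClientHello bytes are constructed, not captured.

```python
import struct
from typing import Dict, Optional

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type

# Constructed routing table modelled on the compose file: SNI -> backend.
ROUTES: Dict[str, str] = {
    "kuma-fake.domain": "mtg-proxy:3128",    # TCP router, TLS passthrough
    "kuma-real.domain": "uptime-kuma:3001",  # HTTP router, TLS terminated by Traefik
}


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record (constructed sample input, not a real capture)."""
    body = b"\x03\x03" + bytes(32)               # client_version + 32-byte random (zeroed)
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite (TLS_AES_128_GCM_SHA256)
    body += b"\x01\x00"                           # one compression method: null
    extensions = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host_name from the first TLS record, or None if it is absent or not a ClientHello."""
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5 : 5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                          # handshake header, version, random
        sid_len = hs[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos : pos + 2])[0]
        pos += 2 + cs_len
        cm_len = hs[pos]
        pos += 1 + cm_len
        if pos + 2 > len(hs):
            return None                           # ClientHello without an extensions block
        ext_len = struct.unpack("!H", hs[pos : pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", hs[pos : pos + 4])
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                list_len = struct.unpack("!H", hs[pos : pos + 2])[0]
                p = pos + 2
                while p + 3 <= pos + 2 + list_len:
                    name_type = hs[p]
                    name_len = struct.unpack("!H", hs[p + 1 : p + 3])[0]
                    if name_type == 0:
                        return hs[p + 3 : p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
            pos += length
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                               # truncated or malformed input: no route


def route_by_sni(client_hello: bytes, routes: Dict[str, str]) -> Optional[str]:
    """Simplified HostSNI lookup: exact, case-insensitive match on the extracted SNI."""
    sni = extract_sni(client_hello)
    return routes.get(sni.lower()) if sni else None


if __name__ == "__main__":
    for host in ("kuma-fake.domain", "kuma-real.domain", "unknown.example", None):
        hello = build_client_hello(host)
        print(f"SNI={host!r:22} -> {route_by_sni(hello, ROUTES)}")
    print("plain HTTP on 443   ->", route_by_sni(b"GET / HTTP/1.1\r\n", ROUTES))
```

The last two lines of the usage show the failure modes a defender should expect: a ClientHello without SNI, or a non-TLS connection on port 443, yields no route, so Traefik cannot hand it to mtg and the client sees a closed connection rather than the proxy.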
Hi
The repository mentioned in #162 no longer exists, and that answer is for v1.
Can you provide a guide on how to share port 443 of the host with other services like Nginx or Traefik?
I have a Traefik reverse proxy on my host that uses port 443; other services like nginx, open-connect, ... are behind it. I know nothing about Fake TLS. Please help me to run mtg v2 behind a reverse proxy.
Thank you.