@luminoso
Last active January 10, 2021 10:18
[mtg.service] #mtg #systemd #proxy #service
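[Unit]
Description=mtproxy
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# NOTE(review): the last argument is the proxy secret (an "ee" fake-TLS secret;
# its hex suffix decodes to the cloak domain mtprx.now.im). On the command line
# it is readable by every local user via /proc/<pid>/cmdline, and it was
# published together with this gist, so anyone holding it can relay through the
# proxy. If the mtg build in use can read the secret from the environment, move
# it to an EnvironmentFile= (mode 0600) and rotate it — verify against mtg's
# own documentation for the installed version.
# NOTE(review): -b 0.0.0.0:443 listens on IPv4 only; --prefer-ip presumably
# only affects the upstream side. Bind to [::]:443 if IPv6 clients are
# expected — confirm with `mtg run --help`.
ExecStart=/opt/mtg run -v -w 128KB -r 128KB --prefer-ip ipv6 --cloak-port 993 -b 0.0.0.0:443 ee5c557d37ddde51c21d4577a29b88bbcc6d747072782e6e6f772e696d
# Binding port 443 as the dynamic (unprivileged) user needs exactly this one
# capability.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# "never" is not a valid Restart= value: systemd logs a parse warning and falls
# back to "no", which also made RestartSec= below a no-op. on-failure restarts
# the proxy after a crash or non-zero exit but not after a clean stop.
Restart=on-failure
RestartSec=1
LimitNOFILE=65536

# --- hardening ---
# Runs as a transient UID/GID allocated per start; no state survives on disk.
DynamicUser=yes
# DynamicUser= documents ProtectSystem=strict as implied; state it explicitly
# rather than the weaker "full". The proxy has no writable paths — add
# ReadWritePaths= if a future version ever needs one.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=yes
PrivateDevices=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
NoNewPrivileges=yes
RestrictSUIDSGID=true
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
# mtg is a Go binary and does not need writable+executable mappings.
MemoryDenyWriteExecute=yes
# Kept disabled: CAP_NET_BIND_SERVICE held inside a private user namespace
# presumably does not allow binding a privileged port in the host network
# namespace, which would break -b 0.0.0.0:443 — confirm before enabling.
#PrivateUsers=yes
# Allow-list the bounding set instead of subtracting from it. The previous
# "CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)" is not systemd syntax (there
# is no brace/paren expansion; the token fails to parse as a capability name
# and is ignored), so the intended drop of CAP_SETUID/CAP_SETGID/CAP_SETPCAP
# never took effect. With DynamicUser= nothing beyond binding 443 is needed.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# The proxy never creates namespaces of any kind; block them all rather than
# only user namespaces.
RestrictNamespaces=yes
# TODO(review): candidates for a further lockdown, to be verified against the
# running binary with `systemd-analyze security mtg.service` and a test run
# (Go's net package may need AF_NETLINK for interface enumeration):
#SystemCallFilter=@system-service
#SystemCallFilter=~@privileged @resources
#RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK

[Install]
WantedBy=multi-user.target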
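server {
    listen 80;
    listen [::]:80;
    server_name mtprx.now.im;
    error_log /var/log/nginx/mtprx_80_err.log warn;

    # NOTE(review): the docroot name (mtproxy.now.im) does not match
    # server_name (mtprx.now.im). Harmless if the directory exists, but easy
    # to confuse with the 993 vhost that uses the same root.
    root /var/www/mtproxy.now.im;
    index index.html;
    gzip on;

    # Plain static site; the cloak target for mtg lives on the TLS vhost.
    location / {
        try_files $uri $uri/ =404;
    }

    # Grafana was reverse-proxied here over plaintext HTTP, which carries the
    # Grafana login form, credentials and session cookie in the clear to any
    # on-path observer. Send clients to the TLS vhost instead; HTTPS is served
    # on 993 because mtg owns 443 on this host.
    location /grafana/ {
        return 301 https://$host:993$request_uri;
    }
}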
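server {
    # Real TLS for mtprx.now.im on 993: mtg (--cloak-port 993) hands
    # non-Telegram TLS handshakes for this name over here, so this vhost is
    # what a browser or scanner sees behind the fake-TLS proxy.
    listen [::]:993 ssl ipv6only=on; # managed by Certbot
    listen 993 ssl; # managed by Certbot
    server_name mtprx.now.im;
    error_log /var/log/nginx/mtprx_993_err.log warn;
    root /var/www/mtproxy.now.im;
    index index.html;
    # NOTE(review): gzip on a TLS vhost that also fronts an authenticated app
    # (Grafana below) is BREACH-relevant in principle. If that matters here,
    # scope compression to the static site (e.g. move `gzip on` into
    # `location /`).
    gzip on;

    location / {
        try_files $uri $uri/ =404;
    }

    # Same proxy headers as the port-80 vhost so Grafana sees the real client
    # and requested host; X-Forwarded-Proto tells it the client leg was TLS.
    # Grafana served under a sub-path also needs root_url /
    # serve_from_sub_path configured on the Grafana side — not visible here,
    # verify.
    location /grafana/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:3000/;
    }

    ssl_certificate /etc/letsencrypt/live/mtprx.now.im/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mtprx.now.im/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}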