README
¶
caddy-clienthello
A caddy plugin to forward TLS ClientHello packets on requests as a header.
Building locally
CGO_ENABLED=1 xcaddy build \
--with github.com/mholt/caddy-ratelimit \
--with github.com/prosopo/chaddy=/path/to/chaddy/repo \
to build caddy, which will output a bin file in your cwd. Then
./caddy run --config ./path/to/the/Caddyfile
Building with xcaddy
xcaddy build \
--with github.com/prosopo/chaddy
Sample Caddyfile
Note that this enforces HTTPS (TLS).
You can add a http_redirect to automatically redirect http -> https like shown below.
TLS ClientHellos do not exist on HTTP/3 connections.
No X-TLS-ClientHello header will be present on such requests.
I recommended to disable HTTP/3.
{
order ja3 before reverse_proxy
client_hello {
# Configure the maximum allowed ClientHello packet size in bytes (1-16384)
max_client_hello_size 16384
}
servers {
# Disable HTTP/3
protocols h1 h2
listener_wrappers {
http_redirect
client_hello
tls
}
}
}
localhost {
client_hello
# ClientHello will be available as the `X-TLS-ClientHello` header
reverse_proxy http://other.service
}
Details
The X-TLS-ClientHello header will be present on all requests that use an underlying TLS connection.
It contains the raw ClientHello bytes as a base64 encoded string.
If the ClientHello exceeds the configured max_client_hello_size in bytes, then the X-TLS-ClientHello
header will instead be set to the value EXCEEDS_MAXIMUM_SIZE. The maximum allowed size value should be
carefully selected as I have observed sizes ranging anywhere from 200 to 2500 bytes and possibly more.
In the case of an internal error and a missing X-TLS-ClientHello header, this is not representative of
a suspicious client and should not be factored in to a bot score.
This module also disables TLS session resumption globally to always retrieve a full ClientHello.
This is done through the usage of
caddytls's session_tickets/disabled
config option automatically.
Documentation
¶
Index ¶
- Constants
- type Cache
- func (Cache) CaddyModule() caddy.ModuleInfo
- func (c *Cache) ClearClientHello(addr string)
- func (c *Cache) GetClientHello(addr string) *string
- func (c *Cache) Provision(ctx caddy.Context) error
- func (c *Cache) SetClientHello(addr string, encoded string)
- func (c *Cache) Start() error
- func (c *Cache) Stop() error
- type CacheEntry
- type ClientHelloConnWrapper
- type ClientHelloHandler
- func (ClientHelloHandler) CaddyModule() caddy.ModuleInfo
- func (h *ClientHelloHandler) Provision(ctx caddy.Context) error
- func (h *ClientHelloHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next caddyhttp.Handler) error
- func (h *ClientHelloHandler) UnmarshalCaddyfile(_ *caddyfile.Dispenser) error
- type ClientHelloListenerWrapper
- func (ClientHelloListenerWrapper) CaddyModule() caddy.ModuleInfo
- func (l *ClientHelloListenerWrapper) Provision(ctx caddy.Context) error
- func (l *ClientHelloListenerWrapper) UnmarshalCaddyfile(_ *caddyfile.Dispenser) error
- func (l *ClientHelloListenerWrapper) WrapListener(ln net.Listener) net.Listener
- type Config
Constants ¶
const (
CacheAppId = "client_hello.cache"
)
const (
ConfigAppId = "client_hello.config"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Cache ¶
type Cache struct {
// contains filtered or unexported fields
}
func (Cache) CaddyModule ¶
func (Cache) CaddyModule() caddy.ModuleInfo
CaddyModule implements caddy.Module
func (*Cache) ClearClientHello ¶
func (*Cache) GetClientHello ¶
func (*Cache) SetClientHello ¶
type CacheEntry ¶
type CacheEntry struct {
Value string
}
type ClientHelloConnWrapper ¶
type ClientHelloConnWrapper struct {
net.Conn // embed the net.Conn interface (crucial for setReadTimeout to be applied by caddy to avoid blocking reads!)
// contains filtered or unexported fields
}
ClientHelloConnWrapper is a custom wrapper for net.Conn that intercepts the Read operation and allows us to collect the client hello bytes
func NewClientHelloConnWrapper ¶
func NewClientHelloConnWrapper(conn net.Conn, cache *Cache, log *zap.Logger) *ClientHelloConnWrapper
NewClientHelloConnWrapper creates a new wrapper
func (*ClientHelloConnWrapper) Close ¶
func (r *ClientHelloConnWrapper) Close() error
Close closes the connection
type ClientHelloHandler ¶
type ClientHelloHandler struct {
// contains filtered or unexported fields
}
func (ClientHelloHandler) CaddyModule ¶
func (ClientHelloHandler) CaddyModule() caddy.ModuleInfo
CaddyModule implements caddy.Module
func (*ClientHelloHandler) Provision ¶
func (h *ClientHelloHandler) Provision(ctx caddy.Context) error
Provision implements caddy.Provisioner
func (*ClientHelloHandler) ServeHTTP ¶
func (h *ClientHelloHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next caddyhttp.Handler) error
ServeHTTP implements caddyhttp.MiddlewareHandler
func (*ClientHelloHandler) UnmarshalCaddyfile ¶
func (h *ClientHelloHandler) UnmarshalCaddyfile(_ *caddyfile.Dispenser) error
UnmarshalCaddyfile implements caddyfile.Unmarshaler
type ClientHelloListenerWrapper ¶
type ClientHelloListenerWrapper struct {
// contains filtered or unexported fields
}
func (ClientHelloListenerWrapper) CaddyModule ¶
func (ClientHelloListenerWrapper) CaddyModule() caddy.ModuleInfo
CaddyModule implements caddy.Module
func (*ClientHelloListenerWrapper) Provision ¶
func (l *ClientHelloListenerWrapper) Provision(ctx caddy.Context) error
func (*ClientHelloListenerWrapper) UnmarshalCaddyfile ¶
func (l *ClientHelloListenerWrapper) UnmarshalCaddyfile(_ *caddyfile.Dispenser) error
UnmarshalCaddyfile implements caddyfile.Unmarshaler
func (*ClientHelloListenerWrapper) WrapListener ¶
func (l *ClientHelloListenerWrapper) WrapListener(ln net.Listener) net.Listener
WrapListener implements caddy.ListenerWrapper
type Config ¶
type Config struct {
MaxClientHelloSize uint16 `json:"max_client_hello_size"`
}
func (Config) CaddyModule ¶
func (Config) CaddyModule() caddy.ModuleInfo
CaddyModule implements caddy.Module
Source Files