add http/1.1 for ALPN

check record type; reject non-TLS connections
INSTALL.md: add update command
2022-06-04 00:00:00 +00:00 · 2022-06-04 00:00:00 +00:00 · 2022-06-04 00:00:00 +00:00 · 2022-06-04 00:00:00 +00:00
2 changed files with 12 additions and 1 deletions
--- a/INSTALL.md
+++ b/INSTALL.md
@ -51,7 +51,7 @@ After=network.target
 [Service]
 Type=simple
 Restart=always
-ExecStart=client-hello-mirror -u www-data -c /etc/letsencrypt/live/example.org/cert.pem -k /etc/letsencrypt/live/example.org/privkey.pem :443 2>/var/log/client-hello-mirror-error.log
+ExecStart=client-hello-mirror -u www-data -c /etc/letsencrypt/live/example.org/fullchain.pem -k /etc/letsencrypt/live/example.org/privkey.pem :443 2>/var/log/client-hello-mirror-error.log

 [Install]
 WantedBy=multi-user.target
@ -71,3 +71,9 @@ A standard web-facing setup involves using a CA-signed certificate and binding t
 ## Redirect http:// to https://

 For this you'll need to use another web server, such as nginx.
+
+## Update
+
+```
+go get -u tildegit.org/nervuri/client-hello-mirror
+```
--- a/server.go
+++ b/server.go
@ -138,6 +138,10 @@ func peek(conn net.Conn, tlsConfig *tls.Config) {
 		log.Println(err)
 		return
 	}
+	if buf.Bytes()[0] != 0x16 {
+		// Not a Client Hello message.
+		return
+	}
 	length := binary.BigEndian.Uint16(buf.Bytes()[3:5])
 	_, err = io.CopyN(&buf, conn, int64(length))
 	if err != nil {
@ -291,6 +295,7 @@ func main() {
 	tlsConfig := tls.Config{
 		Certificates: []tls.Certificate{cert},
 		//MaxVersion: tls.VersionTLS12,
+		NextProtos: []string{"http/1.1"},
 	}

 	// Listen for connections
Author	SHA1	Message	Date
nervuri	3e8d967595	add http/1.1 for ALPN	2022-06-04 00:00:00 +00:00
nervuri	e896674f39	check record type; reject non-TLS connections	2022-06-04 00:00:00 +00:00
nervuri	5bba2500af	INSTALL.md: add update command	2022-06-04 00:00:00 +00:00
nervuri	9743f24eab	INSTALL.md: use fullchain.pem instead of cert.pem	2022-06-04 00:00:00 +00:00