# Setup

## Install

Start by installing Go and Git. On Debian, run:

```
apt install golang git
```

Then fetch and build the program:

```
go get tildegit.org/nervuri/client-hello-mirror
```

The resulting binary should now be at `~/go/bin/client-hello-mirror`. You can make it available to all users on the system:

```
ln -s ~/go/bin/client-hello-mirror /usr/local/bin/
```

## Run

Generate a TLS certificate:

```
# CA-signed:
certbot certonly --webroot -w /var/www/example.com -d example.com
# or self-signed:
openssl req -new -subj "/CN=example.com" -x509 -days 36500 -nodes -out cert.pem -keyout privkey.pem
```

Run on port 1965:

```
~/go/bin/client-hello-mirror -c cert.pem -k privkey.pem :1965
```

## Daemonize

In order to run the program as a daemon and auto-start it on boot, you need to manage it with your operating system's init system. Here you'll find instructions for systemd.

Sample systemd unit file:

```
[Unit]
Description=TLS Client Hello Mirror
After=network.target

[Service]
Type=simple
Restart=always
# Path assumes the symlink created in the Install step.
ExecStart=/usr/local/bin/client-hello-mirror -u www-data -c /etc/letsencrypt/live/example.org/fullchain.pem -k /etc/letsencrypt/live/example.org/privkey.pem :443
# systemd does not interpret shell redirection (2>) in ExecStart;
# StandardError= sends stderr to the log file (append: needs systemd 240+).
StandardError=append:/var/log/client-hello-mirror-error.log

[Install]
WantedBy=multi-user.target
```

Modify as needed, save to `/etc/systemd/system/client-hello-mirror.service` and run:

```
systemctl enable client-hello-mirror.service
systemctl start client-hello-mirror.service
```

## Drop root

A standard web-facing setup involves using a CA-signed certificate and binding to privileged port 443. For security reasons, the program will drop root privileges immediately after loading the certificate and binding to the specified port. Use the `-u` option to select a user to switch to. If you really want to run as root, set `-u root` (not recommended).

## Redirect http:// to https://

For this you'll need to use another web server, such as nginx.

## Update

```
go get -u tildegit.org/nervuri/client-hello-mirror
```
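
The bind-then-drop order described under "Drop root", as an added example in Go (not the project's own code): the privileged port is bound first, then the process switches to the `-u` user and confirms that root cannot be regained. The helper name `dropTo` is hypothetical, and a Unix-like system is assumed.

```go
package main

import (
	"errors"
	"log"
	"net"
	"os/user"
	"strconv"
	"syscall"
)

// dropTo switches the process to the named user (hypothetical helper, not the
// project's code). Groups and gid change first, while still root; uid goes last.
func dropTo(name string) error {
	u, err := user.Lookup(name)
	if err != nil {
		return err
	}
	uid, errU := strconv.Atoi(u.Uid)
	gid, errG := strconv.Atoi(u.Gid)
	if errU != nil || errG != nil {
		return errors.New("non-numeric uid/gid for " + name)
	}
	if syscall.Geteuid() == uid {
		return nil // already that user (also covers -u root)
	}
	err = syscall.Setgroups([]int{gid})
	if err == nil {
		err = syscall.Setgid(gid)
	}
	if err == nil {
		err = syscall.Setuid(uid)
	}
	if err == nil && syscall.Setuid(0) == nil { // regaining root must now fail
		err = errors.New("root can still be regained")
	}
	return err
}

func main() {
	ln, err := net.Listen("tcp", ":443") // privileged port: bind while still root
	if err != nil {
		log.Fatal(err)
	}
	if err := dropTo("www-data"); err != nil {
		log.Fatal(err)
	}
	log.Printf("listening on %s as uid %d", ln.Addr(), syscall.Geteuid())
}
```

On a running deployment, `ps -o user= -C client-hello-mirror` should print the `-u` user rather than `root`.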