
# Setup

## Install

You'll need Go version 1.19 or later.

Fetch and build the program:

```sh
go install tildegit.org/nervuri/client-hello-mirror@latest
```

The same command can be used to update it. Subscribe to this RSS feed to be notified of new releases.

The resulting binary should now be at `~/go/bin/client-hello-mirror`. Put it somewhere in `$PATH`, if you wish:

```sh
ln -s ~/go/bin/client-hello-mirror /usr/local/bin/
```

## Run

Generate a TLS certificate:

```sh
# CA-signed:
certbot certonly --webroot -w /var/www/example.com -d example.com
# or self-signed:
openssl req -new -subj "/CN=example.com" -addext "subjectAltName = DNS:example.com" -x509 -days 36500 -nodes -out cert.pem -keyout privkey.pem
```

Run on port 1965:

```sh
~/go/bin/client-hello-mirror -c cert.pem -k privkey.pem :1965
```

## Daemonize

In order to run the program as a daemon and auto-start it on boot, you need to manage it with your operating system's init system. Here you'll find instructions for systemd.

Sample systemd unit file:

```ini
[Unit]
Description=TLS Client Hello Mirror
After=network.target

[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/client-hello-mirror -u www-data -c /etc/letsencrypt/live/example.com/fullchain.pem -k /etc/letsencrypt/live/example.com/privkey.pem :443
# ExecStart= is not run through a shell, so a "2>>file" redirection would be
# passed to the program as an argument. Use StandardError= (systemd 240+)
# to append stderr to a log file instead.
StandardError=append:/var/log/client-hello-mirror-error.log

[Install]
WantedBy=multi-user.target
```

Modify as needed, save to `/etc/systemd/system/client-hello-mirror.service` and run:

```sh
systemctl enable client-hello-mirror.service
systemctl start client-hello-mirror.service
```

Remember, if you are using a program such as certbot to automatically renew the TLS certificate, then you'll also want to restart client-hello-mirror afterward, for it to use the new certificate. You can do this with a renewal hook (see certbot's `--deploy-hook` option), for example:

```sh
#!/bin/sh
# Place this in /etc/letsencrypt/renewal-hooks/deploy/restart-services.sh
# and make it executable. certbot sets RENEWED_DOMAINS to a space-separated
# list of the domains whose certificate was just renewed.
for domain in $RENEWED_DOMAINS; do
	if [ "$domain" = example.com ]; then
		systemctl restart client-hello-mirror.service
	fi
done
```

## Drop root privileges

A standard web-facing setup involves using a CA-signed certificate and binding to privileged port 443. For security reasons, the program will drop root privileges immediately after loading the certificate and binding to the specified port. Use the `-u` option to select a user to switch to.
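A quick way to confirm that the privilege drop actually happened once the unit above is running. This is an added check script, not part of client-hello-mirror; it assumes a Linux host (it reads `/proc/<pid>/status` and uses `ss` from iproute2), the unit name `client-hello-mirror.service`, and that `www-data` is the user passed to `-u`.

```sh
#!/bin/sh
# check-mirror.sh: verify that the daemon's main process no longer runs as
# root and that something is listening on TCP port 443.
# Constructed example; adjust SERVICE and EXPECTED_USER to your setup.

SERVICE=client-hello-mirror.service
EXPECTED_USER=www-data   # must match the -u option in ExecStart

# Print the effective UID of process $1 by reading /proc/<pid>/status.
# The "Uid:" line lists real, effective, saved and filesystem UIDs in order.
effective_uid_of() {
  awk '/^Uid:/ { print $3; exit }' "/proc/$1/status" 2>/dev/null
}

# Succeed only if process $1 runs with the effective UID of user $2.
runs_as_user() {
  uid=$(effective_uid_of "$1") || return 1
  [ -n "$uid" ] && [ "$uid" = "$(id -u "$2" 2>/dev/null)" ]
}

# Succeed only if some process is listening on TCP port $1.
port_listening() {
  ss -ltnH "sport = :$1" 2>/dev/null | grep -q .
}

main() {
  pid=$(systemctl show -p MainPID --value "$SERVICE")
  if [ -z "$pid" ] || [ "$pid" = 0 ]; then
    echo "FAIL: $SERVICE is not running" >&2
    return 1
  fi
  if runs_as_user "$pid" "$EXPECTED_USER"; then
    echo "ok: PID $pid runs as $EXPECTED_USER (UID $(effective_uid_of "$pid"))"
  else
    echo "FAIL: PID $pid runs as UID $(effective_uid_of "$pid"), expected $EXPECTED_USER" >&2
    return 1
  fi
  if port_listening 443; then
    echo "ok: port 443 is listening"
  else
    echo "FAIL: nothing is listening on port 443" >&2
    return 1
  fi
}

# Run the checks only when executed as check-mirror.sh, so the functions
# can also be sourced from another script.
case "${0##*/}" in
  check-mirror.sh) main ;;
esac
```

If the first check reports UID 0, the `-u` option was not honoured (for example because the user does not exist); the service log named in `StandardError=` will say why.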

## Redirect http:// to https://

For this you'll need to use another web server, such as nginx.
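As an added example (not part of client-hello-mirror or nginx), the following script writes an nginx server block that listens on port 80, keeps serving certbot's webroot for the `--webroot -w /var/www/example.com` command used above, and redirects every other request to `https://`, where client-hello-mirror is bound to 443. It assumes nginx loads `/etc/nginx/conf.d/*.conf` (Debian-style installs use `sites-enabled` instead) and that the webroot directory is `/var/www/<domain>`.

```sh
#!/bin/sh
# install-redirect.sh: render and install an HTTP -> HTTPS redirect for nginx.
# Constructed example; the config path and webroot are assumptions.

# Print an nginx server block for $1 to stdout.
render_redirect_conf() {
  domain=$1
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain;

    # Let certbot's webroot authenticator answer HTTP-01 challenges here
    # (matches the -w /var/www/$domain path used when issuing the certificate).
    location /.well-known/acme-challenge/ {
        root /var/www/$domain;
    }

    # Everything else goes to the TLS listener run by client-hello-mirror.
    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# Write the block to conf.d, validate the whole nginx config, then reload.
install_redirect_conf() {
  domain=$1
  target=/etc/nginx/conf.d/$domain-redirect.conf
  render_redirect_conf "$domain" > "$target"
  nginx -t && systemctl reload nginx
}

# Only install when executed as install-redirect.sh; default domain example.com.
case "${0##*/}" in
  install-redirect.sh) install_redirect_conf "${1:-example.com}" ;;
esac
```

Keeping the ACME challenge path on port 80 is what lets certbot renew the certificate without ever needing port 443, which client-hello-mirror holds.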