2.0 KiB
Setup
Install
Start by installing Go, Git, GCC and glibc (the program is written in Go, but a tiny bit of C code is used to drop privileges when running as root). On Debian, run:
apt install golang git gcc libc6-dev
Then fetch and build the program:
go get tildegit.org/nervuri/client-hello-mirror
The resulting binary should now be at ~/go/bin/client-hello-mirror
. You can make it available to all users on the system:
ln -s ~/go/bin/client-hello-mirror /usr/local/bin/
Run
Generate TLS certificate:
# CA-signed:
certbot certonly --webroot -w /var/www/example.com -d example.com
# or self-signed:
openssl req -new -subj "/CN=example.com" -x509 -days 36500 -nodes -out cert.pem -keyout privkey.pem
Run on port 1965:
~/go/bin/client-hello-mirror -c cert.pem -k privkey.pem :1965
Daemonize
In order to run the program as a daemon and auto-start it on boot, you need to manage it with your operating system's init system. Here you'll find instructions for systemd.
Sample systemd unit file:
[Unit]
Description=TLS Client Hello Mirror
After=network.target
[Service]
Type=simple
Restart=always
ExecStart=client-hello-mirror -u www-data -c /etc/letsencrypt/live/example.org/fullchain.pem -k /etc/letsencrypt/live/example.org/privkey.pem :443 2>/var/log/client-hello-mirror-error.log
[Install]
WantedBy=multi-user.target
Modify as needed, save to /etc/systemd/system/client-hello-mirror.service
and run:
systemctl enable client-hello-mirror.service
systemctl start client-hello-mirror.service
Drop root
A standard web-facing setup involves using a CA-signed certificate and binding to privileged port 443. For security reasons, the program will drop root privileges imediately after loading the certificate and binding to the specified port. Use the -u
option to select a user to switch to; the default is www-data
.
Redirect http:// to https://
For this you'll need to use another web server, such as nginx.