2.0 KiB
Setup
Install
You'll need Go version 1.19 or later.
Fetch and build the program:
go install tildegit.org/nervuri/client-hello-mirror@latest
The same command can be used to update it.
The resulting binary should now be at ~/go/bin/client-hello-mirror
. Put it somewhere in $PATH, if you wish:
ln -s ~/go/bin/client-hello-mirror /usr/local/bin/
Run
Generate TLS certificate:
# CA-signed:
certbot certonly --webroot -w /var/www/example.com -d example.com
# or self-signed:
openssl req -new -subj "/CN=example.com" -x509 -days 36500 -nodes -out cert.pem -keyout privkey.pem
Run on port 1965:
~/go/bin/client-hello-mirror -c cert.pem -k privkey.pem :1965
Daemonize
In order to run the program as a daemon and auto-start it on boot, you need to manage it with your operating system's init system. Here you'll find instructions for systemd.
Sample systemd unit file:
[Unit]
Description=TLS Client Hello Mirror
After=network.target
[Service]
Type=simple
Restart=always
ExecStart=client-hello-mirror -u www-data -c /etc/letsencrypt/live/example.org/fullchain.pem -k /etc/letsencrypt/live/example.org/privkey.pem :443 2>/var/log/client-hello-mirror-error.log
[Install]
WantedBy=multi-user.target
Modify as needed, save to /etc/systemd/system/client-hello-mirror.service
and run:
systemctl enable client-hello-mirror.service
systemctl start client-hello-mirror.service
Remember, if you are using a program such as certbot
to automatically renew the TLS certificate, then you'll also want to restart client-hello-mirror
afterward, for it to use the new certificate.
Drop root privileges
A standard web-facing setup involves using a CA-signed certificate and binding to privileged port 443. For security reasons, the program will drop root privileges immediately after loading the certificate and binding to the specified port. Use the -u
option to select a user to switch to.
Redirect http:// to https://
For this you'll need to use another web server, such as nginx.