A caddy plugin that gets JA3 TLS fingerprints from requests.

rushiiMachine/caddy-ja3

caddy-ja3

A Caddy plugin that exposes the JA3 fingerprint of each request as a request header.

Building with xcaddy

xcaddy build \
  --with github.com/rushiiMachine/caddy-ja3

Sample Caddyfile

Note that this configuration enforces HTTPS (TLS).
You can add the http_redirect listener wrapper to automatically redirect HTTP to HTTPS, as shown below.

TLS ClientHellos do not exist on HTTP/3 connections, so no ja3 header will be present on such requests. Unless another method is used to fingerprint HTTP/3 (QUIC) connections, it is recommended to disable HTTP/3.

This module also disables TLS session resumption globally so that a full ClientHello is always retrieved. Internally, this is done through caddytls's session_tickets/disabled config option.

{
    # If using a different responder like reverse_proxy, change this accordingly
    order ja3 before respond
    ja3 {
        # (Optional) Sort TLS extensions to counteract randomizing on modern browsers
        # More info: https://github.com/salesforce/ja3/issues/88
        sort_extensions
    }
    servers {
        # Disable HTTP/3
        protocols h1 h2

        listener_wrappers {
            http_redirect
            ja3
            tls
        }
    }
}

localhost {
    ja3
    # Configure your TLS however you want
    tls internal
    # JA3 fingerprint is added to the request as the "JA3" header
    respond "Your JA3: {header.ja3}"
}
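
Why sort_extensions matters, as an added example (not the plugin's own code): the standard JA3 string is built from ClientHello fields with GREASE values dropped, then MD5-hashed, so a client that shuffles its extension order yields a different hash on each connection unless the extensions are sorted first. The Hello type, the helper names and the sample values are hypothetical, and the ascending numeric sort is an assumption about how sort_extensions orders the list.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Hello holds the ClientHello fields JA3 uses (hypothetical type for this example).
type Hello struct {
	Version                                   uint16
	Ciphers, Extensions, Curves, PointFormats []uint16
}

// isGREASE reports RFC 8701 placeholder values (0x0a0a, 0x1a1a, ... 0xfafa), which JA3 ignores.
func isGREASE(v uint16) bool { return v&0x0f0f == 0x0a0a && v>>8 == v&0xff }

// join renders one JA3 field: GREASE removed, optionally sorted, decimal values joined by "-".
func join(vals []uint16, sorted bool) string {
	kept := []int{}
	for _, v := range vals {
		if !isGREASE(v) {
			kept = append(kept, int(v))
		}
	}
	if sorted {
		sort.Ints(kept) // assumption: ascending numeric order
	}
	parts := make([]string, len(kept))
	for i, v := range kept {
		parts[i] = strconv.Itoa(v)
	}
	return strings.Join(parts, "-")
}

// JA3 returns the JA3 string and its MD5 hex digest; sortExt sorts only the extension list.
func JA3(h Hello, sortExt bool) (string, string) {
	s := fmt.Sprintf("%d,%s,%s,%s,%s", h.Version, join(h.Ciphers, false),
		join(h.Extensions, sortExt), join(h.Curves, false), join(h.PointFormats, false))
	sum := md5.Sum([]byte(s))
	return s, hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample: a ClientHello with one GREASE cipher and one GREASE extension.
	h := Hello{771, []uint16{0x1a1a, 4865, 4866}, []uint16{0x0a0a, 0, 23, 65281, 10, 11}, []uint16{29, 23}, []uint16{0}}
	fmt.Println(JA3(h, false))
	fmt.Println(JA3(h, true))
}
```

A sorted fingerprint will not match entries in blocklists or allowlists built from unsorted JA3 hashes, so keep the two kinds of value in separate lookups.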
