caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

Is it possible to add a JA3 field in CaddyServer? #4504

Closed yumusb closed 2 years ago

yumusb commented 2 years ago

Is it possible to add a JA3 field in CaddyServer?

More information at https://github.com/salesforce/ja3

Thanks.

francislavoie commented 2 years ago

I'm not sure I understand. I tried to read the README of that repo, but it's not clear what you're asking for.

Please elaborate, we'll need an explanation of what you expect to see, how you think it should work, etc.

But I can say it's not likely that we'll spend development time on this and that it might be better done as a plugin for Caddy, unless we're convinced otherwise.

yumusb commented 2 years ago

JA3 can better identify the type of visitor (machine access or real person), so we can use this to manage access rights.

mholt commented 2 years ago

Sounds interesting, but that's not enough information to implement anything. We can read the page you linked and nod and say "yeah that's cool" but if you want something done about it, we'll need to know precisely what you're looking for. "field in Caddyserver" (the name is "Caddy", btw) doesn't make any sense.

mysticaltech commented 2 years ago

Folks, this is extremely important for bot identification. Cloudflare offers it only with its premium "Bot Management for Enterprise" plan. See https://developers.cloudflare.com/bots/concepts/ja3-fingerprint/

Now, for Go, it would be easy to implement because it is already done; see https://github.com/dreadl0ck/ja3/blob/master/ja3s.go, and also https://github.com/sleeyax/ja3rp.

mysticaltech commented 2 years ago

And this does a great job at it for nginx https://github.com/phuslu/nginx-ssl-fingerprint.

@mholt Supporting this would give caddy an unfair advantage!

francislavoie commented 2 years ago

Do you have a specific proposal of how it would work with Caddy? How would it be configured? What would it do to the incoming requests?

I think it's probably best to implement this as a plugin first, and if there's widespread demand for it, we could bring it in as a standard module. But I'm pretty skeptical that there's enough demand for this right now. Seems very niche.

We have no plans to work on this right now, especially without a specific proposal of how it would work.

mysticaltech commented 2 years ago

For instance, I need the value returned with the requests as a header, and this seemed like the kind of special treat that only caddy gives. But yeah, if you were to consider this again in the future as a plugin, that would be great.

francislavoie commented 2 years ago

It's very unlikely we'll spend effort building a plugin for this. But anyone can write one: https://caddyserver.com/docs/extending-caddy

yumusb commented 2 years ago

OK, I will try to write one. Thanks.

mysticaltech commented 2 years ago

@yumusb Look at the links I posted above. It's probably straightforward enough.

deancn commented 2 years ago

@mysticaltech Thanks for liking our nginx-ssl-fingerprint repo.

You can pay attention to the Golang TLS lib issue. Once the issue is processed, I think everything will be easy. :) https://github.com/golang/go/issues/32936

mysticaltech commented 2 years ago

Good to know, thanks @deancn and keep up the good work! 🙏

rushiiMachine commented 1 year ago

I made a caddy plugin for this! When go's ClientHelloInfo adds raw it should simplify it a lot though :) https://github.com/rushiiMachine/caddy-ja3

mholt commented 1 year ago

@rushiiMachine Very cool!!

> When go's ClientHelloInfo adds raw it should simplify it a lot though

Oh yeah, I think I tracked that issue.

Feel free to share this on our forum as well :) https://caddy.community -- and you can register it on our website so it can appear on our Download page.

yumusb commented 1 year ago

> I made a caddy plugin for this! When go's ClientHelloInfo adds raw it should simplify it a lot though :) https://github.com/rushiiMachine/caddy-ja3

cool

mysticaltech commented 1 year ago

@rushiiMachine Super good to hear, well done, thank you! Was thinking of using the nginx plugin just 2 days ago, what a coincidence 🙏
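
Added example, not part of the thread and not code from Caddy, caddy-ja3 or any project linked above: a Go sketch of how the JA3 value discussed here is derived from ClientHello fields, i.e. the fingerprint a server would log or forward as a header. The `ClientHello` type is hypothetical and assumes the fields were already parsed from the raw handshake, which is the part the thread ties to Go's `ClientHelloInfo` exposing the raw hello.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// ClientHello holds the fields JA3 reads, each list in the order the client
// sent it. Hypothetical type for this example, not Caddy's or crypto/tls's.
type ClientHello struct {
	Version                                        uint16
	CipherSuites, Extensions, Curves, PointFormats []uint16
}

// isGREASE matches the RFC 8701 placeholders (0x0a0a, 0x1a1a, ... 0xfafa).
// JA3 drops them because clients pick them at random per connection.
func isGREASE(v uint16) bool { return v&0x0f0f == 0x0a0a && v>>8 == v&0xff }

// join renders a list as dash-separated decimals, skipping GREASE values.
func join(vals []uint16) string {
	out := []string{}
	for _, v := range vals {
		if !isGREASE(v) {
			out = append(out, strconv.Itoa(int(v)))
		}
	}
	return strings.Join(out, "-")
}

// JA3 returns the string "Version,Ciphers,Extensions,Curves,PointFormats"
// and its MD5 hex digest, which is the fingerprint itself.
func JA3(h ClientHello) (str, hash string) {
	str = strings.Join([]string{strconv.Itoa(int(h.Version)), join(h.CipherSuites),
		join(h.Extensions), join(h.Curves), join(h.PointFormats)}, ",")
	sum := md5.Sum([]byte(str))
	return str, hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample; 0x1a1a, 0x0a0a and 0x2a2a are GREASE placeholders.
	s, h := JA3(ClientHello{771, []uint16{0x1a1a, 4865, 4866, 49195},
		[]uint16{0x0a0a, 0, 23, 65281, 10, 11}, []uint16{0x2a2a, 29, 23}, []uint16{0}})
	fmt.Println(s, h)
}
```

The fingerprint is order-sensitive: two clients offering the same ciphers and extensions in a different order produce different hashes, which is why the fields must be taken from the hello exactly as sent.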