bind/tls: allow configuring min/max TLS version, ciphers, and curves

The string here uses a character set with path.contains, which will
not work in CEL. We need to use path.matches to use regex syntax.

.drone.jsonnet

@@ -138,12 +138,25 @@ local Publish(mirror, registry, repo, secret, go, alpine, os, arch, trigger, pla
 #
 local containerArchitectures = ["linux/amd64", "linux/arm64", "linux/riscv64"];
 
-local alpineVersion = "3.20";
-local goVersion = "1.22";
+local alpineVersion = "3.21";
+local goVersion = "1.24";
 
 local mirror = "https://mirror.gcr.io";
 
 [
-    Build(mirror, goVersion, alpineVersion, "linux", "amd64"),
-    Build(mirror, goVersion, alpineVersion, "linux", "arm64"),
+    Build(mirror, goVersion, alpineVersion, "linux", "amd64") + {"trigger": {event: ["push", "tag"], }},
+    Build(mirror, goVersion, alpineVersion, "linux", "arm64") + {"trigger": {event: ["push", "tag"], }},
+
+    # Test PRs
+    Build(mirror, goVersion, alpineVersion, "linux", "amd64") + {"name": "test-pr", "trigger": {event: ["pull_request"], }},
+
+    # latest
+    Publish(mirror, "git.gammaspectra.live", "git.gammaspectra.live/git/go-away", "git", goVersion, alpineVersion, "linux", "amd64", {event: ["push"], branch: ["master"], }, containerArchitectures, {tags: ["latest"],}) + {name: "publish-latest-git"},
+    Publish(mirror, "codeberg.org", "codeberg.org/gone/go-away", "codeberg", goVersion, alpineVersion, "linux", "amd64", {event: ["push"], branch: ["master"], }, containerArchitectures, {tags: ["latest"],}) + {name: "publish-latest-codeberg"},
+    Publish(mirror, "ghcr.io", "ghcr.io/weebdatahoarder/go-away", "github", goVersion, alpineVersion, "linux", "amd64", {event: ["push"], branch: ["master"], }, containerArchitectures, {tags: ["latest"],}) + {name: "publish-latest-github"},
+
+    # modern
+    Publish(mirror, "git.gammaspectra.live", "git.gammaspectra.live/git/go-away", "git", goVersion, alpineVersion, "linux", "amd64", {event: ["promote", "tag"], target: ["production"], }, containerArchitectures, {auto_tag: true,}),
+    Publish(mirror, "codeberg.org", "codeberg.org/gone/go-away", "codeberg", goVersion, alpineVersion, "linux", "amd64", {event: ["promote", "tag"], target: ["production"], }, containerArchitectures, {auto_tag: true,}),
+    Publish(mirror, "ghcr.io", "ghcr.io/weebdatahoarder/go-away", "github", goVersion, alpineVersion, "linux", "amd64", {event: ["promote", "tag"], target: ["production"], }, containerArchitectures, {auto_tag: true,}),
 ]

.drone.yml

@@ -5,7 +5,7 @@ environment:
   GOOS: linux
   GOTOOLCHAIN: local
 kind: pipeline
-name: build-1.22-alpine3.20-amd64
+name: build-1.24-alpine3.21-amd64
 platform:
   arch: amd64
   os: linux
@@ -16,7 +16,7 @@ steps:
   - mkdir .bin
   - go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away
   - go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime
-  image: golang:1.22-alpine3.20
+  image: golang:1.24-alpine3.21
   mirror: https://mirror.gcr.io
   name: build
 - commands:
@@ -24,7 +24,7 @@ steps:
     --policy examples/forgejo.yml --policy-snippets examples/snippets/
   depends_on:
   - build
-  image: alpine:3.20
+  image: alpine:3.21
   mirror: https://mirror.gcr.io
   name: check-policy-forgejo
 - commands:
@@ -32,7 +32,7 @@ steps:
     --policy examples/generic.yml --policy-snippets examples/snippets/
   depends_on:
   - build
-  image: alpine:3.20
+  image: alpine:3.21
   mirror: https://mirror.gcr.io
   name: check-policy-generic
 - commands:
@@ -40,7 +40,7 @@ steps:
     --policy examples/spa.yml --policy-snippets examples/snippets/
   depends_on:
   - build
-  image: alpine:3.20
+  image: alpine:3.21
   mirror: https://mirror.gcr.io
   name: check-policy-spa
 - commands:
@@ -51,7 +51,7 @@ steps:
     0
   depends_on:
   - build
-  image: alpine:3.20
+  image: alpine:3.21
   mirror: https://mirror.gcr.io
   name: test-wasm-success
 - commands:
@@ -62,9 +62,13 @@ steps:
     1
   depends_on:
   - build
-  image: alpine:3.20
+  image: alpine:3.21
   mirror: https://mirror.gcr.io
   name: test-wasm-fail
+trigger:
+  event:
+  - push
+  - tag
 type: docker
 ---
 environment:
@@ -73,7 +77,7 @@ environment:
   GOOS: linux
   GOTOOLCHAIN: local
 kind: pipeline
-name: build-1.22-alpine3.20-arm64
+name: build-1.24-alpine3.21-arm64
 platform:
   arch: arm64
   os: linux
@@ -84,7 +88,7 @@ steps:
   - mkdir .bin
   - go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away
   - go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime
-  image: golang:1.22-alpine3.20
+  image: golang:1.24-alpine3.21
   mirror: https://mirror.gcr.io
   name: build
 - commands:
@@ -92,7 +96,7 @@ steps:
     --policy examples/forgejo.yml --policy-snippets examples/snippets/
   depends_on:
   - build
-  image: alpine:3.20
+  image: alpine:3.21
   mirror: https://mirror.gcr.io
   name: check-policy-forgejo
 - commands:
@@ -100,7 +104,7 @@ steps:
     --policy examples/generic.yml --policy-snippets examples/snippets/
   depends_on:
   - build
-  image: alpine:3.20
+  image: alpine:3.21
   mirror: https://mirror.gcr.io
   name: check-policy-generic
 - commands:
@@ -108,7 +112,7 @@ steps:
     --policy examples/spa.yml --policy-snippets examples/snippets/
   depends_on:
   - build
-  image: alpine:3.20
+  image: alpine:3.21
   mirror: https://mirror.gcr.io
   name: check-policy-spa
 - commands:
@@ -119,7 +123,7 @@ steps:
     0
   depends_on:
   - build
-  image: alpine:3.20
+  image: alpine:3.21
   mirror: https://mirror.gcr.io
   name: test-wasm-success
 - commands:
@@ -130,12 +134,375 @@ steps:
     1
   depends_on:
   - build
-  image: alpine:3.20
+  image: alpine:3.21
   mirror: https://mirror.gcr.io
   name: test-wasm-fail
+trigger:
+  event:
+  - push
+  - tag
+type: docker
+---
+environment:
+  CGO_ENABLED: "0"
+  GOARCH: amd64
+  GOOS: linux
+  GOTOOLCHAIN: local
+kind: pipeline
+name: test-pr
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - apk update
+  - apk add --no-cache git
+  - mkdir .bin
+  - go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away
+  - go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime
+  image: golang:1.24-alpine3.21
+  mirror: https://mirror.gcr.io
+  name: build
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/forgejo.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: check-policy-forgejo
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/generic.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: check-policy-generic
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/spa.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: check-policy-spa
+- commands:
+  - ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
+    -make-challenge ./embed/challenge/js-pow-sha256/test/make-challenge.json -make-challenge-out
+    ./embed/challenge/js-pow-sha256/test/make-challenge-out.json -verify-challenge
+    ./embed/challenge/js-pow-sha256/test/verify-challenge.json -verify-challenge-out
+    0
+  depends_on:
+  - build
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: test-wasm-success
+- commands:
+  - ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
+    -make-challenge ./embed/challenge/js-pow-sha256/test/make-challenge.json -make-challenge-out
+    ./embed/challenge/js-pow-sha256/test/make-challenge-out.json -verify-challenge
+    ./embed/challenge/js-pow-sha256/test/verify-challenge-fail.json -verify-challenge-out
+    1
+  depends_on:
+  - build
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: test-wasm-fail
+trigger:
+  event:
+  - pull_request
+type: docker
+---
+kind: pipeline
+name: publish-latest-git
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - echo '[registry."docker.io"]' > buildkitd.toml
+  - echo '  mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: setup-buildkitd
+- environment:
+    DOCKER_BUILDKIT: "1"
+    LC_ALL: C
+    PLUGIN_BUILDER_CONFIG: buildkitd.toml
+    PLUGIN_BUILDER_DRIVER: docker-container
+    SOURCE_DATE_EPOCH: 0
+    TZ: UTC
+  image: plugins/buildx
+  name: docker
+  privileged: true
+  settings:
+    auto_tag_suffix: alpine3.21
+    build_args:
+      from: alpine:3.21
+      from_builder: golang:1.24-alpine3.21
+    compress: true
+    mirror: https://mirror.gcr.io
+    password:
+      from_secret: git_password
+    platform:
+    - linux/amd64
+    - linux/arm64
+    - linux/riscv64
+    registry: git.gammaspectra.live
+    repo: git.gammaspectra.live/git/go-away
+    tags:
+    - latest
+    username:
+      from_secret: git_username
+trigger:
+  branch:
+  - master
+  event:
+  - push
+type: docker
+---
+kind: pipeline
+name: publish-latest-codeberg
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - echo '[registry."docker.io"]' > buildkitd.toml
+  - echo '  mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: setup-buildkitd
+- environment:
+    DOCKER_BUILDKIT: "1"
+    LC_ALL: C
+    PLUGIN_BUILDER_CONFIG: buildkitd.toml
+    PLUGIN_BUILDER_DRIVER: docker-container
+    SOURCE_DATE_EPOCH: 0
+    TZ: UTC
+  image: plugins/buildx
+  name: docker
+  privileged: true
+  settings:
+    auto_tag_suffix: alpine3.21
+    build_args:
+      from: alpine:3.21
+      from_builder: golang:1.24-alpine3.21
+    compress: true
+    mirror: https://mirror.gcr.io
+    password:
+      from_secret: codeberg_password
+    platform:
+    - linux/amd64
+    - linux/arm64
+    - linux/riscv64
+    registry: codeberg.org
+    repo: codeberg.org/gone/go-away
+    tags:
+    - latest
+    username:
+      from_secret: codeberg_username
+trigger:
+  branch:
+  - master
+  event:
+  - push
+type: docker
+---
+kind: pipeline
+name: publish-latest-github
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - echo '[registry."docker.io"]' > buildkitd.toml
+  - echo '  mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: setup-buildkitd
+- environment:
+    DOCKER_BUILDKIT: "1"
+    LC_ALL: C
+    PLUGIN_BUILDER_CONFIG: buildkitd.toml
+    PLUGIN_BUILDER_DRIVER: docker-container
+    SOURCE_DATE_EPOCH: 0
+    TZ: UTC
+  image: plugins/buildx
+  name: docker
+  privileged: true
+  settings:
+    auto_tag_suffix: alpine3.21
+    build_args:
+      from: alpine:3.21
+      from_builder: golang:1.24-alpine3.21
+    compress: true
+    mirror: https://mirror.gcr.io
+    password:
+      from_secret: github_password
+    platform:
+    - linux/amd64
+    - linux/arm64
+    - linux/riscv64
+    registry: ghcr.io
+    repo: ghcr.io/weebdatahoarder/go-away
+    tags:
+    - latest
+    username:
+      from_secret: github_username
+trigger:
+  branch:
+  - master
+  event:
+  - push
+type: docker
+---
+kind: pipeline
+name: publish-1.24-alpine3.21-git
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - echo '[registry."docker.io"]' > buildkitd.toml
+  - echo '  mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: setup-buildkitd
+- environment:
+    DOCKER_BUILDKIT: "1"
+    LC_ALL: C
+    PLUGIN_BUILDER_CONFIG: buildkitd.toml
+    PLUGIN_BUILDER_DRIVER: docker-container
+    SOURCE_DATE_EPOCH: 0
+    TZ: UTC
+  image: plugins/buildx
+  name: docker
+  privileged: true
+  settings:
+    auto_tag: true
+    auto_tag_suffix: alpine3.21
+    build_args:
+      from: alpine:3.21
+      from_builder: golang:1.24-alpine3.21
+    compress: true
+    mirror: https://mirror.gcr.io
+    password:
+      from_secret: git_password
+    platform:
+    - linux/amd64
+    - linux/arm64
+    - linux/riscv64
+    registry: git.gammaspectra.live
+    repo: git.gammaspectra.live/git/go-away
+    username:
+      from_secret: git_username
+trigger:
+  event:
+  - promote
+  - tag
+  target:
+  - production
+type: docker
+---
+kind: pipeline
+name: publish-1.24-alpine3.21-codeberg
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - echo '[registry."docker.io"]' > buildkitd.toml
+  - echo '  mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: setup-buildkitd
+- environment:
+    DOCKER_BUILDKIT: "1"
+    LC_ALL: C
+    PLUGIN_BUILDER_CONFIG: buildkitd.toml
+    PLUGIN_BUILDER_DRIVER: docker-container
+    SOURCE_DATE_EPOCH: 0
+    TZ: UTC
+  image: plugins/buildx
+  name: docker
+  privileged: true
+  settings:
+    auto_tag: true
+    auto_tag_suffix: alpine3.21
+    build_args:
+      from: alpine:3.21
+      from_builder: golang:1.24-alpine3.21
+    compress: true
+    mirror: https://mirror.gcr.io
+    password:
+      from_secret: codeberg_password
+    platform:
+    - linux/amd64
+    - linux/arm64
+    - linux/riscv64
+    registry: codeberg.org
+    repo: codeberg.org/gone/go-away
+    username:
+      from_secret: codeberg_username
+trigger:
+  event:
+  - promote
+  - tag
+  target:
+  - production
+type: docker
+---
+kind: pipeline
+name: publish-1.24-alpine3.21-github
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - echo '[registry."docker.io"]' > buildkitd.toml
+  - echo '  mirrors = ["mirror.gcr.io"]' >> buildkitd.toml
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: setup-buildkitd
+- environment:
+    DOCKER_BUILDKIT: "1"
+    LC_ALL: C
+    PLUGIN_BUILDER_CONFIG: buildkitd.toml
+    PLUGIN_BUILDER_DRIVER: docker-container
+    SOURCE_DATE_EPOCH: 0
+    TZ: UTC
+  image: plugins/buildx
+  name: docker
+  privileged: true
+  settings:
+    auto_tag: true
+    auto_tag_suffix: alpine3.21
+    build_args:
+      from: alpine:3.21
+      from_builder: golang:1.24-alpine3.21
+    compress: true
+    mirror: https://mirror.gcr.io
+    password:
+      from_secret: github_password
+    platform:
+    - linux/amd64
+    - linux/arm64
+    - linux/riscv64
+    registry: ghcr.io
+    repo: ghcr.io/weebdatahoarder/go-away
+    username:
+      from_secret: github_username
+trigger:
+  event:
+  - promote
+  - tag
+  target:
+  - production
 type: docker
 ---
 kind: signature
-hmac: 00be8252a86e2c760c07c2baa6efa55d75f46fdc22299bb3feb1b199cc54af9e
+hmac: df53e4ea6f1c47df4d2a3f89b931b8513e83daa9c6c15baba2662d8112a721c8
 
 ...

cmd/go-away/main.go

@@ -210,7 +210,7 @@ func main() {
 			fatal(fmt.Errorf("backend %s: failed to make reverse proxy: %w", k, err))
 		}
 
-		backend.ErrorLog = slog.NewLogLogger(slog.With("backend", k).Handler(), slog.LevelError)
+		backend.ErrorLog = slog.NewLogLogger(slog.With("backend", k).Handler(), slog.LevelDebug)
 		createdBackends[k] = backend
 	}
 
@@ -291,7 +291,7 @@ func main() {
 		fatal(fmt.Errorf("failed to create server: %w", err))
 	}
 
-	server.ErrorLog = slog.NewLogLogger(slog.With("server", "http").Handler(), slog.LevelError)
+	server.ErrorLog = slog.NewLogLogger(slog.With("server", "http").Handler(), slog.LevelDebug)
 
 	go func() {
 		handler, err := loadPolicyState()
@@ -302,6 +302,7 @@ func main() {
 		swap(handler)
 		slog.Warn(
 			"handler configuration loaded",
+			"key_fingerprint", hex.EncodeToString(handler.PrivateKeyFingerprint()),
 		)
 
 		// allow reloading from now on
@@ -336,7 +337,7 @@ func main() {
 			debugServer := http.Server{
 				Addr:     opt.BindDebug,
 				Handler:  mux,
-				ErrorLog: slog.NewLogLogger(slog.With("server", "debug").Handler(), slog.LevelError),
+				ErrorLog: slog.NewLogLogger(slog.With("server", "debug").Handler(), slog.LevelDebug),
 			}
 
 			slog.Warn(
@@ -356,7 +357,7 @@ func main() {
 			metricsServer := http.Server{
 				Addr:     opt.BindMetrics,
 				Handler:  mux,
-				ErrorLog: slog.NewLogLogger(slog.With("server", "metrics").Handler(), slog.LevelError),
+				ErrorLog: slog.NewLogLogger(slog.With("server", "metrics").Handler(), slog.LevelDebug),
 			}
 
 			slog.Warn(

examples/config.yml

@@ -24,7 +24,7 @@ bind:
 #bind-debug: ":6060"
 
 # Bind the Prometheus metrics onto /metrics path on this port
-#bind-metrics ":9090"
+#bind-metrics: ":9090"
 
 # These links will be shown on the presented challenge or error pages
 links:

examples/forgejo.yml

@@ -104,6 +104,15 @@ rules:
       - *is-bot-yandexbot
     action: pass
 
+  # Matches private networks and localhost.
+  # Uncomment this if you want to let your own tools this way
+  #  - name: allow-private-networks
+  #    conditions:
+  #      # Allows localhost and private networks CIDR
+  #      - *is-network-localhost
+  #      - *is-network-private
+  #    action: pass
+
   - name: undesired-networks
     conditions:
       - 'remoteAddress.network("huawei-cloud") || remoteAddress.network("alibaba-cloud") || remoteAddress.network("zenlayer-inc")'
@@ -287,7 +296,7 @@ rules:
         # Map OpenGraph or similar <meta> tags back to the reply, even if denied/challenged
         proxy-meta-tags: "true"
         # proxy-safe-link-tags: "true"
-        
+
       # Set additional response headers
       #response-headers:
       # X-Clacks-Overhead:

examples/generic.yml

@@ -10,7 +10,7 @@ networks:
 
 challenges:
   # Challenges will get included from snippets
-  
+
 conditions:
   # Conditions will get replaced on rules AST when found as ($condition-name)
 
@@ -27,7 +27,7 @@ conditions:
     # Old IE browsers
     - 'userAgent.matches("MSIE ([2-9]|10|11)\\.")'
     # Old Linux browsers
-    - 'userAgent.contains("Linux i[63]86") || userAgent.contains("FreeBSD i[63]86")'
+    - 'userAgent.matches("Linux i[63]86") || userAgent.matches("FreeBSD i[63]86")'
     # Old Windows browsers
     - 'userAgent.matches("Windows (3|95|98|CE)") || userAgent.matches("Windows NT [1-5]\\.")'
     # Old mobile browsers
@@ -60,6 +60,15 @@ rules:
       - *is-bot-yandexbot
     action: pass
 
+  # Matches private networks and localhost.
+  # Uncomment this if you want to let your own tools this way
+  #  - name: allow-private-networks
+  #    conditions:
+  #      # Allows localhost and private networks CIDR
+  #      - *is-network-localhost
+  #      - *is-network-private
+  #    action: pass
+
   - name: undesired-crawlers
     conditions:
       - '($is-headless-chromium)'

examples/snippets/networks-private.yml

@@ -0,0 +1,22 @@
+networks:
+  localhost:
+    # localhost and loopback addresses
+    - prefixes:
+      - "127.0.0.0/8"
+      - "::1/128"
+  private:
+    # Private network CIDR blocks
+    - prefixes:
+        # private networks
+        - "10.0.0.0/8"
+        - "172.16.0.0/12"
+        - "192.168.0.0/16"
+        - "fc00::/7"
+        # CGNAT
+        - "100.64.0.0/10"
+
+conditions:
+  is-network-localhost:
+    - &is-network-localhost 'remoteAddress.network("localhost")'
+  is-network-private:
+    - &is-network-private 'remoteAddress.network("private")'

go.mod

@@ -1,12 +1,14 @@
 module git.gammaspectra.live/git/go-away
 
-go 1.22.12
+go 1.24.0
+
+toolchain go1.24.2
 
 require (
 	codeberg.org/gone/http-cel v1.0.0
 	codeberg.org/meta/gzipped/v2 v2.0.0-20231111234332-aa70c3194756
 	github.com/alphadose/haxmap v1.4.1
-	github.com/go-jose/go-jose/v4 v4.0.5
+	github.com/go-jose/go-jose/v4 v4.1.0
 	github.com/goccy/go-yaml v1.17.1
 	github.com/google/cel-go v0.25.0
 	github.com/itchyny/gojq v0.12.17
@@ -14,8 +16,7 @@ require (
 	github.com/prometheus/client_golang v1.22.0
 	github.com/tetratelabs/wazero v1.9.0
 	github.com/yl2chen/cidranger v1.0.2
-	golang.org/x/crypto v0.33.0
-	golang.org/x/net v0.37.0
+	golang.org/x/crypto v0.37.0
 )
 
 require (
@@ -28,26 +29,13 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.63.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
-	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
-	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 // indirect
+	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250422160041-2d3770c4ea7f // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 )
-
-// Pin latest versions to support Go 1.22 to prevent a package update from changing them
-// TODO: remove this when Go 1.22+ is supported by other downstream users
-replace (
-	github.com/go-jose/go-jose/v4 => github.com/go-jose/go-jose/v4 v4.0.5
-	github.com/prometheus/procfs => github.com/prometheus/procfs v0.15.1
-	golang.org/x/crypto => golang.org/x/crypto v0.33.0
-	golang.org/x/exp => golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
-	golang.org/x/net => golang.org/x/net v0.35.0
-	golang.org/x/sys => golang.org/x/sys v0.30.0
-	golang.org/x/text => golang.org/x/text v0.22.0
-	google.golang.org/genproto/googleapis/api => google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7
-	google.golang.org/genproto/googleapis/rpc => google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7
-)

go.sum

@@ -15,8 +15,8 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
+github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
 github.com/goccy/go-yaml v1.17.1 h1:LI34wktB2xEE3ONG/2Ar54+/HJVBriAGJ55PHls4YuY=
 github.com/goccy/go-yaml v1.17.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/google/cel-go v0.25.0 h1:jsFw9Fhn+3y2kBbltZR4VEz5xKkcIFRPDnuEzAGv5GY=
@@ -45,8 +45,8 @@ github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNw
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k=
 github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -62,20 +62,20 @@ github.com/tetratelabs/wazero v1.9.0 h1:IcZ56OuxrtaEz8UYNRHBrUa9bYeX9oVY93KspZZB
 github.com/tetratelabs/wazero v1.9.0/go.mod h1:TSbcXCfFP0L2FGkRPxHphadXPjo1T6W+CseNNY7EkjM=
 github.com/yl2chen/cidranger v1.0.2 h1:lbOWZVCG1tCRX4u24kuM1Tb4nHqWkDxwLdoS+SevawU=
 github.com/yl2chen/cidranger v1.0.2/go.mod h1:9U1yz7WPYDwf0vpNWFaeRh0bjwz5RVgRy/9UEQfHl0g=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
-golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac h1:l5+whBCLH3iH2ZNHYLbAe58bo7yrN4mVcnkHDYz5vvs=
-golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScyxUhjuVHR3HGaDPMn9rMSUUbxo=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 h1:YcyjlL1PRr2Q17/I0dPk2JmYS5CDXfcdb2Z3YRioEbw=
-google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7/go.mod h1:OCdP9MfskevB/rbYvHTsXTtKC+3bHWajPdoKgjcYkfo=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 h1:2035KHhUv+EpyB+hWgJnaWKJOdX1E95w2S8Rr4uWKTs=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
+golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f h1:tjZsroqekhC63+WMqzmWyW5Twj/ZfR5HAlpd5YQ1Vs0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f/go.mod h1:Cd8IzgPo5Akum2c9R6FsXNaZbH3Jpa2gpHlW89FqlyQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250422160041-2d3770c4ea7f h1:N/PrbTw4kdkqNRzVfWPrBekzLuarFREcbFOiOLkXon4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250422160041-2d3770c4ea7f/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

lib/action/block.go

@@ -28,7 +28,9 @@ func (a Block) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Reques
 	data := challenge.RequestDataFromContext(r.Context())
 
 	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 	w.Header().Set("Connection", "close")
+
 	data.ResponseHeaders(w)
 	w.WriteHeader(a.Code)
 	_, _ = w.Write([]byte(fmt.Errorf("access blocked: blocked by administrative rule %s/%s", data.Id.String(), a.RuleHash).Error()))

lib/action/code.go

@@ -42,7 +42,11 @@ type CodeSettings struct {
 type Code int
 
 func (a Code) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
-	challenge.RequestDataFromContext(r.Context()).ResponseHeaders(w)
+	data := challenge.RequestDataFromContext(r.Context())
+
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+
+	data.ResponseHeaders(w)
 
 	w.WriteHeader(int(a))
 	return false, nil

lib/action/drop.go

@@ -33,6 +33,8 @@ func (a Drop) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request
 	w.Header().Set("Content-Type", "text/plain")
 	w.Header().Set("Content-Length", "0")
 	w.Header().Set("Connection", "close")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+
 	w.WriteHeader(http.StatusForbidden)
 
 	return false, nil

lib/challenge/data.go

@@ -295,8 +295,8 @@ func (d *RequestData) EvaluateChallenges(w http.ResponseWriter, r *http.Request)
 	challengeMap, err := d.verifyChallengeState()
 	if err != nil {
 		if !errors.Is(err, http.ErrNoCookie) {
-			//clear invalid cookie and continue
-			utils.ClearCookie(d.cookieName, w, r)
+			//queue resend invalid cookie and continue
+			d.challengeMapModified = true
 		}
 		challengeMap = make(TokenChallengeMap)
 	}
@@ -329,6 +329,9 @@ func (d *RequestData) ResponseHeaders(w http.ResponseWriter) {
 	//w.Header().Set("Accept-CH", "Sec-CH-UA, Sec-CH-UA-Platform")
 	//w.Header().Set("Critical-CH", "Sec-CH-UA, Sec-CH-UA-Platform")
 
+	// send Vary header to mark that response may vary based on Cookie values and other client headers
+	w.Header().Set("Vary", "Cookie, Accept, Accept-Encoding, Accept-Language, User-Agent")
+
 	if d.State.Settings().MainName != "" {
 		w.Header().Add("Via", fmt.Sprintf("%s %s@%s", d.r.Proto, d.State.Settings().MainName, d.State.Settings().MainVersion))
 	}
@@ -433,13 +436,7 @@ func (d *RequestData) verifyChallengeStateCookie(cookie *http.Cookie) (TokenChal
 }
 
 func (d *RequestData) verifyChallengeState() (state TokenChallengeMap, err error) {
-	var cookies []*http.Cookie
-	for _, cookie := range d.r.Cookies() {
-		if cookie.Name == d.cookieName {
-			cookies = append(cookies, cookie)
-		}
-	}
-
+	cookies := d.r.CookiesNamed(d.cookieName)
 	if len(cookies) == 0 {
 		return nil, http.ErrNoCookie
 	}

lib/challenge/helper.go

@@ -8,7 +8,9 @@ import (
 	"git.gammaspectra.live/git/go-away/utils"
 	"net/http"
 	"net/url"
+	"strconv"
 	"strings"
+	"time"
 )
 
 var ErrInvalidToken = errors.New("invalid token")
@@ -47,6 +49,7 @@ const (
 	QueryArgRequestId = QueryArgPrefix + "_id"
 	QueryArgChallenge = QueryArgPrefix + "_challenge"
 	QueryArgToken     = QueryArgPrefix + "_token"
+	QueryArgBust      = QueryArgPrefix + "_bust"
 )
 
 const MakeChallengeUrlSuffix = "/make-challenge"
@@ -91,12 +94,13 @@ func VerifyUrl(r *http.Request, reg *Registration, token string) (*url.URL, erro
 	uri.Path = reg.Path + VerifyChallengeUrlSuffix
 
 	data := RequestDataFromContext(r.Context())
-	values := uri.Query()
-	values.Set(QueryArgRequestId, data.Id.String())
-	values.Set(QueryArgRedirect, redirectUrl.String())
-	values.Set(QueryArgToken, token)
-	values.Set(QueryArgChallenge, reg.Name)
-	uri.RawQuery = values.Encode()
+	values, _ := utils.ParseRawQuery(r.URL.RawQuery)
+	values.Set(QueryArgRequestId, url.QueryEscape(data.Id.String()))
+	values.Set(QueryArgRedirect, url.QueryEscape(redirectUrl.String()))
+	values.Set(QueryArgToken, url.QueryEscape(token))
+	values.Set(QueryArgChallenge, url.QueryEscape(reg.Name))
+	values.Set(QueryArgBust, url.QueryEscape(strconv.FormatInt(time.Now().UTC().UnixMilli(), 10)))
+	uri.RawQuery = utils.EncodeRawQuery(values)
 
 	return uri, nil
 }
@@ -108,13 +112,13 @@ func RedirectUrl(r *http.Request, reg *Registration) (*url.URL, error) {
 	}
 
 	data := RequestDataFromContext(r.Context())
-	values := uri.Query()
-	values.Set(QueryArgRequestId, data.Id.String())
+	values, _ := utils.ParseRawQuery(r.URL.RawQuery)
+	values.Set(QueryArgRequestId, url.QueryEscape(data.Id.String()))
 	if ref := r.Referer(); ref != "" {
-		values.Set(QueryArgReferer, r.Referer())
+		values.Set(QueryArgReferer, url.QueryEscape(r.Referer()))
 	}
-	values.Set(QueryArgChallenge, reg.Name)
-	uri.RawQuery = values.Encode()
+	values.Set(QueryArgChallenge, url.QueryEscape(reg.Name))
+	uri.RawQuery = utils.EncodeRawQuery(values)
 
 	return uri, nil
 }

lib/challenge/key.go

@@ -52,15 +52,13 @@ func GetChallengeKeyForRequest(state StateInterface, reg *Registration, until ti
 	hasher.Write([]byte{0})
 
 	// specific headers
-	for _, k := range []string{
-		"Accept-Language",
-		// General browser information
-		"User-Agent",
-		// TODO: not sent in preload
-		//"Sec-Ch-Ua",
-		//"Sec-Ch-Ua-Platform",
-	} {
-		hasher.Write([]byte(r.Header.Get(k)))
+	for _, k := range reg.KeyHeaders {
+		hasher.Write([]byte(k))
+		hasher.Write([]byte{0})
+		for _, v := range r.Header.Values(k) {
+			hasher.Write([]byte(v))
+			hasher.Write([]byte{1})
+		}
 		hasher.Write([]byte{0})
 	}
 	hasher.Write([]byte{0})

lib/challenge/preload-link/preload-link.go

@@ -44,6 +44,9 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio
 
 	reg.Class = challenge.ClassTransparent
 
+	// some of regular headers are not sent in default headers
+	reg.KeyHeaders = challenge.MinimalKeyHeaders
+
 	ob := challenge.NewAwaiter[string]()
 
 	reg.Object = ob
@@ -66,9 +69,9 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio
 		}
 
 		// remove redirect args
-		values := uri.Query()
+		values, _ := utils.ParseRawQuery(uri.RawQuery)
 		values.Del(challenge.QueryArgRedirect)
-		uri.RawQuery = values.Encode()
+		uri.RawQuery = utils.EncodeRawQuery(values)
 
 		// Redirect URI must be absolute to work
 		uri.Scheme = utils.GetRequestScheme(r)
@@ -98,6 +101,7 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio
 
 	mux.HandleFunc("GET "+reg.Path+challenge.VerifyChallengeUrlSuffix, func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "text/css; charset=utf-8")
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 		w.Header().Set("Content-Length", "0")
 
 		data := challenge.RequestDataFromContext(r.Context())

lib/challenge/register.go

@@ -35,6 +35,24 @@ var idCounter Id
 // DefaultDuration TODO: adjust
 const DefaultDuration = time.Hour * 24 * 7
 
+var DefaultKeyHeaders = []string{
+	// General browser information
+	"User-Agent",
+	// Accept headers
+	"Accept-Language",
+	"Accept-Encoding",
+
+	// NOTE: not sent in preload
+	"Sec-Ch-Ua",
+	"Sec-Ch-Ua-Platform",
+}
+
+var MinimalKeyHeaders = []string{
+	"Accept-Language",
+	// General browser information
+	"User-Agent",
+}
+
 func (r Register) Create(state StateInterface, name string, pol policy.Challenge, replacer *strings.Replacer) (*Registration, Id, error) {
 	runtime, ok := Runtimes[pol.Runtime]
 	if !ok {
@@ -42,9 +60,10 @@ func (r Register) Create(state StateInterface, name string, pol policy.Challenge
 	}
 
 	reg := &Registration{
-		Name:     name,
-		Path:     path.Join(state.UrlPath(), "challenge", name),
-		Duration: pol.Duration,
+		Name:       name,
+		Path:       path.Join(state.UrlPath(), "challenge", name),
+		Duration:   pol.Duration,
+		KeyHeaders: DefaultKeyHeaders,
 	}
 
 	if reg.Duration == 0 {
@@ -126,6 +145,9 @@ type Registration struct {
 	Verify            VerifyFunc
 	VerifyProbability float64
 
+	// KeyHeaders The client headers used in key generation, in this order
+	KeyHeaders []string
+
 	// IssueChallenge Issues a challenge to a request.
 	// If Class is ClassTransparent and VerifyResult is !VerifyResult.Ok(), continue with other challenges
 	// TODO: have this return error as well

lib/challenge/resource-load/resource-load.go

@@ -23,9 +23,13 @@ func FillRegistrationHeader(state challenge.StateInterface, reg *challenge.Regis
 			return challenge.VerifyResultFail
 		}
 
+		redirectUri, err := challenge.RedirectUrl(r, reg)
+		if err != nil {
+			return challenge.VerifyResultFail
+		}
 		// self redirect!
 		//TODO: adjust deadline
-		w.Header().Set("Refresh", "2; url="+r.URL.String())
+		w.Header().Set("Refresh", "2; url="+redirectUri.String())
 
 		state.ChallengePage(w, r, state.Settings().ChallengeResponseCode, reg, map[string]any{
 			"LinkTags": []map[string]string{
@@ -44,6 +48,7 @@ func FillRegistrationHeader(state challenge.StateInterface, reg *challenge.Regis
 	mux.HandleFunc("GET "+reg.Path+challenge.VerifyChallengeUrlSuffix, challenge.VerifyHandlerFunc(state, reg, nil, func(state challenge.StateInterface, data *challenge.RequestData, w http.ResponseWriter, r *http.Request, verifyResult challenge.VerifyResult, err error, redirect string) {
 		//TODO: add other types inside css that need to be loaded!
 		w.Header().Set("Content-Type", "text/css; charset=utf-8")
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 		w.Header().Set("Content-Length", "0")
 
 		data.ResponseHeaders(w)

lib/challenge/script.go

@@ -23,6 +23,7 @@ func ServeChallengeScript(w http.ResponseWriter, r *http.Request, reg *Registrat
 		//TODO: log
 		panic(err)
 	}
+
 	data.ResponseHeaders(w)
 	w.WriteHeader(http.StatusOK)
 
@@ -30,7 +31,7 @@ func ServeChallengeScript(w http.ResponseWriter, r *http.Request, reg *Registrat
 		"Id":              data.Id.String(),
 		"Path":            reg.Path,
 		"Parameters":      paramData,
-		"Random":          utils.CacheBust(),
+		"Random":          utils.StaticCacheBust(),
 		"Challenge":       reg.Name,
 		"ChallengeScript": script,
 		"Strings":         data.State.Strings(),

lib/challenge/wasm/registration.go

@@ -97,7 +97,7 @@ func FillJavaScriptRegistration(state challenge.StateInterface, reg *challenge.R
 	reg.IssueChallenge = func(w http.ResponseWriter, r *http.Request, key challenge.Key, expiry time.Time) challenge.VerifyResult {
 		state.ChallengePage(w, r, state.Settings().ChallengeResponseCode, reg, map[string]any{
 			"EndTags": []template.HTML{
-				template.HTML(fmt.Sprintf("<script async type=\"module\" src=\"%s?cacheBust=%s\"></script>", reg.Path+"/script.mjs", utils.CacheBust())),
+				template.HTML(fmt.Sprintf("<script async type=\"module\" src=\"%s?cacheBust=%s\"></script>", reg.Path+"/script.mjs", utils.StaticCacheBust())),
 			},
 		})
 		return challenge.VerifyResultNone
@@ -164,6 +164,9 @@ func FillJavaScriptRegistration(state challenge.StateInterface, reg *challenge.R
 				w.Header()[k] = v
 			}
 			w.Header().Set("Content-Length", fmt.Sprintf("%d", len(out.Data)))
+			w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+
+			data.ResponseHeaders(w)
 			w.WriteHeader(out.Code)
 			_, _ = w.Write(out.Data)
 			return nil

lib/http.go

@@ -246,19 +246,20 @@ func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
 		if fromChallenge {
 			r.Header.Del("Referer")
 		}
-		q := r.URL.Query()
 
+		q := r.URL.Query()
 		if ref := q.Get(challenge.QueryArgReferer); ref != "" {
 			r.Header.Set("Referer", ref)
 		}
 
+		rawQ, _ := utils.ParseRawQuery(r.URL.RawQuery)
 		// delete query parameters that were set by go-away
-		for k := range q {
+		for k := range rawQ {
 			if strings.HasPrefix(k, challenge.QueryArgPrefix) {
-				q.Del(k)
+				rawQ.Del(k)
 			}
 		}
-		r.URL.RawQuery = q.Encode()
+		r.URL.RawQuery = utils.EncodeRawQuery(rawQ)
 
 		data.ExtraHeaders.Set("X-Away-Rule", ruleName)
 		data.ExtraHeaders.Set("X-Away-Action", string(ruleAction))

lib/settings/bind.go

@@ -13,10 +13,18 @@ import (
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 	"sync/atomic"
 	"time"
 )
 
+type TLSEntry struct {
+	// Certificate Path to the certificate file
+	Certificate string `yaml:"certificate"`
+	// Key Path to the corresponding key file
+	Key string `yaml:"key"`
+}
+
 type Bind struct {
 	Address    string `yaml:"address"`
 	Network    string `yaml:"network"`
@@ -28,11 +36,35 @@ type Bind struct {
 	// TLSAcmeAutoCert URL to ACME directory, or letsencrypt
 	TLSAcmeAutoCert string `yaml:"tls-acme-autocert"`
 
-	// TLSCertificate Alternate to TLSAcmeAutoCert
+	// TLSEntries Alternate to TLSAcmeAutoCert. Allows multiple entries with matching.
+	// Entries on this list can be live-reloaded if application implements SIGHUP handling
+	TLSEntries []TLSEntry `yaml:"tls-entries"`
+
+	// TLSCertificate Alternate to TLSAcmeAutoCert. Preferred over TLSEntries if specified.
 	TLSCertificate string `yaml:"tls-certificate"`
-	// TLSPrivateKey Alternate to TLSAcmeAutoCert
+	// TLSPrivateKey Alternate to TLSAcmeAutoCert. Preferred over TLSEntries if specified.
 	TLSPrivateKey string `yaml:"tls-key"`
 
+	// General TLS config
+	// TLSMinVersion TLS Minimum supported version.
+	// Default is Golang's default, at writing time it's TLS 1.2. Lowest supported is TLS 1.0
+	TLSMinVersion string `yaml:"tls-min-version"`
+
+	// TLSMaxVersion TLS Maximum supported version.
+	// Default is Golang's default, at writing time it's TLS 1.3, and is automatically increased.
+	// Lowest supported is TLS 1.2
+	TLSMaxVersion string `yaml:"tls-max-version"`
+
+	// TLSCurves List of supported TLS curve ids from Golang internals
+	// See this list https://github.com/golang/go/blob/go1.24.0/src/crypto/tls/common.go#L138-L153 for supported values
+	// Default values are chosen by Golang. It's recommended to leave the default
+	TLSCurves []tls.CurveID `yaml:"tls-curves"`
+
+	// TLSCiphers List of supported TLS ciphers from Golang internals, case sensitive. TLS 1.3 suites are not configurable.
+	// See this list https://github.com/golang/go/blob/go1.24.0/src/crypto/tls/cipher_suites.go#L56-L73 for supported values
+	// Default values are chosen by Golang. It's recommended to leave the default
+	TLSCiphers []string `yaml:"tls-ciphers"`
+
 	// ReadTimeout is the maximum duration for reading the entire
 	// request, including the body. A zero or negative value means
 	// there will be no timeout.
@@ -104,6 +136,105 @@ func (b *Bind) Server(backends map[string]http.Handler, acmeCachePath string) (*
 			"TLS enabled",
 			"certificate", b.TLSCertificate,
 		)
+	} else if len(b.TLSEntries) > 0 {
+		tlsConfig = &tls.Config{}
+		var err error
+
+		var certificatesPtr atomic.Pointer[[]tls.Certificate]
+
+		swapTls := func() error {
+			certs := make([]tls.Certificate, 0, len(b.TLSEntries))
+			for _, entry := range b.TLSEntries {
+				cert, err := tls.LoadX509KeyPair(entry.Certificate, entry.Key)
+				if err != nil {
+					return fmt.Errorf("failed to load TLS certificate %s: %w", entry.Certificate, err)
+				}
+				certs = append(certs, cert)
+			}
+			certificatesPtr.Swap(&certs)
+			return nil
+		}
+
+		tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			certs := certificatesPtr.Load()
+
+			if certs == nil || len(*certs) == 0 {
+				panic("no certificates found")
+			}
+
+			for _, cert := range *certs {
+				if err := clientHello.SupportsCertificate(&cert); err == nil {
+					return &cert, nil
+				}
+			}
+
+			// if none match, return first
+			return &(*certs)[0], nil
+		}
+
+		err = swapTls()
+		if err != nil {
+			return nil, nil, err
+		}
+
+		slog.Warn(
+			"TLS enabled with multiple certificates",
+			"certificates", len(b.TLSEntries),
+		)
+	}
+
+	if tlsConfig != nil {
+		if b.TLSMinVersion != "" {
+			switch strings.NewReplacer("-", "", "_", "", " ", "", ".", "").Replace(strings.ToLower(b.TLSMinVersion)) {
+			case "13", "tls13":
+				tlsConfig.MinVersion = tls.VersionTLS13
+			case "12", "tls12":
+				tlsConfig.MinVersion = tls.VersionTLS12
+			case "11", "tls11":
+				tlsConfig.MinVersion = tls.VersionTLS11
+			case "10", "tls10":
+				tlsConfig.MinVersion = tls.VersionTLS10
+			default:
+				return nil, nil, fmt.Errorf("unsupported minimum TLS version: %s", b.TLSMinVersion)
+			}
+		}
+
+		if b.TLSMaxVersion != "" {
+			switch strings.NewReplacer("-", "", "_", "", " ", "", ".", "").Replace(strings.ToLower(b.TLSMaxVersion)) {
+			case "13", "tls13":
+				tlsConfig.MaxVersion = tls.VersionTLS13
+			case "12", "tls12":
+				tlsConfig.MaxVersion = tls.VersionTLS12
+			default:
+				return nil, nil, fmt.Errorf("unsupported maximum TLS version: %s", b.TLSMinVersion)
+			}
+		}
+
+		if len(b.TLSCiphers) > 0 {
+			for _, cipher := range b.TLSCiphers {
+				if c := func() *tls.CipherSuite {
+					for _, c := range tls.CipherSuites() {
+						if c.Name == cipher {
+							return c
+						}
+					}
+					for _, c := range tls.InsecureCipherSuites() {
+						if c.Name == cipher {
+							return c
+						}
+					}
+					return nil
+				}(); c != nil {
+					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, c.ID)
+				} else {
+					return nil, nil, fmt.Errorf("unsupported TLS cipher suite: %s", cipher)
+				}
+			}
+		}
+
+		if len(b.TLSCurves) > 0 {
+			tlsConfig.CurvePreferences = append(tlsConfig.CurvePreferences, b.TLSCurves...)
+		}
 	}
 
 	var serverHandler atomic.Pointer[http.Handler]

lib/state.go

@@ -114,9 +114,9 @@ func NewState(p policy.Policy, opt settings.Settings, settings policy.StateSetti
 				return nil, fmt.Errorf("error loading template %s: %w", state.opt.ChallengeTemplate, err)
 			}
 			state.opt.ChallengeTemplate = name
+		} else {
+			return nil, fmt.Errorf("no template defined for %s", state.opt.ChallengeTemplate)
 		}
-
-		return nil, fmt.Errorf("no template defined for %s", state.opt.ChallengeTemplate)
 	}
 
 	state.networks = make(map[string]func() cidranger.Ranger)

lib/template.go

@@ -78,7 +78,7 @@ func (state *State) ChallengePage(w http.ResponseWriter, r *http.Request, status
 	data := challenge.RequestDataFromContext(r.Context())
 	input := make(map[string]any)
 	input["Id"] = data.Id.String()
-	input["Random"] = utils.CacheBust()
+	input["Random"] = utils.StaticCacheBust()
 
 	input["Path"] = state.UrlPath()
 	input["Links"] = state.opt.Links
@@ -100,6 +100,7 @@ func (state *State) ChallengePage(w http.ResponseWriter, r *http.Request, status
 	state.addCachedTags(data, r, input)
 
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 
 	buf := bytes.NewBuffer(make([]byte, 0, 8192))
 
@@ -116,12 +117,13 @@ func (state *State) ChallengePage(w http.ResponseWriter, r *http.Request, status
 func (state *State) ErrorPage(w http.ResponseWriter, r *http.Request, status int, err error, redirect string) {
 	data := challenge.RequestDataFromContext(r.Context())
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 
 	buf := bytes.NewBuffer(make([]byte, 0, 8192))
 
 	input := map[string]any{
 		"Id":        data.Id.String(),
-		"Random":    utils.CacheBust(),
+		"Random":    utils.StaticCacheBust(),
 		"Error":     err.Error(),
 		"Path":      state.UrlPath(),
 		"Theme":     "",

utils/fingerprint.go

@@ -1,13 +1,48 @@
 package utils
 
 import (
+	"context"
 	"crypto/md5"
+	"crypto/sha256"
+	"crypto/tls"
 	"encoding/hex"
+	"fmt"
+	"net"
 	"net/http"
+	"slices"
+	"strconv"
 	"strings"
 	"sync/atomic"
 )
 
+func applyTLSFingerprinter(server *http.Server) {
+	if server.TLSConfig == nil {
+		return
+	}
+	server.TLSConfig = server.TLSConfig.Clone()
+
+	getConfigForClient := server.TLSConfig.GetConfigForClient
+
+	if getConfigForClient == nil {
+		getConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
+			return nil, nil
+		}
+	}
+
+	server.TLSConfig.GetConfigForClient = func(clientHello *tls.ClientHelloInfo) (*tls.Config, error) {
+		ja3n, ja4 := buildTLSFingerprint(clientHello)
+		ptr := clientHello.Context().Value(tlsFingerprintKey{})
+		if fpPtr, ok := ptr.(*TLSFingerprint); ok && ptr != nil && fpPtr != nil {
+			fpPtr.ja3n.Store(&ja3n)
+			fpPtr.ja4.Store(&ja4)
+		}
+		return getConfigForClient(clientHello)
+	}
+	server.ConnContext = func(ctx context.Context, c net.Conn) context.Context {
+		return context.WithValue(ctx, tlsFingerprintKey{}, &TLSFingerprint{})
+	}
+}
+
 type tlsFingerprintKey struct{}
 type TLSFingerprint struct {
 	ja3n atomic.Pointer[TLSFingerprintJA3N]
@@ -70,6 +105,227 @@ const (
 	extensionEncryptedClientHello    uint16 = 0xfe0d
 )
 
+func tlsFingerprintJA3(hello *tls.ClientHelloInfo, sortExtensions bool) []byte {
+	buf := make([]byte, 0, 256)
+
+	{
+		var sslVersion uint16
+		var hasGrease bool
+		for _, v := range hello.SupportedVersions {
+			if v&greaseMask != greaseValue {
+				if v > sslVersion {
+					sslVersion = v
+				}
+			} else {
+				hasGrease = true
+			}
+		}
+
+		// maximum TLS 1.2 as specified on JA3, as TLS 1.3 is put in SupportedVersions
+		if slices.Contains(hello.Extensions, extensionSupportedVersions) && hasGrease && sslVersion > tls.VersionTLS12 {
+			sslVersion = tls.VersionTLS12
+		}
+
+		buf = strconv.AppendUint(buf, uint64(sslVersion), 10)
+		buf = append(buf, ',')
+	}
+
+	n := 0
+	for _, cipher := range hello.CipherSuites {
+		//if !slices.Contains(greaseValues[:], cipher) {
+		if cipher&greaseMask != greaseValue {
+			buf = strconv.AppendUint(buf, uint64(cipher), 10)
+			buf = append(buf, '-')
+			n = 1
+		}
+	}
+
+	buf = buf[:len(buf)-n]
+	buf = append(buf, ',')
+	n = 0
+
+	extensions := hello.Extensions
+	if sortExtensions {
+		extensions = slices.Clone(extensions)
+		slices.Sort(extensions)
+	}
+
+	for _, extension := range extensions {
+		if extension&greaseMask != greaseValue {
+			buf = strconv.AppendUint(buf, uint64(extension), 10)
+			buf = append(buf, '-')
+			n = 1
+		}
+	}
+
+	buf = buf[:len(buf)-n]
+	buf = append(buf, ',')
+	n = 0
+
+	for _, curve := range hello.SupportedCurves {
+		if curve&greaseMask != greaseValue {
+			buf = strconv.AppendUint(buf, uint64(curve), 10)
+			buf = append(buf, '-')
+			n = 1
+		}
+	}
+
+	buf = buf[:len(buf)-n]
+	buf = append(buf, ',')
+	n = 0
+
+	for _, point := range hello.SupportedPoints {
+		buf = strconv.AppendUint(buf, uint64(point), 10)
+		buf = append(buf, '-')
+		n = 1
+	}
+
+	buf = buf[:len(buf)-n]
+
+	sum := md5.Sum(buf)
+	return sum[:]
+}
+
+func tlsFingerprintJA4(hello *tls.ClientHelloInfo) (ja4 TLSFingerprintJA4) {
+	buf := make([]byte, 0, 10)
+
+	// TODO: t = TLS, q = QUIC
+	buf = append(buf, 't')
+
+	{
+		var sslVersion uint16
+		for _, v := range hello.SupportedVersions {
+			if v&greaseMask != greaseValue {
+				if v > sslVersion {
+					sslVersion = v
+				}
+			}
+		}
+
+		switch sslVersion {
+		case tls.VersionSSL30:
+			buf = append(buf, 's', '3')
+		case tls.VersionTLS10:
+			buf = append(buf, '1', '0')
+		case tls.VersionTLS11:
+			buf = append(buf, '1', '1')
+		case tls.VersionTLS12:
+			buf = append(buf, '1', '2')
+		case tls.VersionTLS13:
+			buf = append(buf, '1', '3')
+		default:
+			sslVersion -= 0x0201
+			buf = strconv.AppendUint(buf, uint64(sslVersion>>8), 10)
+			buf = strconv.AppendUint(buf, uint64(sslVersion&0xff), 10)
+		}
+
+	}
+
+	if slices.Contains(hello.Extensions, extensionServerName) && hello.ServerName != "" {
+		buf = append(buf, 'd')
+	} else {
+		buf = append(buf, 'i')
+	}
+
+	ciphers := make([]uint16, 0, len(hello.CipherSuites))
+	for _, cipher := range hello.CipherSuites {
+		if cipher&greaseMask != greaseValue {
+			ciphers = append(ciphers, cipher)
+		}
+	}
+
+	extensionCount := 0
+	extensions := make([]uint16, 0, len(hello.Extensions))
+	for _, extension := range hello.Extensions {
+		if extension&greaseMask != greaseValue {
+			extensionCount++
+			if extension != extensionALPN && extension != extensionServerName {
+				extensions = append(extensions, extension)
+			}
+		}
+	}
+
+	schemes := make([]tls.SignatureScheme, 0, len(hello.SignatureSchemes))
+
+	for _, scheme := range hello.SignatureSchemes {
+		if scheme&greaseMask != greaseValue {
+			schemes = append(schemes, scheme)
+		}
+	}
+
+	//TODO: maybe little endian
+	slices.Sort(ciphers)
+	slices.Sort(extensions)
+	//slices.Sort(schemes)
+
+	if len(ciphers) < 10 {
+		buf = append(buf, '0')
+		buf = strconv.AppendUint(buf, uint64(len(ciphers)), 10)
+	} else if len(ciphers) > 99 {
+		buf = append(buf, '9', '9')
+	} else {
+		buf = strconv.AppendUint(buf, uint64(len(ciphers)), 10)
+	}
+
+	if extensionCount < 10 {
+		buf = append(buf, '0')
+		buf = strconv.AppendUint(buf, uint64(extensionCount), 10)
+	} else if extensionCount > 99 {
+		buf = append(buf, '9', '9')
+	} else {
+		buf = strconv.AppendUint(buf, uint64(extensionCount), 10)
+	}
+
+	if len(hello.SupportedProtos) > 0 && len(hello.SupportedProtos[0]) > 1 {
+		buf = append(buf, hello.SupportedProtos[0][0], hello.SupportedProtos[0][len(hello.SupportedProtos[0])-1])
+	} else {
+		buf = append(buf, '0', '0')
+	}
+
+	copy(ja4.A[:], buf)
+
+	ja4.B = ja4SHA256(uint16SliceToHex(ciphers))
+
+	extBuf := uint16SliceToHex(extensions)
+
+	if len(schemes) > 0 {
+		extBuf = append(extBuf, '_')
+		extBuf = append(extBuf, uint16SliceToHex(schemes)...)
+	}
+
+	ja4.C = ja4SHA256(extBuf)
+
+	return ja4
+}
+
+func uint16SliceToHex[T ~uint16](in []T) (out []byte) {
+	if len(in) == 0 {
+		return out
+	}
+	out = slices.Grow(out, hex.EncodedLen(len(in)*2)+len(in))
+
+	for _, n := range in {
+		out = append(out, fmt.Sprintf("%04x", uint16(n))...)
+		out = append(out, ',')
+	}
+	out = out[:len(out)-1]
+
+	return out
+}
+
+func ja4SHA256(buf []byte) [6]byte {
+	if len(buf) == 0 {
+		return [6]byte{0, 0, 0, 0, 0, 0}
+	}
+	sum := sha256.Sum256(buf)
+
+	return [6]byte(sum[:6])
+}
+
+func buildTLSFingerprint(hello *tls.ClientHelloInfo) (ja3n TLSFingerprintJA3N, ja4 TLSFingerprintJA4) {
+	return TLSFingerprintJA3N(tlsFingerprintJA3(hello, true)), tlsFingerprintJA4(hello)
+}
+
 func GetTLSFingerprint(r *http.Request) *TLSFingerprint {
 	ptr := r.Context().Value(tlsFingerprintKey{})
 	if fpPtr, ok := ptr.(*TLSFingerprint); ok && ptr != nil && fpPtr != nil {

utils/fingerprint_modern.go

@@ -1,269 +0,0 @@
-//go:build !go1.22 && !go1.23
-
-package utils
-
-import (
-	"context"
-	"crypto/md5"
-	"crypto/sha256"
-	"crypto/tls"
-	"encoding/hex"
-	"fmt"
-	"net"
-	"net/http"
-	"slices"
-	"strconv"
-)
-
-func applyTLSFingerprinter(server *http.Server) {
-	server.TLSConfig = server.TLSConfig.Clone()
-
-	getCertificate := server.TLSConfig.GetCertificate
-	if getCertificate == nil {
-		server.TLSConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			ja3n, ja4 := buildTLSFingerprint(clientHello)
-			ptr := clientHello.Context().Value(tlsFingerprintKey{})
-			if fpPtr, ok := ptr.(*TLSFingerprint); ok && ptr != nil && fpPtr != nil {
-				fpPtr.ja3n.Store(&ja3n)
-				fpPtr.ja4.Store(&ja4)
-			}
-
-			return nil, nil
-		}
-	} else {
-		server.TLSConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			ja3n, ja4 := buildTLSFingerprint(clientHello)
-			ptr := clientHello.Context().Value(tlsFingerprintKey{})
-			if fpPtr, ok := ptr.(*TLSFingerprint); ok && ptr != nil && fpPtr != nil {
-				fpPtr.ja3n.Store(&ja3n)
-				fpPtr.ja4.Store(&ja4)
-			}
-
-			return getCertificate(clientHello)
-		}
-	}
-	server.ConnContext = func(ctx context.Context, c net.Conn) context.Context {
-		return context.WithValue(ctx, tlsFingerprintKey{}, &TLSFingerprint{})
-	}
-}
-
-func tlsFingerprintJA3(hello *tls.ClientHelloInfo, sortExtensions bool) []byte {
-	buf := make([]byte, 0, 256)
-
-	{
-		var sslVersion uint16
-		var hasGrease bool
-		for _, v := range hello.SupportedVersions {
-			if v&greaseMask != greaseValue {
-				if v > sslVersion {
-					sslVersion = v
-				}
-			} else {
-				hasGrease = true
-			}
-		}
-
-		// maximum TLS 1.2 as specified on JA3, as TLS 1.3 is put in SupportedVersions
-		if slices.Contains(hello.Extensions, extensionSupportedVersions) && hasGrease && sslVersion > tls.VersionTLS12 {
-			sslVersion = tls.VersionTLS12
-		}
-
-		buf = strconv.AppendUint(buf, uint64(sslVersion), 10)
-		buf = append(buf, ',')
-	}
-
-	n := 0
-	for _, cipher := range hello.CipherSuites {
-		//if !slices.Contains(greaseValues[:], cipher) {
-		if cipher&greaseMask != greaseValue {
-			buf = strconv.AppendUint(buf, uint64(cipher), 10)
-			buf = append(buf, '-')
-			n = 1
-		}
-	}
-
-	buf = buf[:len(buf)-n]
-	buf = append(buf, ',')
-	n = 0
-
-	extensions := hello.Extensions
-	if sortExtensions {
-		extensions = slices.Clone(extensions)
-		slices.Sort(extensions)
-	}
-
-	for _, extension := range extensions {
-		if extension&greaseMask != greaseValue {
-			buf = strconv.AppendUint(buf, uint64(extension), 10)
-			buf = append(buf, '-')
-			n = 1
-		}
-	}
-
-	buf = buf[:len(buf)-n]
-	buf = append(buf, ',')
-	n = 0
-
-	for _, curve := range hello.SupportedCurves {
-		if curve&greaseMask != greaseValue {
-			buf = strconv.AppendUint(buf, uint64(curve), 10)
-			buf = append(buf, '-')
-			n = 1
-		}
-	}
-
-	buf = buf[:len(buf)-n]
-	buf = append(buf, ',')
-	n = 0
-
-	for _, point := range hello.SupportedPoints {
-		buf = strconv.AppendUint(buf, uint64(point), 10)
-		buf = append(buf, '-')
-		n = 1
-	}
-
-	buf = buf[:len(buf)-n]
-
-	sum := md5.Sum(buf)
-	return sum[:]
-}
-
-func tlsFingerprintJA4(hello *tls.ClientHelloInfo) (ja4 TLSFingerprintJA4) {
-	buf := make([]byte, 0, 10)
-
-	// TODO: t = TLS, q = QUIC
-	buf = append(buf, 't')
-
-	{
-		var sslVersion uint16
-		for _, v := range hello.SupportedVersions {
-			if v&greaseMask != greaseValue {
-				if v > sslVersion {
-					sslVersion = v
-				}
-			}
-		}
-
-		switch sslVersion {
-		case tls.VersionSSL30:
-			buf = append(buf, 's', '3')
-		case tls.VersionTLS10:
-			buf = append(buf, '1', '0')
-		case tls.VersionTLS11:
-			buf = append(buf, '1', '1')
-		case tls.VersionTLS12:
-			buf = append(buf, '1', '2')
-		case tls.VersionTLS13:
-			buf = append(buf, '1', '3')
-		default:
-			sslVersion -= 0x0201
-			buf = strconv.AppendUint(buf, uint64(sslVersion>>8), 10)
-			buf = strconv.AppendUint(buf, uint64(sslVersion&0xff), 10)
-		}
-
-	}
-
-	if slices.Contains(hello.Extensions, extensionServerName) && hello.ServerName != "" {
-		buf = append(buf, 'd')
-	} else {
-		buf = append(buf, 'i')
-	}
-
-	ciphers := make([]uint16, 0, len(hello.CipherSuites))
-	for _, cipher := range hello.CipherSuites {
-		if cipher&greaseMask != greaseValue {
-			ciphers = append(ciphers, cipher)
-		}
-	}
-
-	extensionCount := 0
-	extensions := make([]uint16, 0, len(hello.Extensions))
-	for _, extension := range hello.Extensions {
-		if extension&greaseMask != greaseValue {
-			extensionCount++
-			if extension != extensionALPN && extension != extensionServerName {
-				extensions = append(extensions, extension)
-			}
-		}
-	}
-
-	schemes := make([]tls.SignatureScheme, 0, len(hello.SignatureSchemes))
-
-	for _, scheme := range hello.SignatureSchemes {
-		if scheme&greaseMask != greaseValue {
-			schemes = append(schemes, scheme)
-		}
-	}
-
-	//TODO: maybe little endian
-	slices.Sort(ciphers)
-	slices.Sort(extensions)
-	//slices.Sort(schemes)
-
-	if len(ciphers) < 10 {
-		buf = append(buf, '0')
-		buf = strconv.AppendUint(buf, uint64(len(ciphers)), 10)
-	} else if len(ciphers) > 99 {
-		buf = append(buf, '9', '9')
-	} else {
-		buf = strconv.AppendUint(buf, uint64(len(ciphers)), 10)
-	}
-
-	if extensionCount < 10 {
-		buf = append(buf, '0')
-		buf = strconv.AppendUint(buf, uint64(extensionCount), 10)
-	} else if extensionCount > 99 {
-		buf = append(buf, '9', '9')
-	} else {
-		buf = strconv.AppendUint(buf, uint64(extensionCount), 10)
-	}
-
-	if len(hello.SupportedProtos) > 0 && len(hello.SupportedProtos[0]) > 1 {
-		buf = append(buf, hello.SupportedProtos[0][0], hello.SupportedProtos[0][len(hello.SupportedProtos[0])-1])
-	} else {
-		buf = append(buf, '0', '0')
-	}
-
-	copy(ja4.A[:], buf)
-
-	ja4.B = ja4SHA256(uint16SliceToHex(ciphers))
-
-	extBuf := uint16SliceToHex(extensions)
-
-	if len(schemes) > 0 {
-		extBuf = append(extBuf, '_')
-		extBuf = append(extBuf, uint16SliceToHex(schemes)...)
-	}
-
-	ja4.C = ja4SHA256(extBuf)
-
-	return ja4
-}
-
-func uint16SliceToHex[T ~uint16](in []T) (out []byte) {
-	if len(in) == 0 {
-		return out
-	}
-	out = slices.Grow(out, hex.EncodedLen(len(in)*2)+len(in))
-
-	for _, n := range in {
-		out = append(out, fmt.Sprintf("%04x", uint16(n))...)
-		out = append(out, ',')
-	}
-	out = out[:len(out)-1]
-
-	return out
-}
-
-func ja4SHA256(buf []byte) [6]byte {
-	if len(buf) == 0 {
-		return [6]byte{0, 0, 0, 0, 0, 0}
-	}
-	sum := sha256.Sum256(buf)
-
-	return [6]byte(sum[:6])
-}
-
-func buildTLSFingerprint(hello *tls.ClientHelloInfo) (ja3n TLSFingerprintJA3N, ja4 TLSFingerprintJA4) {
-	return TLSFingerprintJA3N(tlsFingerprintJA3(hello, true)), tlsFingerprintJA4(hello)
-}

utils/http.go

@@ -7,15 +7,38 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"maps"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/netip"
 	"net/url"
+	"slices"
 	"strings"
 	"time"
 )
 
+func NewServer(handler http.Handler, tlsConfig *tls.Config) *http.Server {
+	if tlsConfig == nil {
+		proto := new(http.Protocols)
+		proto.SetHTTP1(true)
+		proto.SetUnencryptedHTTP2(true)
+		h1s := &http.Server{
+			Handler:   handler,
+			Protocols: proto,
+		}
+
+		return h1s
+	} else {
+		server := &http.Server{
+			TLSConfig: tlsConfig,
+			Handler:   handler,
+		}
+		applyTLSFingerprinter(server)
+		return server
+	}
+}
+
 func SelectHTTPHandler(backends map[string]http.Handler, host string) http.Handler {
 	backend, ok := backends[host]
 	if !ok {
@@ -146,15 +169,51 @@ func GetRemoteAddress(ctx context.Context) *netip.AddrPort {
 	return &ip
 }
 
-func CacheBust() string {
-	return cacheBust
-}
-
-var cacheBust string
-
-func init() {
-
-	buf := make([]byte, 16)
+func RandomCacheBust(n int) string {
+	buf := make([]byte, n)
 	_, _ = rand.Read(buf)
-	cacheBust = base64.RawURLEncoding.EncodeToString(buf)
+	return base64.RawURLEncoding.EncodeToString(buf)
+}
+
+var staticCacheBust = RandomCacheBust(16)
+
+func StaticCacheBust() string {
+	return staticCacheBust
+}
+
+func ParseRawQuery(rawQuery string) (m url.Values, err error) {
+	m = make(url.Values)
+	for rawQuery != "" {
+		var key string
+		key, rawQuery, _ = strings.Cut(rawQuery, "&")
+		if strings.Contains(key, ";") {
+			err = fmt.Errorf("invalid semicolon separator in query")
+			continue
+		}
+		if key == "" {
+			continue
+		}
+		key, value, _ := strings.Cut(key, "=")
+		m[key] = append(m[key], value)
+	}
+	return m, err
+}
+
+func EncodeRawQuery(v url.Values) string {
+	if len(v) == 0 {
+		return ""
+	}
+	var buf strings.Builder
+	for _, k := range slices.Sorted(maps.Keys(v)) {
+		vs := v[k]
+		for _, v := range vs {
+			if buf.Len() > 0 {
+				buf.WriteByte('&')
+			}
+			buf.WriteString(k)
+			buf.WriteByte('=')
+			buf.WriteString(v)
+		}
+	}
+	return buf.String()
 }

utils/http_legacy.go

@@ -1,28 +0,0 @@
-//go:build go1.22 || go1.23
-
-package utils
-
-import (
-	"crypto/tls"
-	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
-	"net/http"
-)
-
-func NewServer(handler http.Handler, tlsConfig *tls.Config) *http.Server {
-	if tlsConfig == nil {
-		h2s := &http2.Server{}
-
-		h1s := &http.Server{
-			Handler: h2c.NewHandler(handler, h2s),
-		}
-
-		return h1s
-	} else {
-		server := &http.Server{
-			TLSConfig: tlsConfig,
-			Handler:   handler,
-		}
-		return server
-	}
-}

utils/http_modern.go

@@ -1,29 +0,0 @@
-//go:build !go1.22 && !go1.23
-
-package utils
-
-import (
-	"crypto/tls"
-	"net/http"
-)
-
-func NewServer(handler http.Handler, tlsConfig *tls.Config) *http.Server {
-	if tlsConfig == nil {
-		proto := new(http.Protocols)
-		proto.SetHTTP1(true)
-		proto.SetUnencryptedHTTP2(true)
-		h1s := &http.Server{
-			Handler:   handler,
-			Protocols: proto,
-		}
-
-		return h1s
-	} else {
-		server := &http.Server{
-			TLSConfig: tlsConfig,
-			Handler:   handler,
-		}
-		applyTLSFingerprinter(server)
-		return server
-	}
-}

utils/tagfetcher.go

@@ -39,7 +39,7 @@ func FetchTags(backend http.Handler, uri *url.URL, kinds ...string) (result []ht
 		return nil
 	}
 
-	descendants(node, func(n *html.Node) {
+	for n := range node.Descendants() {
 		if n.Type == html.ElementNode && slices.Contains(kinds, n.Data) {
 			result = append(result, html.Node{
 				Type:      n.Type,
@@ -49,14 +49,7 @@ func FetchTags(backend http.Handler, uri *url.URL, kinds ...string) (result []ht
 				Attr:      n.Attr,
 			})
 		}
-	})
+	}
 
 	return result
 }
-
-func descendants(n *html.Node, f func(n *html.Node)) {
-	f(n)
-	for c := n.FirstChild; c != nil; c = c.NextSibling {
-		descendants(c, f)
-	}
-}