What's Changed
Features
- Added hot-reloadable TLS fingerprint configuration via -fingerprint-config.
  - Supports loading client and version from a JSON file.
  - New HTTPS CONNECT connections use the latest loaded fingerprint.
  - Existing tunnels continue using the fingerprint they were opened with.
- Fixed CONNECT response handling for clients such as ffprobe.
- Aligned ALPN behavior between client-side and upstream TLS connections.
- Avoided mutating Go's default HTTP transport.
- Passed HTTP transport traffic through the configured upstream dialer.
Improvements
- Added SOCKS5 upstream proxy handling improvements.
- Moved CLI source into cmd/ja3proxy.
- Changed default generated CA paths to:
  - credentials/cert.pem
  - credentials/key.pem
- Updated Docker runtime paths and Docker context ignores.
- Updated Makefile output paths so release binaries are written under bin/.
- Expanded README with usage, Docker, certificate, fingerprint, and development docs.
Testing
- Added end-to-end proxy tests.
- Added JA3 fingerprint verification coverage.
- Added unit tests for proxy handlers, MITM CONNECT flow, upstream dialer construction, custom TLS wrapping, certificate handling, debug writer behavior, and edge cases.
Dependencies and CI
- Updated github.com/refraction-networking/utls from v1.6.7 to v1.8.2.
- Updated github.com/cloudflare/cfssl from v1.6.4 to v1.6.5.
- Updated golang.org/x/net from v0.23.0 to v0.38.0.
- Updated GitHub Actions dependencies:
  - actions/checkout to v6
  - actions/setup-go to v6
  - docker-build-push action to v7
- Added Dependabot configuration for Go modules and GitHub Actions.
Upgrade Notes
The default certificate files are now stored under credentials/ instead of the repository root. If you previously relied on cert.pem and key.pem in the
current directory, either move them to credentials/cert.pem and credentials/key.pem, or pass explicit paths with -cert and -key.