fix: modcaddy and clienthello

- Use IETF-compliant alt-svc: clear to invalidate QUIC for TLS fingerprints.
- Renamed serveHTTP to serveHTTP12 to reflect the usage of the function.
- Revised Caddyfile sample.
- Removed redundant fields in ClientHello.

clienthello.go

@@ -53,8 +53,8 @@ type ClientHello struct {
 	alpnWithLengths                 []uint8
 	lengthPrefixedCertCompressAlgos []uint8
 	keyshareGroupsWithLengths       []uint16
-	nid                             int64
-	norm_nid                        int64
+	// _nid                            int64
+	// norm_nid                        int64
 
 	// QUIC-only
 	qtp *QUICTransportParameters
@@ -271,12 +271,12 @@ func (ch *ClientHello) parseExtra() error {
 // FingerprintNID calculates fingerprint Numerical ID of ClientHello.
 // Fingerprint is defined by
 func (ch *ClientHello) FingerprintNID(normalized bool) int64 {
-	if normalized && ch.norm_nid != 0 {
-		return ch.norm_nid
+	if normalized && ch.NormNID != 0 {
+		return ch.NormNID
 	}
 
-	if !normalized && ch.nid != 0 {
-		return ch.nid
+	if !normalized && ch.NID != 0 {
+		return ch.NID
 	}
 
 	h := sha1.New() // skipcq: GO-S1025, GSC-G401,
@@ -303,10 +303,10 @@ func (ch *ClientHello) FingerprintNID(normalized bool) int64 {
 	out := int64(binary.BigEndian.Uint64(h.Sum(nil)[:8]))
 
 	if normalized {
-		ch.norm_nid = out
+		// ch.norm_nid = out
 		ch.NormNID = out
 	} else {
-		ch.nid = out
+		// ch._nid = out
 		ch.NID = out
 	}
 

modcaddy/Caddyfile

@@ -1,8 +1,8 @@
 {      
     debug
-    http_port    7080
-	https_port   7443
-    order clienthellod before file_server
+    # http_port    7080
+	# https_port   7443
+    order clienthellod before file_server # make sure handler before file_server
     clienthellod { # app (reservoir)
         validfor 20s 30s
     }
@@ -14,25 +14,28 @@
             }
             tls
         }
+        # protocols h3
     }
 }
 
-172.21.190.119, localhost, 127.0.0.1 {
+1.mydomain.com {
     tls internal
     clienthellod { # handler
+        # quic # mutually exclusive with tls
         tls # listener_wrappers.clienthellod.tcp must be set
     }
     file_server {
         root /var/www/html
     }
 }
 
-# 127.0.0.2 {
-#     tls internal
-#     clienthellod { # handler
-#         quic # listener_wrappers.clienthellod.udp must be set
-#     }
-#     file_server {
-#         root /var/www/html
-#     }
-# }
+2.mydomain.com {
+    tls internal
+    clienthellod { # handler
+        quic # listener_wrappers.clienthellod.udp must be set
+        # tls # mutually exclusive with quic
+    }
+    file_server {
+        root /var/www/html
+    }
+}

modcaddy/handler/handler.go

@@ -75,16 +75,16 @@ func (h *Handler) ServeHTTP(wr http.ResponseWriter, req *http.Request, next cadd
 	h.logger.Debug("Sering HTTP to " + req.RemoteAddr + " on Protocol " + req.Proto)
 
 	if h.TLS && req.ProtoMajor <= 2 { // HTTP/1.0, HTTP/1.1, H2
-		return h.serveHTTP(wr, req, next) // TLS ClientHello capture enabled, serve ClientHello
+		return h.serveHTTP12(wr, req, next) // TLS ClientHello capture enabled, serve ClientHello
 	} else if h.QUIC && req.ProtoMajor == 3 { // QUIC
 		return h.serveQUIC(wr, req, next)
 	}
 	return next.ServeHTTP(wr, req)
 }
 
-// serveHTTP handles HTTP/1.0, HTTP/1.1, H2 requests by looking up the
+// serveHTTP12 handles HTTP/1.0, HTTP/1.1, H2 requests by looking up the
 // ClientHello from the reservoir and writing it to the response.
-func (h *Handler) serveHTTP(wr http.ResponseWriter, req *http.Request, next caddyhttp.Handler) error { // skipcq: GO-W1029
+func (h *Handler) serveHTTP12(wr http.ResponseWriter, req *http.Request, next caddyhttp.Handler) error { // skipcq: GO-W1029
 	// get the client hello from the reservoir
 	ch := h.reservoir.WithdrawClientHello(req.RemoteAddr)
 	if ch == nil {
@@ -120,7 +120,7 @@ func (h *Handler) serveHTTP(wr http.ResponseWriter, req *http.Request, next cadd
 	h.logger.Debug("ClientHello: " + string(b))
 	wr.Header().Set("Content-Type", "application/json")
 	wr.Header().Set("Connection", "close")
-	wr.Header().Set("Alt-Svc", "")
+	wr.Header().Set("Alt-Svc", "clear") // to invalidate QUIC
 	_, err = wr.Write(b)
 	if err != nil {
 		h.logger.Error("failed to write response", zap.Error(err))