HAProxy - JA4H HTTP Client-Fingerprint - Lua Plugin

WARNING: This plugin is still in early development! DO NOT USE IN PRODUCTION!

Intro

About JA4:

• HAProxy Lua Plugin (JA4)
• JA4+ Suite
• FoxIO Repository
• Cloudflare Blog
• FoxIO Blog
• FoxIO JA4 Database

About JA3:

• HAProxy Lua Plugin (JA3N)
• Salesforce Repository
• HAProxy Enterprise JA3 Fingerprint
• JA3N

---

Usage

• Add the LUA script ja4h.lua to your system. Available HTTP fetches are: HAProxy HTTP fetches

Config

• Enable SSL/TLS capture with the global setting tune.ssl.capture-buffer-size 96
• Load the LUA module with lua-load /etc/haproxy/lua/ja4h.lua
• Execute the LUA script on HTTP requests: http-request lua.fingerprint_ja4h
• Log the fingerprint: http-request capture var(txn.fingerprint_ja4h) len 36

---

Contribute

If you have:

• Found an issue/bug - please report it
• Have an idea on how to improve it - feel free to start a discussion
• PRs are welcome

Issues

• Have not yet found an option to access the request object req.

Testing

• Create snakeoil certificate:

  openssl req -x509 -newkey rsa:4096 -sha256 -nodes -subj "/CN=HAProxy JA4H Test" -addext "subjectAltName = DNS:localhost,IP:127.0.0.1" -keyout /tmp/haproxy.key.pem -out /tmp/haproxy.crt.pem -days 30
  cat /tmp/haproxy.crt.pem /tmp/haproxy.key.pem > /tmp/haproxy.pem

• Link the LUA script: ln -s $(pwd)/ja4h.lua /tmp/haproxy_ja4h.lua

• You can run the haproxy_example.cfg manually like this: haproxy -W -f haproxy_example.cfg

• Access the test website: https://localhost:6969/