Deploying JA4
- Miloslav Homer
• Pre-Requisites, Technologies, RFCs and Shorthands
• The Outsourced Way
• The Self-Hosted Way
• JA4 in HAProxy
• The Fragile PoC Way
• Collecting PCAPs
• Parsing PCAPs
• TLS Version Extraction
• Wiring Client Hello Properties
• Validating Parsed Values
• Bot Analysis - Next Time
#DevSecOps
#HAProxy
#JA3
#JA4
#PCAP
#Python
2026-06-07
I want to identify/block/rate-limit bots coming to my server. I want to avoid vendor lock-in and use open-source solutions. I also want to avoid PCAP inspection (Suricata, Zeek...) as those are threatened by Encrypted Client Hello (and are fiddly/expensive to set up/maintain).

JA4 fits these requirements. In the previous part, I’ve covered JA3/JA4 generally:

• Both are TLS fingerprinting methods analyzing ClientHello parameters (cipher suites, extensions, ALPN...).
• JA3 is now obsolete since Chrome permutes its extensions, so please use JA4, which is now well supported.
• JA4+ (the full suite of methods) has a mixed licensing model, beware.

In this part, let’s deploy this tech. There’s a somewhat-maintained list of tools supporting JA4 to choose from. Keeping the requirements above, I’ve found only these options:

• Nginx plugin: made by the JA4 authors but marked as work in progress,
• Rama proxy: in Rust, but still in alpha,
• Envoy proxy: not on the list, but seems to support JA4,
• HAProxy plugin: my pick; in this post I describe how to deploy/configure HAProxy to store JA4s and User-Agents in logs.

If you really want to dive deep, I’ve implemented JA4 calculation in Python using scapy to parse PCAPs captured by tcpdump as a PoC. It’s not production ready at all, but I’ve learned a ton about the technology. Parsing PCAPs is the hard part; calculating JA4 from the extracted data is much easier.

Still interested? Let’s get started with the gauntlet of standards and acronyms.
Pre-Requisites, Technologies, RFCs and Shorthands
I’m about to drown you in terminology, as we need to juggle a lot of standards to get this thing rolling. So here’s a brief explainer:

• TLS (Transport Layer Security) RFC8446: the encryption layer for HTTP and many other protocols. There are many extensions to this.
• SSL (Secure Sockets Layer): the predecessor of TLS, quite compatible with it. Sometimes you still see references to it, or the SSL/TLS shorthand for HTTPS.
• Client Hello: the first message from client to server to establish TLS.
• SNI (Server Name Indication) RFC6066: the client includes this extension in the Client Hello to tell the server which hostname (and so which backend) it is connecting to.
• ALPN (Application Layer Protocol Negotiation) RFC7443: Client Hello extension; it’s a hint to the server about which protocol to use after TLS is established.
• GREASE (Generate Random Extensions And Sustain Extensibility) RFC8701: lets clients troll servers with reserved nonsense values at random places in the handshake, which the servers have to handle correctly without crashing.
• ECH (Encrypted Client Hello) RFC9849: new standard to encrypt the Client Hello, hiding SNI, ALPN and other fields from prying eyes. My article on this.
• PCAP (Packet Capture): format for storing packet data, a de-facto standard established by the libpcap implementation in the 80s. No formal RFC yet.

These points are really just a reference to keep at hand as you navigate these shorthands and standards. And now let’s deploy some JA4.
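To make the glossary concrete, and to back up the claim above that computing JA4 from extracted data is the easy part, here is how the ClientHello pieces (TLS version, SNI, ALPN, GREASE, cipher suites, extensions, signature algorithms) combine into a JA4 fingerprint once they have been pulled out of the handshake. This is an added example written against the public JA4 specification (sorted variant), not the author’s scapy PoC; the function names and the sample ClientHello values are constructed.

```python
# Added example (not the author's scapy PoC): JA4 from already-extracted ClientHello
# fields, following the public JA4 spec (sorted variant). Names and sample values are constructed.
import hashlib

TLS_VERSION_CODES = {0x0304: "13", 0x0303: "12", 0x0302: "11",
                     0x0301: "10", 0x0300: "s3", 0x0002: "s2"}

def is_grease(v: int) -> bool:
    # GREASE (RFC 8701) values look like 0x0a0a, 0x1a1a, ..., 0xfafa
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def hash12(joined: str) -> str:
    # Truncated SHA-256 used for JA4_b and JA4_c; all zeros for an empty list
    return hashlib.sha256(joined.encode()).hexdigest()[:12] if joined else "0" * 12

def alpn_code(alpn: bytes) -> str:
    # First and last character of the first ALPN value, "00" when there is none
    if not alpn:
        return "00"
    alnum = lambda b: 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122
    if alnum(alpn[0]) and alnum(alpn[-1]):
        return chr(alpn[0]) + chr(alpn[-1])
    hx = alpn.hex()  # non-printable ALPN: first and last hex digit instead
    return hx[0] + hx[-1]

def ja4(ciphers, extensions, legacy_version, supported_versions=(),
        alpn=b"", sig_algs=(), transport="t") -> str:
    # Version: highest non-GREASE supported_versions entry, else the legacy field
    cands = [v for v in supported_versions if not is_grease(v)]
    ver = TLS_VERSION_CODES.get(max(cands) if cands else legacy_version, "00")
    sni = "d" if 0x0000 in extensions else "i"           # SNI extension present?
    ciphers = [c for c in ciphers if not is_grease(c)]
    exts = [e for e in extensions if not is_grease(e)]   # the count keeps SNI/ALPN
    ja4_a = f"{transport}{ver}{sni}{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_code(alpn)}"
    ja4_b = hash12(",".join(f"{c:04x}" for c in sorted(ciphers)))
    # Hashed extension list drops SNI (0x0000) and ALPN (0x0010); sig algs go after "_" unsorted
    ext_str = ",".join(f"{e:04x}" for e in sorted(exts) if e not in (0x0000, 0x0010))
    sigs = [s for s in sig_algs if not is_grease(s)]
    if sigs:
        ext_str += "_" + ",".join(f"{s:04x}" for s in sigs)
    return f"{ja4_a}_{ja4_b}_{hash12(ext_str)}"
# Constructed sample ClientHello, roughly shaped like a modern browser's
SAMPLE = dict(ciphers=[0x1a1a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f],
              extensions=[0x2a2a, 0x0000, 0x0017, 0x0010, 0x002b, 0x000d],
              legacy_version=0x0303, supported_versions=[0x3a3a, 0x0304, 0x0303],
              alpn=b"h2", sig_algs=[0x0403, 0x0804])

def sample_fingerprint() -> str:
    return ja4(**SAMPLE)  # starts with "t13d0505h2_"
```

The same GREASE filtering and the SNI/ALPN exclusion from the hashed extension list are what make two ClientHellos from the same client match even though Chrome randomizes its GREASE values per connection.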
The Outsourced Way
You can reach out to one of the many big service providers to do this for you. Here’s a list, pick your favorite.

Obviously, that’s not something I’d like to do for this blog, the whole purpose of which is to do something independent. Focusing on tech, I want to avoid vendor lock-in as much as possible.

For example, Cloudflare gives you this only in the Enterprise plan, the best plan there is! While you can expect some price increases, if you already have these plans, it’s a no-brainer. Even upgrading the plan might be cheaper than switching providers and/or rolling your own.
The Self-Hosted Way
From the same list we can pick a few open-source solutions that support JA4.

A lot of these solutions capture PCAPs to analyze the traffic (Suricata, Zeek, Wireshark, Arkime...). Beware if you’d like to use Encrypted Client Hello, as the ClientHello properties you’d need will be... encrypted.

I’d rather deploy it on a reverse proxy. There is an “official” nginx module from the JA4 creators, but from their description it’s a work in progress. Since they’ve recently hidden their DB, I’m not sure what the future of this extension is.

There is also the rama proxy, which looks amazing (new, Rust, feature set) but has LLMisms all over the place. I’m not hating on the project, but I’m not using it either.

Speaking of Rust-based proxies, pingora seems to be on its way to supporting JA4, so fingers crossed.

And Envoy seems to be already there, but it's not on the list. Go figure. If you have a favorite...