What's New
Bug Fix: HTTP/2 Stealth Mode
Fixed a critical stealth mode bug where direct visitors using HTTP/2 (the default for modern browsers and curl over TLS) received a 407 Proxy Authentication Required response instead of the expected fake nginx 404 Not Found page.
Root cause: In HTTP/2, the :authority pseudo-header is always present on every request. The proxy detection logic (is_proxy_request) used uri().authority().is_some() to identify proxy requests, which incorrectly matched all HTTP/2 traffic — including direct visitors and port scanners.
Fix: For HTTP/2, only CONNECT requests (extended CONNECT per RFC 8441) are treated as proxy requests. The absolute-URI authority check now only applies to HTTP/1.x, where it correctly distinguishes proxy requests from regular requests.
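The before and after detection logic, as an added example that is not the project's own code: the Req, Version and Method types are hypothetical stand-ins, has_authority models uri().authority().is_some(), and the sample requests are constructed.

```rust
// Added illustration; these types are stand-ins, not the project's own.
#[derive(Clone, Copy, PartialEq)]
pub enum Version { Http1, Http2 }

#[derive(Clone, Copy, PartialEq)]
pub enum Method { Get, Connect }

pub struct Req {
    pub version: Version,
    pub method: Method,
    // Models uri().authority().is_some(). HTTP/1.x: set only for absolute-form
    // or CONNECT targets. HTTP/2: always set, since :authority is always sent.
    pub has_authority: bool,
}

// Pre-fix check as the notes describe it: any authority means "proxy request".
pub fn is_proxy_request_old(r: &Req) -> bool {
    r.has_authority
}

// Post-fix check: HTTP/2 counts only CONNECT; HTTP/1.x keeps the authority test.
pub fn is_proxy_request_new(r: &Req) -> bool {
    match r.version {
        Version::Http2 => r.method == Method::Connect,
        Version::Http1 => r.has_authority,
    }
}

// Status an unauthenticated client sees: 407 on the proxy path, else the fake 404.
pub fn status(is_proxy: bool) -> u16 {
    if is_proxy { 407 } else { 404 }
}

// Constructed sample requests (not captured traffic).
pub fn samples() -> Vec<(&'static str, Req)> {
    vec![
        ("h1 direct GET /", Req { version: Version::Http1, method: Method::Get, has_authority: false }),
        ("h1 proxy GET http://example.test/", Req { version: Version::Http1, method: Method::Get, has_authority: true }),
        ("h1 CONNECT example.test:443", Req { version: Version::Http1, method: Method::Connect, has_authority: true }),
        ("h2 direct GET /", Req { version: Version::Http2, method: Method::Get, has_authority: true }),
        ("h2 CONNECT", Req { version: Version::Http2, method: Method::Connect, has_authority: true }),
    ]
}

fn main() {
    for (name, r) in samples() {
        println!("{:<34} old={} new={}", name,
            status(is_proxy_request_old(&r)), status(is_proxy_request_new(&r)));
    }
}
```

Only the "h2 direct GET /" row changes between the two checks, which is the case the curl and Chrome stealth tests cover.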
New Tests
- curl stealth tests — Verify direct requests get 404 over both HTTP/1.1 and HTTP/2 (default)
- Chrome stealth tests — Verify headless Chrome direct visits get the fake nginx 404 page, including subpath requests
Other Changes
- Updated cross-compilation docs to use Docker (rust:latest image) instead of cargo-zigbuild
- Added Open Graph and Twitter Card meta tags to landing page
- Renamed package references from https-proxy to https_proxy
- Added sensitive files (config, keys, .env) to .gitignore
Downloads
https_proxy-linux-amd64 — Linux x86_64 release binary (dynamically linked, stripped, LTO)