I was looking at extending caddy-defender to tarpit http(s) connections by supplying an indefinite succession of random headers, per the suggestion by skeeto in Endlessh: an SSH Tarpit (at the very bottom).
I was able to get this working for http connections using http.Hijacker, but that doesn't work for https, because while caddy itself knows the state of a tls connection at the point the handler is launched, the handler doesn't know the state and therefore cannot know how to properly write to the connection.
I was thinking about a way to wrap a net.Listener and would like to know if this is feasible. The idea is to have caddy serve for a host, and if an IP address matches a list that is supplied or a predefined list (via configuration, in the same way caddy-defender does it), then you would accept the connection and perform a header tarpit. However, if the IP does not match, can the connection be sent back to Caddy for normal handling?
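A sketch of that listener wrapper, added here as an example rather than code from caddy-defender or from the post: a net.Listener whose Accept keeps peers from configured prefixes busy with an endless trickle of random headers and hands every other connection back unchanged. It assumes the wrapper sits below Caddy's HTTP server but after TLS termination (Caddy applies listener_wrappers in order, and the `tls` entry marks where the handshake happens, so a wrapper listed after it receives the decrypted stream); the prefixes and delay are constructed sample configuration.

```go
package main

import (
	"fmt"
	"math/rand"
	"net"
	"net/netip"
	"time"
)
// TarpitListener wraps a net.Listener: peers inside a Blocked prefix get an endless
// trickle of random headers; every other connection is returned from Accept untouched.
type TarpitListener struct {
	net.Listener
	Blocked []netip.Prefix
	Delay   time.Duration // pause between header lines
}
// ShouldTarpit reports whether a "host:port" peer address is in a blocked prefix.
func (l *TarpitListener) ShouldTarpit(addr string) bool {
	ap, err := netip.ParseAddrPort(addr)
	if err != nil {
		return false
	}
	for _, p := range l.Blocked {
		if p.Contains(ap.Addr().Unmap()) { // ::ffff:1.2.3.4 counts as 1.2.3.4
			return true
		}
	}
	return false
}
// Accept parks matched peers in a goroutine and keeps accepting until it has a connection for normal handling.
func (l *TarpitListener) Accept() (net.Conn, error) {
	for {
		c, err := l.Listener.Accept()
		if err != nil {
			return nil, err
		}
		if !l.ShouldTarpit(c.RemoteAddr().String()) {
			return c, nil
		}
		go func() { // status line first, then headers until the peer gives up
			defer c.Close()
			for _, err := fmt.Fprint(c, "HTTP/1.1 200 OK\r\n"); err == nil; _, err = fmt.Fprint(c, HeaderLine()) {
				time.Sleep(l.Delay)
			}
		}()
	}
}

// HeaderLine returns one random but syntactically valid header line.
func HeaderLine() string { return fmt.Sprintf("X-%08x: %016x\r\n", rand.Uint32(), rand.Uint64()) }
```

Because matched peers never reach the HTTP server, they will not show up in Caddy's access logs; log them from the wrapper if you want to see what the tarpit is holding.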