Login() proxy blocked by AH WAF (403 Access Denied) — needs browser-impersonating TLS #26

Description

@beninhos

As of ~June 2026, Client.Login() (the local reverse-proxy to login.ah.nl) no
longer works: AH's bot protection returns 403 Access Denied to requests from
Go's default net/http client, so the login page never loads through the proxy
and the OAuth code is never obtained.

Reproduce

Proxying GET https://login.ah.nl/secure/oauth/authorize?client_id=appie&redirect_uri=appie://login-exit&response_type=code
through the httputil.ReverseProxy in login.go returns:

HTTP/1.1 403
<HTML><HEAD><TITLE>Access Denied</TITLE></HEAD>
<BODY><H1>Access Denied</H1><P>Reference #0.xxxxxxxx.xxxxxxxxxx.xxxxxxx</P></BODY></HTML>

(WAF block page.)

Root cause

Go's default TLS ClientHello + header ordering is fingerprintable and AH's WAF now
blocks it. httputil.ReverseProxy uses http.DefaultTransport, so every proxied
request is denied before the user ever sees the login form.
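
One way to make the proxy report this condition explicitly, as an added example that is not code from this issue or from the project's login.go: a `ModifyResponse` hook that recognises the block page quoted above and answers with a clear 502 instead of relaying it. `IsWAFBlock` and `NewLoginProxy` are hypothetical names, and the check assumes the upstream body arrives uncompressed.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// IsWAFBlock matches the block page quoted in the issue: 403, "Access Denied" title, "Reference #" line.
func IsWAFBlock(status int, body []byte) bool {
	return status == http.StatusForbidden &&
		bytes.Contains(body, []byte("<TITLE>Access Denied</TITLE>")) &&
		bytes.Contains(body, []byte("Reference #"))
}

// NewLoginProxy (hypothetical helper) turns the block page into an explicit proxy error.
func NewLoginProxy(target *url.URL) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(target)
	p.ModifyResponse = func(resp *http.Response) error {
		if resp.StatusCode != http.StatusForbidden {
			return nil // other responses stream through untouched
		}
		// Peek at the first 4 KiB only (assumption: body is not compressed).
		head, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
		if err != nil {
			return err
		}
		if IsWAFBlock(resp.StatusCode, head) {
			return fmt.Errorf("upstream WAF denied the request (HTTP %d block page)", resp.StatusCode)
		}
		resp.Body = struct {
			io.Reader
			io.Closer
		}{io.MultiReader(bytes.NewReader(head), resp.Body), resp.Body} // peeked bytes go back in front
		return nil
	}
	// A non-nil error from ModifyResponse lands here instead of reaching the browser.
	p.ErrorHandler = func(w http.ResponseWriter, _ *http.Request, err error) {
		http.Error(w, "login proxy: "+err.Error(), http.StatusBadGateway)
	}
	return p
}

func main() {
	sample := []byte("<TITLE>Access Denied</TITLE><P>Reference #0.xxxxxxxx</P>") // constructed sample
	fmt.Println(IsWAFBlock(http.StatusForbidden, sample))
}
```

An ordinary 403 that is not the block page is still relayed to the browser unchanged.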
