Introduction
As privacy concerns continue to grow in the digital landscape, Encrypted Client Hello (ECH) emerges as a critical technology for protecting user privacy during TLS handshakes. ECH encrypts the Server Name Indication (SNI) field, preventing network observers from seeing which specific website a client is attempting to connect to, even when using HTTPS.
In this comprehensive tutorial, you’ll learn how to implement ECH on an Ubuntu 24.04 VPS using Cloudflare as your DNS provider and either Caddy or Nginx as your web server. By the end of this guide, you’ll have a fully functional setup that protects your visitors’ privacy while maintaining optimal performance.
Prerequisites
Before proceeding with this ECH implementation, ensure you have the following:
- VPS Requirements: Ubuntu 24.04 LTS with at least 2GB RAM and 1 vCPU
- Domain Management: A domain registered and managed through Cloudflare
- Server Access: Root or sudo privileges on your Ubuntu 24.04 server
- Software Versions: Caddy v2.7+ or Nginx 1.25+ with OpenSSL 3.2+
- Network Configuration: Ports 80 and 443 open for HTTP/HTTPS traffic
Note: ECH support requires modern TLS implementations and is still evolving. Ensure your target browsers support ECH for optimal functionality.
Step-by-Step Tutorial
Step 1: Configure Cloudflare ECH Support
First, enable ECH support in your Cloudflare dashboard:
- Log into your Cloudflare dashboard and select your domain
- Navigate to SSL/TLS → Edge Certificates
- Enable Encrypted Client Hello (ECH) if available in your plan
- Set SSL/TLS encryption mode to Full (strict) for end-to-end encryption
Step 2: Update Ubuntu 24.04 System
Update your system to ensure you have the latest security patches and software versions:
sudo apt update && sudo apt upgrade -y
sudo apt install curl wget gnupg2 software-properties-common -y
Step 3 (Option A): Caddy ECH Setup
Caddy offers superior ECH support with automatic configuration. Install Caddy with ECH capabilities:
# Install Caddy
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy -y
Create your Caddyfile with ECH configuration:
# /etc/caddy/Caddyfile
{
    # ECH is a global option in Caddy (added in v2.10), not a per-site tls
    # subdirective. The argument is the public name that appears in the outer,
    # unencrypted ClientHello; "ech.your-domain.com" is a placeholder.
    # Caddy publishes the matching HTTPS DNS record itself only when a DNS
    # provider module for your zone is configured; otherwise add it at Cloudflare.
    ech ech.your-domain.com
}

your-domain.com {
    tls {
        protocols tls1.3
        curves x25519 secp384r1
    }
    # Your web content
    root * /var/www/html
    file_server
    # Security headers
    header Strict-Transport-Security max-age=31536000
    header X-Content-Type-Options nosniff
    header X-Frame-Options DENY
}
Step 4 (Option B): Nginx ECH Setup
For Nginx users, you’ll need a version compiled with ECH support. Install Nginx with OpenSSL 3.2+:
# Install Nginx
sudo apt install nginx openssl -y
# Verify OpenSSL version supports ECH
openssl version
# An OpenSSL build with ECH exposes ECH options in s_client; no output means no ECH
openssl s_client -help 2>&1 | grep -i ech
Configure Nginx with ECH support:
# /etc/nginx/sites-available/your-domain.com
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;   # nginx 1.25.1+ syntax; "listen ... http2" is deprecated
    server_name your-domain.com;

    # SSL Configuration with ECH
    ssl_certificate /path/to/your/cert.pem;
    ssl_certificate_key /path/to/your/key.pem;
    ssl_protocols TLSv1.3;
    # ssl_ciphers only selects TLS 1.2 suites; with TLSv1.3 alone it has no effect
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!SHA1:!DSS;
    # Only an ECH-patched nginx/OpenSSL build accepts an ECH directive; stock nginx
    # fails "nginx -t" on it. The directive name depends on the patchset you built
    # (the DEfO project's nginx patches use "ssl_echkeydir <dir>", for example).
    ssl_ech on;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;

    root /var/www/html;
    index index.html;
}
Step 5: Enable and Start Services
For Caddy users:
sudo systemctl enable caddy
sudo systemctl start caddy
sudo systemctl status caddy
For Nginx users:
sudo nginx -t
sudo systemctl enable nginx
sudo systemctl restart nginx
sudo systemctl status nginx
Step 6: Verify ECH Functionality
Test your ECH implementation using multiple methods:
# Test with curl (needs a curl built with ECH support; curl's ECH also requires
# DoH so it can fetch the HTTPS record that carries the ECH config)
curl -v --doh-url https://cloudflare-dns.com/dns-query --ech hard https://your-domain.com
# Confirm the ECH config is published in DNS (look for ech= in the output)
dig +short HTTPS your-domain.com
# Check SSL Labs for ECH support
# Visit: https://www.ssllabs.com/ssltest/
Use browser developer tools to verify ECH is working:
- Open Firefox or Chrome with ECH support enabled
- Navigate to your domain
- Check the security tab in developer tools for ECH status
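What a client actually consumes in Step 6 is the HTTPS DNS record for the domain and the ECHConfigList inside its ech parameter. The following is an added example, not code from this tutorial, Caddy, Nginx or Cloudflare: it serialises and parses the HTTPS RDATA (RFC 9460) and the ECHConfig structure (version 0xfe0d), then checks that the published config is one a browser can use: a supported version, an X25519 HPKE key of the right length, and the public name you expect in the outer ClientHello. The sample record, its 32-byte key and the public name ech.your-domain.com are constructed placeholders.

```python
import struct

ECH_SVCPARAM_KEY = 5              # RFC 9460 SvcParamKey "ech" (alpn is 1)
ECH_VERSION = 0xFE0D              # ECHConfig version used by deployed ECH
HPKE_KEM_X25519_SHA256 = 0x0020   # the only KEM the checker below accepts
HPKE_HKDF_SHA256_AES_128_GCM = (0x0001, 0x0001)   # (kdf_id, aead_id)

def _u16(buf, off):
    """Read a big-endian uint16 at off; return (value, new offset)."""
    return struct.unpack("!H", buf[off:off + 2])[0], off + 2

def _read_name(buf, off):
    """Uncompressed DNS wire-format name; the root "." is a single zero byte."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_https_rdata(priority, target, params):
    """Serialise HTTPS RDATA; SvcParams are emitted in ascending key order."""
    labels = [l for l in target.split(".") if l]
    out = struct.pack("!H", priority)
    out += b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    for key in sorted(params):
        out += struct.pack("!HH", key, len(params[key])) + params[key]
    return out

def parse_https_rdata(rdata):
    """Return (priority, target, {SvcParamKey: raw value}); strict on order/length."""
    priority, off = _u16(rdata, 0)
    target, off = _read_name(rdata, off)
    params, last_key = {}, -1
    while off < len(rdata):
        key, off = _u16(rdata, off)
        length, off = _u16(rdata, off)
        if key <= last_key or off + length > len(rdata):
            raise ValueError("malformed SvcParams (key order or value length)")
        params[key], off, last_key = rdata[off:off + length], off + length, key
    return priority, target, params

def build_ech_config_list(config_id, public_key, public_name,
                          suites=(HPKE_HKDF_SHA256_AES_128_GCM,)):
    """One-entry ECHConfigList: X25519 KEM, maximum_name_length=0, no extensions."""
    pn = public_name.encode("ascii")
    cs = b"".join(struct.pack("!HH", *s) for s in suites)
    body = (bytes([config_id]) + struct.pack("!HH", HPKE_KEM_X25519_SHA256, len(public_key))
            + public_key + struct.pack("!H", len(cs)) + cs
            + bytes([0, len(pn)]) + pn + struct.pack("!H", 0))
    cfg = struct.pack("!HH", ECH_VERSION, len(body)) + body
    return struct.pack("!H", len(cfg)) + cfg

def parse_ech_config_list(blob):
    """Parse every ECHConfig; unknown versions are flagged, not rejected."""
    total, off = _u16(blob, 0)
    if total != len(blob) - off:
        raise ValueError("ECHConfigList length prefix mismatch")
    configs = []
    while off < len(blob):
        version, off = _u16(blob, off)
        length, off = _u16(blob, off)
        body, off = blob[off:off + length], off + length
        if version != ECH_VERSION:
            configs.append({"version": version, "supported": False})
            continue
        kem_id, p = _u16(body, 1)                       # body[0] is config_id
        pk_len, p = _u16(body, p)
        public_key, p = body[p:p + pk_len], p + pk_len
        cs_len, p = _u16(body, p)
        suites = [struct.unpack("!HH", body[i:i + 4]) for i in range(p, p + cs_len, 4)]
        p += cs_len + 1                                 # skip maximum_name_length
        pn_len, p = body[p], p + 1
        public_name, p = body[p:p + pn_len].decode("ascii"), p + pn_len
        ext_len, p = _u16(body, p)
        if p + ext_len != len(body):
            raise ValueError("ECHConfig body length mismatch")
        configs.append({"supported": True, "config_id": body[0], "kem_id": kem_id,
                        "public_key": public_key, "cipher_suites": suites,
                        "public_name": public_name})
    return configs

def check_ech_publication(rdata, expected_public_name):
    """Findings for one HTTPS record; an empty list means the ECH config is usable."""
    _, _, params = parse_https_rdata(rdata)
    if ECH_SVCPARAM_KEY not in params:
        return ["no ech SvcParam: clients will send the SNI in the clear"]
    usable = [c for c in parse_ech_config_list(params[ECH_SVCPARAM_KEY]) if c["supported"]]
    findings = [] if usable else ["no ECHConfig with version 0xfe0d"]
    for c in usable:
        if c["kem_id"] != HPKE_KEM_X25519_SHA256 or len(c["public_key"]) != 32:
            findings.append(f"config {c['config_id']}: unexpected KEM or key length")
        if c["public_name"] != expected_public_name:
            findings.append(f"config {c['config_id']}: public_name {c['public_name']!r} "
                            f"!= {expected_public_name!r}")
    return findings

# Constructed sample: placeholder 32-byte key and placeholder public name.
SAMPLE_KEY = bytes(range(32))
SAMPLE_ECH = build_ech_config_list(7, SAMPLE_KEY, "ech.your-domain.com")
SAMPLE_RDATA = build_https_rdata(1, ".", {1: b"\x02h2", ECH_SVCPARAM_KEY: SAMPLE_ECH})
```

To check a live zone, take the base64 after ech= from the dig output above, base64-decode it and pass the bytes to parse_ech_config_list, or wrap them with build_https_rdata and run check_ech_publication. The public_name check matters because that is the hostname an observer sees; if it equals the real domain, ECH hides nothing.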
Best Practices
Security Considerations
- TLS 1.3 Only: ECH requires TLS 1.3, so disable older protocols for maximum security
- Certificate Management: Use automated certificate renewal with Let’s Encrypt or Cloudflare Origin certificates
- Monitoring: Implement CrowdSec monitoring to detect potential ECH bypass attempts
- Backup Strategy: Ensure your VPS backup strategy includes ECH configuration files
Performance Optimization
- HTTP/3 Integration: Enable HTTP/3 alongside ECH for optimal performance
- CDN Configuration: Leverage Cloudflare’s global network for ECH-enabled content delivery
- Resource Monitoring: Monitor CPU usage as ECH adds computational overhead
- Caching Strategy: Implement effective caching to offset ECH processing costs
Troubleshooting Tips
- Browser Compatibility: Test across multiple browsers as ECH support varies
- Log Analysis: Monitor server logs for ECH-related errors
- Fallback Configuration: Ensure graceful degradation for non-ECH clients
Conclusion
Successfully implementing Encrypted Client Hello on your Ubuntu 24.04 VPS significantly enhances user privacy by encrypting the SNI field during TLS handshakes. Whether you choose Caddy for its automatic ECH configuration or Nginx for fine-grained control, this implementation protects your visitors from network-level surveillance while maintaining excellent performance.
The combination of ECH with Cloudflare’s global infrastructure provides enterprise-grade privacy protection for websites of any scale. As ECH adoption grows, early implementation positions your infrastructure at the forefront of web privacy technology.
Ready to deploy ECH-enabled infrastructure? Explore our high-performance VPS solutions in Singapore, Sydney, and Amsterdam – all featuring AMD EPYC Milan processors and NVMe storage optimized for modern TLS implementations and privacy-focused deployments.