On 16/03/22 08:09, Jason Spashett wrote:
Hello squid-users,
I wonder if there is a set of workable acls at present that can detect
and/or block domain fronting.
Unfortunately no.
By way of my understanding, that would be
comparing the TLS SNI during a client connecting to squid and issuing a
CONNECT method. Squid would bump that TLS request to also examine each
and every Host header and compare it to the TLS SNI to see if there is a
discrepancy.
Looking at the code at the moment I can only see absolute URL vs host
header checks, which do not appear to look at the CONNECT TLS SNI, which
I think to be found in the master xaction.
This was part of the original intended design of that class. But there
has been significant pushback against having any kind of connection
between two "master transactions" and work in underway now to revert the
class.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
