[squid-users] Domain fronting detection

Alex Rousskov rousskov at measurement-factory.com
Wed Mar 16 13:34:12 UTC 2022


On 3/15/22 15:09, Jason Spashett wrote:

> I wonder if there is a set of workable acls at present that can detect 
> and/or block domain fronting. By way of my understanding, that would be 
> comparing the TLS SNI during a client connecting to squid and issuing a 
> CONNECT method. Squid would bump that TLS request to also examine each 
> and every Host header and compare it to the TLS SNI to see if there is a 
> discrepancy.

Bugs notwithstanding, modern Squids should be able to do that using an 
external ACL. Your external ACL helper can receive SNI information via 
%ssl::>sni in the external_acl_type FORMAT field.


> On 3/16/22 07:04, Amos Jeffries wrote:
>>> Looking at the code at the moment I can only see absolute URL vs host 
>>> header checks, which do not appear to look at the CONNECT TLS SNI, 
>>> which I think to be found in the master xaction.

>> This was part of the original intended design of that class. But there 
>> has been significant pushback against having any kind of connection 
>> between two "master transactions" and work is underway now to revert the 
>> class.

SNI is a client-Squid connection info shared among all master 
transactions associated with that connection. The MasterXaction class 
will eventually provide access to more client-Squid connection info, 
including SNI. Any reasonable outcome of the ongoing dispute regarding 
MasterXaction future will reflect these fundamental relationships.


HTH,

Alex.
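As an added example (not from this thread or the Squid project), here is a helper of the kind Alex describes: it receives `%ssl::>sni` and the inner request's Host header through the external_acl_type FORMAT and answers OK when they agree and ERR when they differ. The squid.conf wiring in the docstring, the helper path, the `concurrency=` setting and the treatment of `-` as "no value" are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: flag SNI vs inner Host header discrepancies.

Assumed squid.conf wiring (illustrative, not taken from the thread):
  external_acl_type sni_host ttl=0 negative_ttl=0 concurrency=10 \\
      %ssl::>sni %>{Host} /usr/local/bin/sni_host_check.py
  acl sni_matches_host external sni_host
  http_access deny !sni_matches_host
Once ssl_bump has bumped the CONNECT tunnel, each inner request carries both
the tunnel's SNI and its own Host header; a mismatch is a fronting indicator.
"""
import sys
from urllib.parse import quote, unquote


def normalize(field):
    """URL-decode a FORMAT field, lowercase it, strip a trailing :port and dot.
    Squid's default quote=url encoding is undone here; '-' or '' mean absent."""
    name = unquote(field).strip()
    if name in ("", "-"):
        return None
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():          # "example.com:443" or "[2001:db8::1]:443"
        name = host
    return name.lower().rstrip(".")


def decide(line):
    """Map one helper request line to the reply Squid expects."""
    fields = line.rstrip("\n").split(" ")
    channel = ""
    if fields and fields[0].isdigit():  # concurrency=N prefixes a channel id
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) < 2:
        return channel + "BH message=unexpected_field_count"
    sni, host = normalize(fields[0]), normalize(fields[1])
    if sni is None or host is None:     # plain HTTP or no Host: nothing to compare
        return channel + "OK"
    if sni == host:
        return channel + "OK"
    # log= is available to access.log as %ea; value must be URL-encoded
    detail = quote("sni=%s host=%s" % (sni, host), safe="=")
    return channel + "ERR message=sni_host_mismatch log=" + detail


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()              # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

The decision is deliberately exact-match only; a site that legitimately serves several Host names behind one SNI would need an allow list layered on top, which is outside what this helper shows.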

