[squid-users] Domain fronting detection

Amos Jeffries squid3 at treenet.co.nz
Wed Mar 16 11:04:39 UTC 2022


On 16/03/22 08:09, Jason Spashett wrote:
> Hello squid-users,
> 
> I wonder if there is a set of workable acls at present that can detect 
> and/or block domain fronting.

Unfortunately no.


> By way of my understanding, that would be 
> comparing the TLS SNI during a client connecting to squid and issuing a 
> CONNECT method. Squid would bump that TLS request to also examine each 
> and every Host header and compare it to the TLS SNI to see if there is a 
> discrepancy.
> 
> Looking at the code at the moment I can only see absolute URL vs host 
> header checks, which do not appear to look at the CONNECT TLS SNI, which 
> I think to be found in the master xaction.
> 

This was part of the original intended design of that class. But there 
has been significant pushback against having any kind of connection 
between two "master transactions" and work is underway now to revert the 
class.


Amos
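The SNI-versus-Host comparison Jason describes, as an added example that is not part of this thread and not Squid code: it runs over constructed log lines from an assumed custom logformat that records the client SNI (`%ssl::>sni`) and the bumped request's Host header (`%>h{Host}`), and lists requests where the two names disagree.

```python
from urllib.parse import urlsplit

# Constructed sample access log. Assumed logformat (not a Squid-shipped one):
#   logformat fronting %ts %>a %rm %ru %ssl::>sni %>h{Host}
# "-" means the field was absent (no TLS, or no Host header).
SAMPLE_LOG = """\
1647428679 10.0.0.5 CONNECT allowed.example.com:443 allowed.example.com -
1647428680 10.0.0.5 GET https://allowed.example.com/ allowed.example.com allowed.example.com
1647428681 10.0.0.5 GET https://allowed.example.com/api allowed.example.com Hidden.Example.net
1647428682 10.0.0.6 GET https://cdn.example.org/x cdn.example.org cdn.example.org:443
1647428683 10.0.0.7 GET http://plain.example.com/ - plain.example.com
"""

def normalize_host(value):
    """Return a comparable host name: lower-cased, without port or trailing dot."""
    if value in ("", "-"):
        return None
    # urlsplit handles "[v6]:port" and "name:port" and lower-cases the host.
    host = urlsplit("//" + value.strip()).hostname
    return host.rstrip(".") if host else None

def is_fronting_candidate(sni, host_header):
    """True when both names are present and differ after normalisation."""
    sni_n, host_n = normalize_host(sni), normalize_host(host_header)
    if sni_n is None or host_n is None:
        return False          # plain HTTP or missing Host: nothing to compare
    return sni_n != host_n

def find_mismatches(log_text):
    """Yield (client, sni, host, url) for each bumped request whose Host differs from the SNI."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue          # malformed or foreign line
        _ts, client, method, url, sni, host = fields
        if method == "CONNECT":
            continue          # the tunnel request itself carries no inner Host header
        if is_fronting_candidate(sni, host):
            hits.append((client, normalize_host(sni), normalize_host(host), url))
    return hits

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG):
        print("SNI/Host mismatch: client=%s sni=%s host=%s url=%s" % hit)
```

A mismatch is a review signal rather than a block decision on its own, since one CDN SNI can legitimately front many Host values.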

