Hello squid-users, I wonder if there is a set of workable acls at present that can detect and/or block domain fronting. By way of my understanding, that would be comparing the TLS SNI during a client connecting to squid and issuing a CONNECT method. Squid would bump that TLS request to also examine each and every Host header and compare it to the TLS SNI to see if there is a discrepancy.
Looking at the code at the moment I can only see absolute URL vs host header checks, which do not appear to look at the CONNECT TLS SNI, which I think to be found in the master xaction. Regards, Jason.
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
