On 3/15/22 15:09, Jason Spashett wrote:
I wonder if there is a set of workable acls at present that can detect
and/or block domain fronting. By way of my understanding, that would be
comparing the TLS SNI during a client connecting to squid and issuing a
CONNECT method. Squid would bump that TLS request to also examine each
and every Host header and compare it to the TLS SNI to see if there is a
discrepancy.
Bugs notwithstanding, modern Squids should be able to do that using an
external ACL. Your external ACL helper can receive SNI information via
%ssl::>sni in the external_acl_type FORMAT field.
On 3/16/22 07:04, Amos Jeffries wrote:
Looking at the code at the moment I can only see absolute URL vs host
header checks, which do not appear to look at the CONNECT TLS SNI,
which I think to be found in the master xaction.
This was part of the original intended design of that class. But there
has been significant pushback against having any kind of connection
between two "master transactions" and work in underway now to revert the
class.
SNI is a client-Squid connection info shared among all master
transactions associated with that connection. The MasterXaction class
will eventually provide access to more client-Squid connection info,
including SNI. Any reasonable outcome of the ongoing dispute regarding
MasterXaction future will reflect these fundamental relationships.
HTH,
Alex.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
