Implementing the Domain Fronting Detection feature on ProxySG or Advanced Secure Gateway.

SGOS version 6.7.4.1 or later.

Domain Fronting Detection

Domain fronting is when the HTTP Host header or TCP port differs from the Host in the URL. For example:

CONNECT http://www.example.com/ HTTP/1.0
Host: www.different.example.com

SGOS 6.7.4.141 and SGOS 6.7.4.1  introduces "http.connect.host" and "http.connect.port" policy gestures which would record and report the value of the actual "host" and "port" in the CONNECT request which would be obtained by parsing the request (first line). 

These policy gestures are in the VPM Source column objects are available in the Web Access Layer:

HTTP Connect Hostname: Tests the hostname (the host value in the first line of the HTTP CONNECT request) obtained from the original HTTP CONNECT request URL.

HTTP Connect Port: Tests the port (the port value in the first line of the HTTP connect request) obtained from the original HTTP CONNECT request URL.

Example using Content Policy Language (CPL) to stop a domain fronting request

The http.connect.host can be used with $(url.host) substitution variable to compare the value of the url.host against the value of http.connect.host.

For example:

<proxy>
  DENY http.connect.host=!"$(url.host)"

This policy would block any request if the HTTP CONNECT host differs from the host in the URL.

New Access Log fields

You can add the following new access log fields to an access log format to help track possible domain fronting attempts:

x-http-connect-host
x-http-connect-port