SGOS 184.108.40.206 and SGOS 220.127.116.11 introduce the "http.connect.host" and "http.connect.port" policy gestures, which record and report the actual host and port values of the CONNECT request, obtained by parsing the request line (the first line of the request).
These policy gestures are available as VPM Source column objects in the Web Access Layer:
HTTP Connect Hostname: Tests the hostname (the host value in the first line of the HTTP CONNECT request) obtained from the original HTTP CONNECT request URL.
HTTP Connect Port: Tests the port (the port value in the first line of the HTTP CONNECT request) obtained from the original HTTP CONNECT request URL.
Example using Content Policy Language (CPL) to stop a domain fronting request
The http.connect.host condition can be combined with the $(url.host) substitution variable to compare the value of url.host against the value of http.connect.host:
<proxy>
    http.connect.host != "$(url.host)" Deny
This policy blocks any request whose HTTP CONNECT host differs from the host in the request URL.
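The following added example (not Symantec code) emulates that rule outside the proxy: it parses the CONNECT request line the way http.connect.host is derived, takes url.host from the intercepted inner request URL, and returns the Allow/Deny verdict. The sample request lines and URLs are constructed for illustration.

```python
"""Emulate the CPL rule  http.connect.host != "$(url.host)" Deny
over a CONNECT request line plus the intercepted inner request URL."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ConnectTarget:
    host: str
    port: int


def parse_connect_line(first_line: str) -> ConnectTarget:
    """Parse 'CONNECT host:port HTTP/1.1' (authority form).
    Bracketed IPv6 literals are handled; the port is mandatory in
    authority form, so a missing port is rejected rather than defaulted."""
    parts = first_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        raise ValueError(f"not a CONNECT request line: {first_line!r}")
    authority = parts[1]
    if authority.startswith("["):            # IPv6 literal, e.g. [2001:db8::1]:443
        close = authority.find("]")
        if close < 0 or authority[close + 1:close + 2] != ":":
            raise ValueError(f"malformed IPv6 authority: {authority!r}")
        host, port = authority[1:close], authority[close + 2:]
    else:
        host, sep, port = authority.rpartition(":")
        if not sep:
            raise ValueError(f"authority without port: {authority!r}")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port: {port!r}")
    # Normalise as a hostname comparison would: case-insensitive, no trailing dot.
    return ConnectTarget(host.lower().rstrip("."), int(port))


def decide(connect_line: str, inner_url: str) -> str:
    """'Deny' when the tunnel endpoint (http.connect.host) differs from the
    host of the intercepted request URL (url.host), otherwise 'Allow'."""
    tunnel = parse_connect_line(connect_line)
    url_host = (urlsplit(inner_url).hostname or "").lower().rstrip(".")
    return "Deny" if tunnel.host != url_host else "Allow"


# Constructed sample traffic, not captured data.
SAMPLES = [
    ("CONNECT cdn.example.net:443 HTTP/1.1", "https://cdn.example.net/asset.js"),
    ("CONNECT cdn.example.net:443 HTTP/1.1", "https://hidden.example.org/beacon"),
]

if __name__ == "__main__":
    for line, url in SAMPLES:
        print(f"{line!r:45} -> {url:40} {decide(line, url)}")
```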
New Access Log fields
You can add the following new access log fields to an access log format to help track possible domain fronting attempts: