Implementing the Domain Fronting Detection feature on ProxySG or Advanced Secure Gateway.
SGOS version 184.108.40.206 or later.
Domain fronting is when the HTTP Host header or TCP port differs from the Host in the URL. For example:
CONNECT http://www.example.com/ HTTP/1.0
SGOS 220.127.116.11 and SGOS 18.104.22.168 introduce the "http.connect.host" and "http.connect.port" policy gestures, which record and report the actual host and port in the CONNECT request, obtained by parsing the request's first line.
These policy gestures are available as VPM Source column objects in the Web Access Layer:
HTTP Connect Hostname: Tests the hostname (the host value in the first line of the HTTP CONNECT request) obtained from the original HTTP CONNECT request URL.
HTTP Connect Port: Tests the port (the port value in the first line of the HTTP CONNECT request) obtained from the original HTTP CONNECT request URL.
The http.connect.host gesture can be used with the $(url.host) substitution variable to compare the value of url.host against the value of http.connect.host.
Such a policy blocks any request whose HTTP CONNECT host differs from the host in the URL.
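The comparison that policy performs, written out as an added illustration (this is not SGOS code): the host and port are parsed from the CONNECT request line, as http.connect.host and http.connect.port report them, and compared with the Host header, as url.host reflects it. Both the authority form (CONNECT host:port) and the absolute-URL form shown above are handled, and default ports are normalised so that a missing port does not count as a mismatch. The sample requests are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_port(authority, default_port):
    """Split 'host[:port]' (bracketed IPv6 allowed) into (host, port)."""
    if authority.endswith("]"):            # bare bracketed IPv6, no port
        return authority.lower(), default_port
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return authority.lower(), default_port


def parse_connect_target(request_line):
    """(host, port) from a CONNECT request line; what http.connect.host /
    http.connect.port would report for this request."""
    method, target, _version = request_line.strip().split()
    if method.upper() != "CONNECT":
        raise ValueError("not a CONNECT request line")
    if "://" in target:                    # absolute-URL form, as on the page
        u = urlsplit(target)
        return u.hostname.lower(), u.port or DEFAULT_PORTS.get(u.scheme, 443)
    return split_host_port(target, 443)    # authority form: host:port


def host_header(headers):
    """Value of the Host header from a list of 'Name: value' lines, or None."""
    for line in headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def is_domain_fronted(request_line, headers):
    """True when the Host header names a different host or port than the
    CONNECT request line, the mismatch the DENY policy above catches."""
    connect_host, connect_port = parse_connect_target(request_line)
    value = host_header(headers)
    if value is None:
        return False                       # nothing to compare against
    header_host, header_port = split_host_port(value, connect_port)
    return (header_host, header_port) != (connect_host, connect_port)


# Constructed sample requests (not captured traffic).
LEGIT = ("CONNECT www.example.com:443 HTTP/1.1", ["Host: www.example.com"])
FRONTED = ("CONNECT cdn.example.net:443 HTTP/1.1", ["Host: hidden.example.org"])
```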
You can add the following new access log fields to an access log format to help track possible domain fronting attempts: