[dns-operations] need recommendation for filtering outbound HTTPS

Paul Vixie paul at redbarn.org
Mon May 13 00:36:32 UTC 2019

On Sunday, 12 May 2019 16:26:05 UTC Grant Taylor wrote:
> On 5/12/19 1:10 AM, Paul Vixie wrote:
> > i see that squid is not the only forward proxy available for HTTPS
> > now. for example:
> > 
> > https://superuser.com/questions/604352/nginx-as-forward-proxy-for-https
> I don't see any discussion of certificates for Nginx's forward proxy
> CONNECT support.  This makes me think that it's not functioning as an
> SSL / TLS bump in the wire like Squid can.

to be clear, if there's a CONNECT verb, it's not bump-in-the-wire.

also, in TLS 1.3 w/ encrypted SNI, the only way to do bump-in-the-wire is to 
force a downgrade to TLS 1.2. this is what i expect "next-gen firewalls" and 
the chinese "great firewall" to do. clients or servers who won't tolerate the 
downgrade will fail, but that will be seen by some network operators as the 
lesser cost (compared to allowing DoH through.)

i don't want to proxy everything. but the https proxy protocol, and socks, do 
not have a way to tell the initiator, "you don't need me for this connection, 
just try again without a proxy". and TLS 1.3 w/ ESNI makes it impossible to be 
selective in what the forward proxy decrypts, it has to be everything.

our alternatives and their costs have been carefully managed for us here.


More information about the dns-operations mailing list