Description
This article describes the HTTP domain fronting blocking feature introduced in FortiProxy v7.0.1; see the release notes for more information about it. The FortiProxy domain fronting feature blocks a website request when the host in the HTTP CONNECT request differs from the host in the URL requested through that tunnel.
Curl example:
The curl command routes the request through the www.example.com domain (the HTTP CONNECT host) and actually reaches the host fortinet.com. In a packet capture of that traffic only a connection to www.example.com is visible; the real destination, fortinet.com, is hidden inside the tunnel. For more information about domain fronting, see the domain fronting Wikipedia article.
Scope
This feature is available in FortiProxy v7.0.1 and later.
Solution
This behavior is desirable for security purposes, but certain sites use domain fronting legitimately to load content from another source. If known, reputable sites are being blocked because of domain fronting, the cause can be identified by the following message, shown both in the browser and in the logs: 'Traffic denied because of domain fronting'.
To allow access, permit HTTP domain fronting in a new profile protocol options entry and apply that profile in the proxy policy that allows this traffic. The setting is domain-fronting in the http section of the profile; the profile name below is a placeholder:

config firewall profile-protocol-options
    edit <profile_name>
        config http
            set domain-fronting allow
        end
    next
end

The accepted values of set domain-fronting changed from [enable|disable] to [allow|block|monitor] in FortiProxy 7.0.9 and 7.2.3; on earlier builds use the [enable|disable] form documented for that release.
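The check the article describes, and the three values of the setting, modelled in Python so the rule can be exercised against sample traffic. This is an added example written for this page, not Fortinet code and not the FortiProxy implementation; the host normalisation (case, trailing dot, bracketed IPv6 literals), the reading of monitor as "log but pass", and the sample traffic are assumptions made here, not taken from the article.

```python
"""Model of the FortiProxy domain-fronting check (added example, not Fortinet code).

Rule from the article: a request is domain fronting when the host in the HTTP
CONNECT request differs from the host in the URL requested through the tunnel.
Setting values from the article: allow | block | monitor.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Browser/log message quoted in the article for the block action.
DENY_MESSAGE = "Traffic denied because of domain fronting"


def connect_host(authority: str) -> str:
    """Host part of an HTTP CONNECT authority ("host:port"), normalised.

    Lowercases the name, drops the port and a trailing dot, and unwraps a
    bracketed IPv6 literal. These normalisation rules are this example's
    assumption; the article only says the two hosts are compared.
    """
    authority = authority.strip().lower()
    if authority.startswith("["):
        return authority[1:authority.index("]")]
    host, _sep, _port = authority.rpartition(":")
    return (host or authority).rstrip(".")


def url_host(url: str) -> str:
    """Host of the URL requested inside the tunnel, normalised the same way."""
    host = urlsplit(url).hostname  # already lowercased, brackets and userinfo removed
    if host is None:
        raise ValueError(f"URL has no host: {url!r}")
    return host.rstrip(".")


def is_domain_fronted(connect_authority: str, request_url: str) -> bool:
    """The article's rule: fronting when the CONNECT host differs from the URL host."""
    return connect_host(connect_authority) != url_host(request_url)


@dataclass(frozen=True)
class Verdict:
    action: str   # "pass" or "deny"
    logged: bool  # whether a domain-fronting log entry would be written
    message: str


def apply_domain_fronting_setting(mode: str, connect_authority: str, request_url: str) -> Verdict:
    """Map the profile-protocol-options values to an outcome for one request.

    block   -> deny the request and log the article's message
    monitor -> let it through but log it (assumed meaning of 'monitor')
    allow   -> no check at all
    Other values (including the pre-7.0.9/7.2.3 enable|disable) are rejected.
    """
    if mode not in ("allow", "block", "monitor"):
        raise ValueError(f"unknown domain-fronting setting: {mode!r}")
    if mode == "allow" or not is_domain_fronted(connect_authority, request_url):
        return Verdict("pass", False, "")
    if mode == "block":
        return Verdict("deny", True, DENY_MESSAGE)
    return Verdict("pass", True, "domain fronting detected (monitor)")


# Constructed sample traffic: (CONNECT authority, URL requested inside the tunnel).
SAMPLE_TRAFFIC = [
    ("www.example.com:443", "https://fortinet.com/"),                 # the article's curl scenario
    ("www.example.com:443", "https://WWW.EXAMPLE.COM./about"),        # same host, different spelling
    ("www.example.com:443", "https://user@www.example.com:8443/"),    # same host, userinfo and port
    ("[2001:db8::1]:443", "https://[2001:DB8::1]/"),                  # IPv6 literal
    ("cdn.example.net:443", "https://www.example.net/"),              # fronting through a CDN edge
]


def summarize(mode: str) -> list:
    """Apply one setting to the sample traffic; returns (connect, url, action) triples."""
    return [(c, u, apply_domain_fronting_setting(mode, c, u).action) for c, u in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for mode in ("block", "monitor", "allow"):
        print(f"domain-fronting {mode}:")
        for connect, url, action in summarize(mode):
            print(f"  CONNECT {connect:<22} {url:<38} -> {action}")
```

Only the first and last sample pairs are fronting under the article's rule; the others differ in case, trailing dot, userinfo or port but name the same host, so normalising before the comparison matters if the model is to match what a proxy would see.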
Copyright 2025 Fortinet, Inc. All Rights Reserved.