> only a custom app like Signal can perform domain fronting.
Or curl, or openssl s_client. I'm still trying to understand domain fronting, and exactly what is being disallowed now. Do all of my CDN requests have to have identical Host headers and TLS server name indicators now? What if they're mismatched? Does the TLS handshake still succeed, and the traffic just doesn't get passed through the CDN server?
Well, the current conflict is with Amazon; your CDN might or might not object to domain fronting.
Amazon is not saying that they must match, they're saying that you can't use someone else's domain for domain fronting without their permission. That is, if the domains don't match, whoever owns the domain indicated in the TLS server name must give express permission to do that.
I don't think their infrastructure can actually block it, they just ban your CloudFront account if they happen to know this is going on. So you can probably get away with it if you keep quiet and nobody finds out.
> Well, the current conflict is with Amazon; your CDN might or might not object to domain fronting.
Yeah, understood, I meant CloudFront specifically.
> I don't think their infrastructure can actually block it
If I terminate TLS at CloudFront they can certainly compare SNI with the Host header and block on any mismatches. This is silly of course, since there are legit reasons to do this.
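The SNI-versus-Host question raised earlier in the thread and the CDN-side comparison described in the last reply, worked through in code. This is an added example, not code from any commenter or from CloudFront: it builds a minimal TLS 1.2 ClientHello carrying a server_name extension (RFC 6066), parses the SNI back out of the raw record, reads the Host header from an HTTP/1.1 request head, and applies the policy the thread describes (allow when the two names agree or the SNI domain's owner has permitted the Host domain, block otherwise). The domain names and the permission table are constructed for the example and are hypothetical.

```python
import struct
from typing import Optional

def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record; sni=None omits the extensions block.

    Only the fields needed to exercise SNI parsing are realistic; random,
    session id, cipher suites and compression are placeholders.
    """
    if sni is None:
        extensions = b""
    else:
        host = sni.encode("ascii")
        # server_name extension body: ServerNameList { ServerName { host_name(0), name } }
        server_name = struct.pack("!BH", 0, len(host)) + host
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
        extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x00" * 32                           # random (placeholder)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record

def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # skip version and random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos + 2 > len(body):
        return None                                          # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type == 0x0000:
            p = 2                                            # skip ServerNameList length
            while p + 3 <= len(data):
                name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("ascii")
                p += name_len
    return None

def parse_host_header(request: bytes) -> Optional[str]:
    """Return the Host header of an HTTP/1.1 request head, lower-cased, port stripped."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    return None

# Hypothetical permission table for the CDN-side check: the owner of the SNI
# domain (key) has expressly allowed these Host domains (values) to be fronted
# through it. Names are constructed for this example.
FRONTING_PERMISSIONS = {
    "cdn-front.example": {"cdn-front.example", "partner-app.example"},
}

def cdn_decision(record: bytes, request: bytes, permissions=FRONTING_PERMISSIONS) -> str:
    """What a TLS-terminating edge could do with one request: "allow", "block" or "no-sni"."""
    sni = parse_sni(record)
    host = parse_host_header(request)
    if sni is None:
        return "no-sni"          # nothing to compare the Host header against
    sni = sni.lower()
    if host is None:
        return "block"
    if host == sni or host in permissions.get(sni, set()):
        return "allow"
    return "block"               # SNI and Host disagree and no permission is on file

def http_request(host: str, path: str = "/") -> bytes:
    """Constructed HTTP/1.1 request head with the given Host header."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")

if __name__ == "__main__":
    hello = build_client_hello("cdn-front.example")
    for host in ("cdn-front.example", "partner-app.example", "hidden-service.example"):
        print(f"SNI=cdn-front.example Host={host}: {cdn_decision(hello, http_request(host))}")
```

The point of splitting the two parsers is that the names live in different layers: the SNI is readable by anyone on the path before TLS is even established, while the Host header is only visible to whoever terminates TLS. That is why the edge that terminates TLS is the only place the comparison can be made, and why a passive observer sees just the front domain.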