Problem
Subscription endpoints behind a CDN get blocked by SNI-based DPI even when the edge IPs stay reachable. Today Anywhere fetches a subscription with TLS SNI == HTTP Host, so once the real host's SNI is blocklisted, subscription updates break.
Proposal
Support domain fronting for subscription fetching, configured inside the subscription URL via query params — no extra UI, imports cleanly through anywhere://add-proxy.
Example:
https://visa.com/<shortUuid>?resolve-address=visa.com&host=cfhosteddomain.com
| Part | Role |
| --- | --- |
| URL host (`visa.com`) | TLS SNI / front domain in ClientHello |
| `resolve-address` | domain to DNS-resolve & connect to (becomes the connected host → also the SNI) |
| `host` | real HTTP `Host:` header — the actual CDN origin (`cfhosteddomain.com`) |
| path (`/<shortUuid>`) | sent as-is to the real origin |
Request: resolve `resolve-address` → TLS handshake with SNI = front domain → `GET /<shortUuid>` with `Host: cfhosteddomain.com`. Both params optional; absent ⇒ unchanged behavior.
Implementation note (this is doable with `URLSession`)
Fronting does not require dropping to a raw TLS stack. The proven pattern:
- Rewrite the request URL's host to the front domain so the OS sets SNI to it.
- Set the HTTP `Host:` header to the real origin.
- Provide a `URLSessionDelegate` that accepts the front domain's server trust for the connection.
Base64 import
The same link can be imported as a plain URL or base64-encoded — a direct URL is not required. The importer should base64-decode the input first; if it decodes to a valid `http(s)://…` subscription URL, use that, otherwise treat the input as a plain URL. Applies to both manual paste and `anywhere://add-proxy?link=<…>`, so a fronting link can travel as an opaque base64 blob.
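The param contract and the base64 import rule above, worked through as an added Python example (not the project's own Swift code): `plan_fetch` turns a subscription link into the connect target, SNI, `Host:` value and path, and `decode_import` applies the decode-first rule. The hostname check on values taken from the link and the removal of the two fronting params from the forwarded query are assumptions made here, not part of the proposal.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

# Names taken from an untrusted link feed DNS, the SNI and the Host: header,
# so only a plain DNS name is accepted (no whitespace, CR/LF, ports or paths).
_HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")

@dataclass(frozen=True)
class FetchPlan:
    connect_host: str  # name that is DNS-resolved and connected to
    sni: str           # name placed in the TLS ClientHello
    http_host: str     # value of the HTTP Host: header
    path: str          # path (plus any leftover query) sent to the origin

def _checked_host(name: str) -> str:
    if not _HOSTNAME.fullmatch(name):
        raise ValueError(f"invalid hostname in subscription link: {name!r}")
    return name.lower()

def plan_fetch(url: str) -> FetchPlan:
    """resolve-address picks the connect target (and so the SNI), host picks the
    Host: header; both default to the URL host. Assumption: both params are stripped."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) subscription URL")
    front = _checked_host(parts.hostname)
    query = parse_qs(parts.query, keep_blank_values=True)
    connect = _checked_host(query.pop("resolve-address", [front])[0] or front)
    origin = _checked_host(query.pop("host", [front])[0] or front)
    rest = urlencode(query, doseq=True)
    return FetchPlan(connect, connect, origin, (parts.path or "/") + (f"?{rest}" if rest else ""))

def encode_import(url: str) -> str:
    """Wrap a link as the opaque base64 blob the importer accepts."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")

def decode_import(link: str) -> str:
    """Import rule: base64-decode first, keep the result only if it is an http(s) URL."""
    raw = link.strip()
    try:
        decoded = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return raw
    if decoded.startswith(("http://", "https://")) and urlsplit(decoded).hostname:
        return decoded
    return raw
```

A plain `https://…` link never decodes as base64 (`:` and `/` are outside the alphabet), so the decode-first order cannot misread a direct URL; the only ambiguity is a short token that is valid base64 but not a URL, which falls through to plain-URL handling.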
I'm happy to implement this and send a PR — opening the issue first to confirm the approach and the param contract.