Fastly and Fronting

Domain fronting has been around for some time now. It has its legitimate use cases for bypassing censorship along with use by pen testers, red teams, and attackers. This post isn’t designed to explain what domain fronting is, there are many posts out there which have been written on this topic. But what we do want to discuss is to show how Fastly can be used to front through reputable domains. So let's get started!

The first thing you are going to do is create a "service" within Fastly. If you want, edit the name of the service in the top left corner. Otherwise, what you'll see standing out right in the middle of the service creation is the domain that you want to use. This is going to be the domain that will eventually point to your teamserver, handler, etc. Provide the domain, and then hit "Add".

Add Domain Pointing to Your Teamserver

You should then see the name of your domain within the "Domains" page.

Now that the domain is added, you will want to create the necessary DNS record (CNAME) so that your traffic goes to Fastly. You'll want to create a wildcard CNAME record which points to <yourdomainname>.global.prod.fastly.net. Your record should look similar to the following image.

CNAME Record

With that done, it's time to turn back to your Fastly configuration. The next step is to create a "Host" within your service. To start, just type the subdomain that points to your team server and hit add.

Add Subdomain Pointing to Teamserver

Once you've done that, you should see your domain listed along with extra information. You can further edit the host information. To see what you can change, click on the pencil next to your host domain record.

Host Information Displayed

The interesting option that Fastly allows you to configure, is whether or not it will verify the TLS certificate.

Disabling TLS Certificate Verification

Now, do you want to do this? Likely not, we're security professionals, we can secure our comms. But it is interesting and we wanted to point it out because (as of yet) we don't know of any other CDN which would let you use a self-signed certificate.

Next up, you'll want to click on the "Settings" section on the side navigation. Once you've done that, scroll down near the bottom and you'll see a section for "Request settings". Click on the button that says "Create Your First Request Setting". You can provide a name for this, but the big setting you need to set is for "Action". Make sure that it is set to "Pass (do not cache)" so that all requests are forwarded to your teamserver and not cached by the CDN.

Action - Pass

Once you've saved this, you're going to follow a similar process within the "Settings" section by selecting "Create Your First Cache Setting". Within this page, provide the setting a name, change the TTL to , and change the "Action" to "Pass (do not cache)" and hit "Create".

Once you've set that, you're good! Hit "Activate" at the top to activate your service, then test out your front! Assuming you have a listener/handler active (with a valid SSL certificate), try out the following curl command and verify that you received in incoming request.

curl -v --header "Host: <yourdomain.com>.global.prod.fastly.net" https://<fastly_frontable_domain>/FortyNorth.txt

Working Front

We hope you found this post informative. Feel free to explore our past blog posts and if you ever have any feedback, contact us!