diff --git a/internal/util/forwarder/sniffer_tls.go b/internal/util/forwarder/sniffer_tls.go index d1dfd96f..b0bb72fa 100644 --- a/internal/util/forwarder/sniffer_tls.go +++ b/internal/util/forwarder/sniffer_tls.go @@ -50,12 +50,16 @@ func (h *Sniffer) HandleTLS(ctx context.Context, conn net.Conn, opts ...HandleOp } host := normalizeHost(clientHello.ServerName, "443") - if host != "" { - ro.Host = host - - if ho.bypass != nil && ho.bypass.Contains(ctx, "tcp", host, bypass.WithService(ho.service)) { - return xbypass.ErrBypass + if host == "" { + if ho.log != nil { + ho.log.Debugf("no sni in clienthello from %s", conn.RemoteAddr()) } + return nil + } + ro.Host = host + + if ho.bypass != nil && ho.bypass.Contains(ctx, "tcp", host, bypass.WithService(ho.service)) { + return xbypass.ErrBypass } node, cc, err := h.dialTLS(ctx, host, &ho) diff --git a/internal/util/sniffing/sniffer_tls.go b/internal/util/sniffing/sniffer_tls.go index 7924e9ca..69c8b31e 100644 --- a/internal/util/sniffing/sniffer_tls.go +++ b/internal/util/sniffing/sniffer_tls.go @@ -48,12 +48,16 @@ func (h *Sniffer) HandleTLS(ctx context.Context, network string, conn net.Conn, } host := normalizeHost(clientHello.ServerName, "443") - if host != "" { - ro.Host = host - - if ho.bypass != nil && ho.bypass.Contains(ctx, network, host, bypass.WithService(ho.service)) { - return xbypass.ErrBypass + if host == "" { + if log != nil { + log.Debugf("no sni in clienthello from %s", conn.RemoteAddr()) } + return nil + } + ro.Host = host + + if ho.bypass != nil && ho.bypass.Contains(ctx, network, host, bypass.WithService(ho.service)) { + return xbypass.ErrBypass } dial := ho.dial