I have seen that the common consensus around HTTPS URLFiltering seems to be run a web proxy to do the filtering of HTTPS URLs.
I imagine this is working by seeing the SNI and stopping the TLS handshake thus dropping the connection.
But as Cloudflare is pushing for encrypted SNI as an extension of TLS 1.3, how will we be filtering HTTPS URLs when/if encrypted SNI has a large uptake?
I think the web proxy will no longer be able to inspect the SNI to do the filtering right?
If an application has a proxy configured, it passes the desired FQDN to it - the proxy machine must know that in order to establish a TCP connection to the right IP address.
To my knowledge, eSNI is therefore no issue for users of applications being capable to use a HTTP proxy.
yes, this is the usual procedure. Sometimes, crappy software does things wrong (i. e. by sending a GET request for a HTTPS destination), but the majority of common browsers behaves fine here.