• Only port 80 and 443 are allowed for HTTP/HTTPS connections.

HTTP

• Firewall checks for the host header.
• If the domain is allowed, it shall pass under any IP addresses.
• If you try to connect without a header (IP only) firewall blocks it (except some of the IP addresses like google.com's will work fine).

HTTPS

• Firewall checks for SNI.
• If the domain is allowed, it shall pass under any IP addresses.
• Having a blocked domain on the host header works as long as there’s an allowed domain on the SNI.

HTTP/2 HTTPS

• Any connection over HTTP/2 won’t work because TLS inspection forces the traffic to use HTTP/1.1.
• Therefore, only websockets can be used on domains that are subject to TLS inspection.
• Since there’s no TLS inspection on YouTube, HTTP/2 can be used over www.youtube.com.
  • 23/12/2021 Update: Today’s test indicate that they got the wiser and enabled back youtube.com for TLS inspection. The domain is still not blocked.

HTTP request without a domain on the host header

• Firewall allows connecting to some IP addresses without a host header:

Works:

• google 216.58.206.206
• yandex 5.255.255.80
• youtube 172.217.169.142

Won't work