> So presumably Iran has a reverse proxy in front of the entire internet for HTTP?

Standard DPI firewalls can do that for you. Absolutely no issue.

For the path component, in a TLS secured request?

	▲	bobmcnamara 4 hours ago \| parent [-]
		It's a CDN, not an IP router. CDNs usually terminate TCP+TLS as close to the client as possible. This used to be done right at the edge - within the NIC for a long time, but CPUs have been more than capable for the last decade+ Few guesses: 1) CDN connects to backend server over TLS, using the national I.R. Iran root CA 2) CDN connects to backend server over HTTP 3) Backend server is running a nationally blessed Linux OS For 1 & 2, the National Information Network would be implementing this DigiNotar style but they already own the root keys. For #3, the backend does so itself. These are the people who p0wned DigiNotar after all.