ideas: TLS-aware firewall for outgoing traffic

i’d love to have linux-based strict firewall for outgoing traffic. one that can allow for traffic to specific domain name [behind CDN], rather than fixed IP addresses.

i did not find yet something that would tick all my check boxes, nevertheless – few links to related projects and discussions:

• https://serverfault.com/questions/1133064/transparent-https-proxy-with-squid-using-sni
• https://github.com/luainkernel/snihook
• https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
• https://github.com/gibbon4ik/xt_tlslist
• https://github.com/Lochnair/xt_tls