by jeffsmith82 2246 days ago
Had the Great Firewall of China block one of the sites I was building for a customer once, many years ago. It could only do it for HTTP and not HTTPS, so I'm assuming it reads the request from the client, works out it's an HTTP request to an unauthorized IP and sends the reset packet. You can't read the payload for HTTPS, so it didn't know to send the RST packet, I'm assuming. Took a while and some playing with Wireshark to work out what was going wrong.

Spoke to someone in the datacenter we were hosting in and they got us added to some government whitelist and it all started working again.


I guess if it worked at the IP level, it wouldn't matter whether or not the transport was encrypted. I'd wager it worked by sniffing the Host header in the request, and as this was "many years ago" it most likely predated Server Name Indication in TLS, so encryption was enough to thwart a host-based blocking approach. Now of course, with SNI, the host is in clear text in the ClientHello (unless using TLS 1.3 ESNI), so the GFC could still block using hostnames even with TLS.
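The distinction the reply draws (the Host header is readable in a plaintext HTTP request, while a TLS connection only exposes the hostname if the ClientHello carries an SNI extension) can be checked directly on the wire bytes. The Python below is an added example, not code from this thread; the HTTP request and ClientHello messages it handles are constructed, and build_client_hello is a simplified hypothetical builder that emits only the fields the parser needs, not a full TLS implementation.

```python
"""
Shows what a middlebox can read about the destination host from the first
client packet: the Host header of plaintext HTTP, and the SNI extension of a
TLS ClientHello. All messages here are constructed samples, not captures.
"""
import struct
from typing import Optional


def http_host(request: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello record, with or without SNI."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerName entry: name_type 0 (host_name), uint16 length, name bytes
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x11" * 32          # random (fixed, constructed)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # cipher_suites: one suite
        + b"\x01\x00"           # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    # Handshake header: type 1 (client_hello) + uint24 length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version 3.1, uint16 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes) -> Optional[str]:
    """Extract the SNI host_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:        # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # compression_methods
    if len(body) < pos + 2:
        return None                                 # no extensions: pre-SNI hello
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:
            # server_name_list: uint16 list length, then (type, uint16 len, name)
            if edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def visible_host(packet: bytes) -> Optional[str]:
    """Hostname a passive observer could read from the first client packet."""
    return tls_sni(packet) if packet[:1] == b"\x16" else http_host(packet)


if __name__ == "__main__":
    http_req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"   # constructed
    print("HTTP:      ", visible_host(http_req))                      # example.com
    print("TLS+SNI:   ", visible_host(build_client_hello("example.com")))  # example.com
    print("TLS no SNI:", visible_host(build_client_hello(None)))      # None
```

The ordering of fields walked by tls_sni (version, random, session_id, cipher_suites, compression_methods, extensions) is the ClientHello layout from the TLS RFCs, which is why the hostname is recoverable before any key exchange has happened; the same walk over a ClientHello that carries no extensions block returns nothing, matching the pre-SNI behaviour the thread describes.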