Go-http-client/1.1

Pfui

11:52 pm on Jul 16, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Another oldie-but-baddie discussed here over the years. Comes around multiple times a day from exploited machines all over the place, most places not good. But today, something different...

Usually, the UA goes for:

"GET / HTTP/1.1"

But a bit ago, this:

"CONNECT google.com:443 HTTP/1.1"

What do you make of the 'connect to google port 443' part? Just another version of the exploit (about which I care precious little other than to 403 the UA, and killfile most source IPs)?

lucy24

12:31 am on Jul 17, 2023 (gmt 0)


Crikey. I'd never heard of the CONNECT method, and had to look it up.
"The CONNECT method establishes a tunnel to the server identified by the target resource."
As far as I can tell
:: delving here into newly archived logs ::
the number of times the method has been attempted on any site under my control can be counted on my fingers. (In fact it took so long to find the first one, I wondered if my host simply cuts them off beforehand so they never even show up in logs.)

Four in 2020, two in 2021. One
CONNECT example.com:443
with humanoid user-agent involving Firefox/27 (ha!) and the other five all
CONNECT leakix.net:443
with go/http as advertised.

But wait, the plot thickens. All of those five requests--on dates ranging from July 2020 to February 2021 on two different sites, neither of them my primary site, both with IPv6 addresses--came as part of a set of nine, like this:
[IPv6] - - [time] "CONNECT leakix.net:443 HTTP/1.1" 403 2965 "-" "Go-http-client/1.1" 
[IPv6] - - [time] "GET / HTTP/1.1" 400 0 "-" "TBI-HttpOpenPlugin/0.1.0 (+https://leakix.net/)"
[IPv6] - - [time] "GET /.env HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
[IPv6] - - [time] "GET /.git/config HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
[IPv6] - - [time] "GET /composer.json HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
[IPv6] - - [time] "GET /composer.lock HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
[IPv6] - - [time] "GET / HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
[IPv6] - - [time] "GET /frontend_dev.php/$ HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
[IPv6] - - [time] "GET /debug/default/view?panel=config HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
The last five, starting with /composer, always came in the same order and always from the identical IP; some days got a 400 as shown here, others a 403. The first four came in various orders except that .env always preceded .git and both used the same IP as the final five, while GET / and CONNECT came from random different IPs, each different. If it weren't for the consistent grouping--and the nasty slimy recurring leakix--you would never know that the CONNECT had anything to do with the others.

Gosh. Such a lot of effort, all to be hit with a 403. And I never even knew they were trying.

Pfui

4:02 pm on Jul 18, 2023 (gmt 0)


Haven't seen that nasty-looking UA, Lucy. But I did see the following overnight, courtesy of a Bulgarian/Ionian cloud from Neterra, etc.:

84.54.51.xx
- [17/Jul/2023:20:38:17] "CONNECT google.com:443 HTTP/1.1" 403 1007 "-" "Go-http-client/1.1"
- [18/Jul/2023:05:14:17] "CONNECT google.com:443 HTTP/1.1" 403 1007 "-" "Go-http-client/1.1"

Once is too much, but to re-hit after 10+ hours is router-killfile-worthy (as is seemingly most of Neterra-Bulgaria nowadays). Anyway, if CONNECT is catching on with the "Go-http-client/1.1" crowd and people aren't already blocking either, they might want to now.

lucy24

4:29 pm on Jul 18, 2023 (gmt 0)


:: detour to apache ::

Yup, one possible Require directive is
Require method GET POST HEAD OPTIONS
(i.e. list the methods you do want; anything else, CONNECT included, gets a 403) in case it gets vexatious and isn't blocked by other means such as headers or IP. (I don't archive logged headers, so I can't say exactly what caused the 403s I found.)

not2easy

6:16 pm on Jul 18, 2023 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I just block |client| and haven't seen any client 403s that I wished were not.

Pfui

1:14 am on Jul 19, 2023 (gmt 0)


(I'd allow Client, the blooper-prone favicon-hitting UA that travels with later MacOS versions, if its creator would fix it.)

[webmasterworld.com...]

Pfui

2:21 pm on Jul 23, 2023 (gmt 0)


Another odd wrinkle, this time two same-second hits with one a WordPress exploit. (This UA is increasingly looking like a roll-your-own.) Note the also-wrong double-slash in the second URI:

"GET / HTTP/1.1" 403 1007 "-" "Go-http-client/1.1"
"GET //wp-includes/css/buttons.css HTTP/1.1" 403 1007 "-" "Go-http-client/1.1"

The 4.150.18.2xx IP? Microsoft...
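As an added example (not code from the thread or from any of the posters), here is a small Python triage script for the three things this thread turns up: the CONNECT google.com:443 probes Pfui opened with and their recurrence from one IP, the leakix scan sequence lucy24 reconstructed (.env, .git/config, composer.*, debug pages), and the double-slash //wp-includes probe just above. A CONNECT host:port request sent to an origin web server is a check for an open forward proxy; anything other than a 4xx means you are relaying for them. The log lines inside the script are constructed to match the shapes quoted in the thread, using documentation IPs and made-up timestamps; the tag names, the RECON_PATHS list and the 6-hour recurrence threshold are my own choices.

```python
"""Triage Apache combined-format log lines for the patterns in this thread:
CONNECT host:port (open-proxy probe), the Go default User-Agent, the
leakix-style secrets/config scan and the double-slash WordPress probe.
Added example; SAMPLE_LOG is constructed, not copied from any real server."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat. The request line is split into method/target/
# protocol because CONNECT carries an authority (host:port), not a path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files the leakix sequence asks for: credentials, repo metadata, dependency
# manifests, framework debug pages. Matched as exact path or path prefix.
RECON_PATHS = ("/.env", "/.git/config", "/composer.json", "/composer.lock",
               "/frontend_dev.php", "/debug/default/view")

# Constructed sample, shaped like the lines quoted in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2023:20:38:17 +0000] "CONNECT google.com:443 HTTP/1.1" 403 1007 "-" "Go-http-client/1.1"
203.0.113.7 - - [18/Jul/2023:05:14:17 +0000] "CONNECT google.com:443 HTTP/1.1" 403 1007 "-" "Go-http-client/1.1"
2001:db8::1 - - [18/Jul/2023:05:20:01 +0000] "CONNECT leakix.net:443 HTTP/1.1" 403 2965 "-" "Go-http-client/1.1"
2001:db8::2 - - [18/Jul/2023:05:20:02 +0000] "GET /.env HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
2001:db8::2 - - [18/Jul/2023:05:20:02 +0000] "GET /.git/config HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
2001:db8::2 - - [18/Jul/2023:05:20:03 +0000] "GET /composer.json HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
2001:db8::2 - - [18/Jul/2023:05:20:03 +0000] "GET /debug/default/view?panel=config HTTP/1.1" 400 0 "-" "TBI-WebScanner/0.0.1 (+https://leakix.net/)"
198.51.100.9 - - [23/Jul/2023:12:00:00 +0000] "GET //wp-includes/css/buttons.css HTTP/1.1" 403 1007 "-" "Go-http-client/1.1"
192.0.2.5 - - [23/Jul/2023:12:00:05 +0000] "GET /favicon.ico HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
"""


def parse(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(rec):
    """Tags saying why a hit is interesting; empty list for ordinary traffic."""
    tags = []
    if rec["method"] == "CONNECT":
        # Authority-form target: the client wants a TCP tunnel opened to it.
        host, _, port = rec["target"].rpartition(":")
        tags.append(f"proxy-probe:{host}:{port}")
    path = rec["target"].split("?", 1)[0]
    norm = re.sub(r"/{2,}", "/", path)          # "//wp-includes/x" -> "/wp-includes/x"
    if norm != path:
        tags.append("double-slash")
    if any(norm == p or norm.startswith(p + "/") for p in RECON_PATHS):
        tags.append("recon-path")
    if norm.startswith("/wp-"):
        tags.append("wordpress-probe")
    if rec["ua"].startswith("Go-http-client/"):   # Go's net/http default UA
        tags.append("go-default-ua")
    return tags


def triage(log_text):
    """Group hits by client IP: {ip: {"hits": n, "tags": sorted unique tags}}."""
    per_ip = defaultdict(lambda: {"hits": 0, "tags": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        per_ip[rec["ip"]]["hits"] += 1
        per_ip[rec["ip"]]["tags"].update(classify(rec))
    return {ip: {"hits": v["hits"], "tags": sorted(v["tags"])} for ip, v in per_ip.items()}


def proxy_probes(log_text):
    """(ip, tunnel host, port) for every CONNECT, i.e. who tried to use us as a proxy."""
    out = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "CONNECT":
            host, _, port = rec["target"].rpartition(":")
            out.append((rec["ip"], host, port))
    return out


def recurring_connects(log_text, gap_hours=6.0):
    """IPs that sent a second CONNECT at least gap_hours after their first one."""
    first, flagged = {}, []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        ip = rec["ip"]
        if ip not in first:
            first[ip] = rec["time"]
        elif (rec["time"] - first[ip]).total_seconds() >= gap_hours * 3600 and ip not in flagged:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(f"{ip:14} hits={info['hits']} tags={info['tags']}")
    print("repeat CONNECT offenders:", recurring_connects(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; any IP carrying both a proxy-probe tag and a recon-path tag within one run is the grouped scan lucy24 describes, even when the CONNECT came from a different address than the GETs (group on time window instead of IP to catch that case).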

lucy24

4:09 pm on Jul 23, 2023 (gmt 0)


"the blooper-prone favicon-hitting UA"
Option B is to have separate access controls for the favicon. I do block a few situations, but generally leave it open to allow for things like inadvertently blocked humans. User-agents like "okhttp/2.5.0" certainly don't need it.
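Putting lucy24's Require method suggestion, a case-sensitive version of not2easy's UA block (so the macOS "Client" UA Pfui mentions is not caught by it) and the favicon carve-out from the last post into one Apache 2.4 fragment, as an added example. This is not anyone's actual configuration from the thread; the method list, the use of RequireAll, the okhttp match and the assumption that it lives in a .htaccess with AllowOverride AuthConfig (or a <Directory> block) are my own.

```apache
# Apache 2.4, mod_authz_core. Added example, not a poster's real config.
# In .htaccess this needs AllowOverride AuthConfig on the directory.
<RequireAll>
    # Allow-list the methods the site actually serves. CONNECT, TRACE,
    # PROPFIND etc. fail this Require and get a 403.
    Require method GET POST HEAD OPTIONS

    # Refuse Go's default User-Agent. m#...# is case-sensitive and anchored,
    # so "Client", "okhttp" or anything merely containing "client" still passes.
    Require expr "%{HTTP_USER_AGENT} !~ m#^Go-http-client/#"
</RequireAll>

# "Option B": the favicon gets its own, looser rule so an inadvertently
# blocked human's browser can still fetch it; only library UAs that have
# no use for it (okhttp here, assumed) are refused.
<Files "favicon.ico">
    <RequireAll>
        Require all granted
        Require expr "%{HTTP_USER_AGENT} !~ m#^okhttp/#"
    </RequireAll>
</Files>
```

Two caveats. A CONNECT request may be refused earlier in the request cycle than the authorization phase (the 403s lucy24 found could have come from an IP or header rule), so verify the rule with a raw request, e.g. `printf 'CONNECT example.com:443 HTTP/1.1\r\nHost: yourhost\r\n\r\n' | nc yourhost 80`, and confirm the status in the log. And by default a `<Files>` section replaces, rather than adds to, the enclosing Require configuration, which is why the favicon block repeats its own allow rule instead of inheriting the method list.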