
Re: xxx-draft-spec-for-TLS-normalization.txt



2011/2/2 Jacob Appelbaum <jacob@xxxxxxxxxxxxx>
Hi Bjarni!

Is there any reason that you can't route SSL/TLS traffic to Tor for all
non-SNI requests? Another thing that might work is knowing that all Tor
certificates currently end in .net. So while they're random, it's
certainly possible to know when someone explicitly wants to reach a
different server you certainly know about and isn't in your allowed
lookup table. Anything else can be routed to Tor.

This would work, but the "default fallback" is somewhat of a coveted position, as there are lots of web browsers out there that don't send SNI. So in a shared environment you want to define your "favorite" website as the default fallback, not Tor.

I suppose I could add a feature to Pagekite where the default is different for requests with SNI from requests without... best add that to the list, I guess. :-)

I was also approaching this from the POV of a service provider, offering front-ends to a large number of random people. Most of them would be running websites, but if some wanted to contribute to Tor via my service, I would like to let them. But without an SNI name I can use to choose between them, that doesn't really work, as picking a random Tor backend would probably break the path decision logic in Tor if I understand things correctly.

Older clients without SNI will of course have issues and all be routed
to Tor but perhaps this can be documented - surely some people will
still use it?

Hopefully!

--
Bjarni R. Einarsson
The Beanstalks Project ehf.

Making personal web-pages fly: http://pagekite.net/
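The routing decision the thread is about (pick a backend from the ClientHello's SNI, fall back to a configured default when the client sent none, and optionally use a different default for an SNI that is not in the lookup table) is shown below as an added example. This is not Pagekite's or Tor's code; the backend labels, the hostnames and the `build_client_hello` helper that fabricates test ClientHellos are constructed for the example.

```python
import struct


def extract_sni(data: bytes):
    """Return the host_name from a TLS ClientHello's server_name extension.

    Returns None when the ClientHello carries no SNI (typical of older clients);
    raises ValueError when the bytes are not a well-formed TLS ClientHello.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack(">H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) != rec_len or body[0] != 0x01:   # 0x01 = ClientHello
            raise ValueError("not a complete ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            raise ValueError("truncated ClientHello")

        pos = 2 + 32                                  # client_version + random
        pos += 1 + hello[pos]                         # session_id
        pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                         # compression_methods
        if pos >= len(hello):
            return None                               # no extensions block at all

        ext_total = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(hello):
            raise ValueError("extensions overrun ClientHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype != 0x0000:                       # 0 = server_name extension
                continue
            list_len = struct.unpack(">H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = edata[p]
                name_len = struct.unpack(">H", edata[p + 1:p + 3])[0]
                p += 3
                name = edata[p:p + name_len]
                p += name_len
                if name_type == 0x00:                 # 0 = host_name
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def is_tls_client_hello(data: bytes) -> bool:
    """True if the bytes parse as a ClientHello (with or without SNI)."""
    try:
        extract_sni(data)
        return True
    except ValueError:
        return False


def choose_backend(client_hello: bytes, table: dict, no_sni_default: str,
                   unknown_sni_default: str = None) -> str:
    """Front-end routing rule: SNI lookup, with separate defaults for
    "no SNI at all" and "SNI present but not in the table"."""
    name = extract_sni(client_hello)
    if name is None:
        return no_sni_default                         # old browsers land here
    if unknown_sni_default is None:
        unknown_sni_default = no_sni_default
    return table.get(name.lower(), unknown_sni_default)


def build_client_hello(sni: str = None) -> bytes:
    """Constructed minimal TLS ClientHello for testing; zero random, one
    cipher suite, null compression, and a server_name extension if sni is set."""
    body = (b"\x03\x03" + bytes(32)            # version + 32-byte random (zeros)
            + b"\x00"                          # session_id length 0
            + struct.pack(">H", 2) + b"\x00\x2f"   # one cipher suite
            + b"\x01\x00")                     # one compression method: null
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name
        sn_list = struct.pack(">H", len(entry)) + entry
        ext = struct.pack(">HH", 0x0000, len(sn_list)) + sn_list
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    table = {"site.example": "site-backend"}          # constructed routing table
    print(choose_backend(build_client_hello(), table, "site-backend", "tor-backend"))
    print(choose_backend(build_client_hello("other.example"), table, "site-backend", "tor-backend"))
```

The two defaults are what the reply asks for: a non-SNI connection goes to the operator's "favorite" site, while an SNI that is not in the table can be sent elsewhere. Anything that is not a TLS ClientHello (plaintext on the port, a garbage record) raises `ValueError`, so the caller can drop or log it instead of routing it to a default backend.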