stackoom
  简体   繁体   中英

Occasionally receiving 421 response code from Azure Front Door when using wildcard route

 原文  2023-01-18 20:39:52       azure/ wildcard-subdomain/ azure-front-door/ azure-static-website-hosting/ http-status-code-421

Question

We are using Azure Front Door to serve our white-labeled static website, which means we need our customers to be able to access it through unique subdomains (eg, cust1.domain.com and cust2.domain.com ).

We CNAME *.domain.com to our Front Door instance via DNS, map a route for *.domain.com and have bound it to a custom *.domain.com wildcard certificate (not managed, which is unsupported). The route is pointing to an origin group that in turn points to a "Storage (Static website)" origin similar to prod-storage.z14.web.core.windows.net .

Occasionally on Safari, we receive a response that looks like:

<h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p>0a1LIYwAAAADIYjiE3LgzTLfw86bqHEd5Q0hHRURHRTE2MTAAYTk0OGVmNjEtMTk3NS00ZjA0LTkwMjgtOTgwY2I4YzllYzFl

When reviewing the.network tab, we're seeing that response is actually a 421 Misdirected Request . My assumption is that it has to do with this update: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-does-front-door-handle--domain-fronting--behavior--

What is the correct way to set up this flow to avoid this new issue from Front Door ? Our case is somewhat unique and not documented as far as I can tell.

I have seen solutions that include turning off HTTP/2, creating a separate cert per domain and using different IPs - none of which are effective nor will scale with our solution because we need to create new subdomains on the fly with no limitations (ie, it's not realistic to programmatically add them to AFD).

2 answers

solution1
 1  2023-01-19 19:54:19

I ended up solving this by contacting Microsoft support and asking them to turn off the domain fronting block, which appears to have completely resolved the issue on Safari based on our follow up testing. Was hoping for a better solution but this works for us for now.

solution2
 0  2023-01-19 01:58:17

Interesting that AFD is a reverse proxy, and RFC 7540 9.1.2. states proxies should NOT be generating this response. MS as of November banned domain fronting and supposedly had given warning as of I think April last year to get users to move away from it.

From other research it looks like the reason why Safari doesn't handle this correctly is that the same RFC section referenced above says the client "MAY try the request -- whether the request method is idempotent or not -- over a different connection." Safari doesn't appear to retry this TLS connection with correct SNI, whereas other browsers will.

What I'm curious about though is how this looks in a trace. For your other browsers that are working, do the Dev Tools show this 421 being returned followed by an immediate attempt to retrieve the resource again?

https://www.rfc-editor.org/rfc/rfc7540#section-9.1.2

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to activate compression for Azure Front Door routes using Bicep? Azure Active Directory B2C with Azure Front door auth response uses wrong domain Azure Front Door with Azure Signal R Synchronising in memory data between Azure Front Door back end instances Can we undelete or undo or recover the deleted Azure Front Door instance Azure Front Door Designer - Update Custom Domain - New SSL use terraform how to add custom domain to Azure front door URL Rewrite in Azure Front Door (Preview) Standard/Premium Is there a way to connect an Azure firewall to a Front Door Premium Policy with Bicep? bicep azure front door deploy what-if does not show custom domain changes
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM