Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
576 questions
Domain Fronting Blocking vs SNI/Host-Header mismatch on the way to the origin
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 74%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
metalheart
361
Reputation points
As Microsoft has announced block domain fronting behavior on newly created Azure Front Door (AFD) profiles (and in 11/2023 also on existing ones) is going to be blocked I'd like to verify whether anything changes in below scenario:
Setup:
We have 10s of AFD routes with custom domains that have AFD-managed certificates. The routes point to an origin which is a Windows VM where the sites are hosted in IIS. Since the TLS tunnel is terminated at AFD, we want to make sure that the communication path from AFD to the origin is also secured. Because AFD-managed certificates are not exportable and we want to make the setup possibly simple, we want to use the wildcard certificate for our domain (CN=*.contoso.com) at the origin.
To do so, we set the hostname for the origin resource in AFD (which is used for selecting the certificate) to a fake hostname under the contoso.com domain and add a binding for the fake hostname to the IIS website.
Leaving the Origin host header blank creates a similar situation than in domain fronting, namely that one identifier (Origin host name) is used for selecting the certificate and a different one (the original host header from the client request) is used for selecting the IIS webroot on the origin server, i.e. overall the connection looks like this:
Now, as long as the incoming client request doesn't use domain fronting, is the scenario on the back-end going to work?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 22,776 Reputation points Microsoft Employee2022-11-11T03:31:03.727+00:00 @metalheart ,
Thank you for reaching out. I am reaching out to the team internally regarding this issue and will provide an update as soon as I get a response. -
metalheart 361 Reputation points
2022-11-14T05:45:32.95+00:00 Hi @ChaitanyaNaykodi-MSFT is there any update on this?
-
ChaitanyaNaykodi-MSFT 22,776 Reputation points Microsoft Employee
2022-11-16T00:29:30.803+00:00 @metalheart , apologies for the delay I am still following up on this issue and will make an update as soon as I get a response. Thank you!
-
ChaitanyaNaykodi-MSFT 22,776 Reputation points Microsoft Employee
2022-11-19T02:13:44.96+00:00 @metalheart , apologies for the delay,
Can you please take a look at my private comment below. Thank you!
Sign in to comment