Azure CDN is throwing 421 HTTP Error on Mobile Web Browsers

Shane Kunz 30 Reputation points
2023-04-03T21:16:49.17+00:00

When accessing some Azure Storage Blob files on a mobile web browser like Safari and Chrome, some files like CSS and images throw a 421 HTTP Error when accessing them through the CDN, but when accessing them directly through the Azure Blob URL they work fine. How can we fix this?

Azure Storage Accounts

Accepted answer
  1. KarishmaTiwari-MSFT 18,527 Reputation points Microsoft Employee
    2023-04-07T07:06:33.2566667+00:00

    @Shane Kunz Thanks for posting your query on Microsoft Q&A.

    As per Microsoft official documentation,

    Beginning November 8, 2022, all newly created Azure Front Door (Standard, Premium and Classic tier) or Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. Requests where the host header in the HTTP/HTTPS request doesn't match the original TLS SNI extension used during the TLS negotiation get blocked.

    When Front Door blocks a request due to a mismatch:

    • The client receives an HTTP "421 Misdirected Request" error code response.
    • Azure Front Door logs the block in the diagnostic logs under the "Error Info" property with the value SSLMismatchedSNI.

    If you would like to turn off the domain fronting feature (which could be blocking your HTTP/HTTPS requests and throwing the 421 error), please create a support request via the Azure portal and request the same. This has resolved the issue for customers in the past.

    If you do not have the ability to create a support request, send an email to 'AzCommunity@microsoft.com' with the subject "Attn:Karishma" and a link to this post.

    For more information about domain fronting, see Securing our approach to domain fronting within Azure.

    Reference post: https://stackoverflow.com/questions/75165055/occasionally-receiving-421-response-code-from-azure-front-door-when-using-wildca/75541805#75541805

    Thanks for bringing this to our attention. I will also share the feedback about this new feature with the Product team.

    If you have any questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

    If this helps, please 'Accept answer' so that it can help others in the community looking for help on the same topic.

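To check from the diagnostic logs whether the 421 responses come from the block described in the answer above, the following Python script counts blocked requests per TLS SNI / Host header pair. It is an added example, not part of the original answer or Microsoft's code; the log lines are constructed, and every JSON field name (`properties`, `httpStatusCode`, `errorInfo`, `hostName`, `sni`) is an assumption to map onto your own log export. Only the value `SSLMismatchedSNI` comes from the answer.

```python
import json
from collections import Counter

# Constructed sample records, one JSON object per line (not real logs).
# Field names are assumptions; adapt them to your diagnostic log schema.
SAMPLE_LOG = """\
{"properties":{"httpStatusCode":"200","errorInfo":"NoError","hostName":"cdn.example.com","sni":"cdn.example.com"}}
{"properties":{"httpStatusCode":"421","errorInfo":"SSLMismatchedSNI","hostName":"cdn.example.com","sni":"assets.example.com"}}
{"properties":{"httpStatusCode":421,"errorInfo":"SSLMismatchedSNI","hostName":"CDN.example.com","sni":"assets.example.com"}}
{"properties":{"httpStatusCode":"404","errorInfo":"NoError","hostName":"cdn.example.com","sni":"cdn.example.com"}}
{"properties":{"httpStatusCode":"421"
{"properties":{"httpStatusCode":"421","errorInfo":"SSLMismatchedSNI","hostName":"cdn.example.com","sni":"www.example.com"}}
"""


def mismatched_sni_blocks(lines):
    """Yield the properties of requests blocked with 421 / SSLMismatchedSNI."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        props = record.get("properties") if isinstance(record, dict) else None
        if not isinstance(props, dict):
            continue
        # Status may be exported as a string or a number; compare as text.
        if (str(props.get("httpStatusCode")) == "421"
                and props.get("errorInfo") == "SSLMismatchedSNI"):
            yield props


def summarize(lines):
    """Count blocked requests per (TLS SNI, Host header) pair, case-insensitively."""
    pairs = Counter()
    for props in mismatched_sni_blocks(lines):
        sni = str(props.get("sni", "?")).lower()
        host = str(props.get("hostName", "?")).lower()
        pairs[(sni, host)] += 1
    return pairs


if __name__ == "__main__":
    for (sni, host), count in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:4d}  SNI={sni}  Host={host}")
```

The pairs with the highest counts show which hostname the TLS connection was negotiated for and which hostname the blocked request then asked for.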
