Azure CDN is throwing 421 HTTP Error on Mobile Web Browsers

Andris 0 Reputation points
2023-05-02T14:34:00.6566667+00:00

When accessing some Azure Storage Blob files on a mobile web browser like Safari and Chrome, some files like CSS and images throw a 421 HTTP Error when accessing them through the CDN, but when accessing them directly through the Azure Blob URL they work fine. How can we fix this?

I know there was another issue, and in the comment there was a suggestion to write an email. I did it. And I got the answer to start a new thread to solve the problem. Could you please turn off the domain fronting feature for us?

Azure Storage Accounts

2 answers

  1. KarishmaTiwari-MSFT 18,527 Reputation points Microsoft Employee
    2023-05-02T16:18:52.56+00:00

    @Andris Thanks for posting your query on Microsoft Q&A.

    As per Microsoft official documentation,

    Beginning November 8, 2022, all newly created Azure Front Door (Standard, Premium and Classic tier) or Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. Requests where the host header in the HTTP/HTTPS request doesn't match the original TLS SNI extension used during the TLS negotiation get blocked.

    When Front Door blocks a request due to a mismatch:

    • The client receives an HTTP "421 Misdirected Request" error code response.
    • Azure Front Door logs the block in the diagnostic logs under the "Error Info" property with the value SSLMismatchedSNI.

    If you would like to turn off the domain fronting feature (which could be blocking your HTTP/HTTPS requests and throwing 421 error), please create a support request via Azure portal and request for the same. This has resolved the issue for customers in the past.

    If you do not have the ability to create a support request, send an email to 'AzCommunity@microsoft.com' with the Sub- Attn:Karishma and a link to this post.

    For more information about domain fronting, see Securing our approach to domain fronting within Azure.

    Reference post: https://stackoverflow.com/questions/75165055/occasionally-receiving-421-response-code-from-azure-front-door-when-using-wildca/75541805#75541805

    If you have any questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

    If this helps, please 'Accept answer' so that it can help others in the community looking for help on the same topic.

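One way to confirm that the 421 responses come from the block described in the answer above, before opening a support request. This is an added example, not code from the answer or from Microsoft: it scans exported diagnostic log lines for 421 responses whose error info is SSLMismatchedSNI and groups them by SNI, Host and user agent. The log lines are constructed, and the JSON key names are assumptions.

```python
import json
from collections import Counter

# Constructed sample records, one JSON object per line. The key names
# (hostName, sni, httpStatusCode, errorInfo, userAgent) are assumptions;
# map them to whatever your diagnostic log export actually uses.
SAMPLE_LOG = """\
{"hostName":"www.example.com","sni":"www.example.com","httpStatusCode":200,"errorInfo":"NoError","userAgent":"Mobile Safari"}
{"hostName":"static.example.com","sni":"www.example.com","httpStatusCode":421,"errorInfo":"SSLMismatchedSNI","userAgent":"Mobile Safari"}
{"hostName":"static.example.com","sni":"www.example.com","httpStatusCode":"421","errorInfo":"SSLMismatchedSNI","userAgent":"Chrome Mobile"}
{"hostName":"Static.Example.com","sni":"www.example.com","httpStatusCode":421,"errorInfo":"SSLMismatchedSNI","userAgent":"Mobile Safari"}
this line is not JSON
{"hostName":"static.example.com","sni":"static.example.com","httpStatusCode":421,"errorInfo":"ConstructedOtherError","userAgent":"Mobile Safari"}
"""

def status_of(rec):
    """Status code as int; exports may store it as a number or a string."""
    try:
        return int(rec.get("httpStatusCode", 0))
    except (TypeError, ValueError):
        return 0

def triage(log_text):
    """Count SSLMismatchedSNI 421s per (sni, host, user agent); keep other 421s apart."""
    blocked, other_421, malformed = Counter(), [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            malformed += 1  # unparsable or non-object line: count it, do not crash
            continue
        if status_of(rec) != 421:
            continue
        if rec.get("errorInfo") == "SSLMismatchedSNI":
            key = tuple(str(rec.get(k, "?")).lower() for k in ("sni", "hostName", "userAgent"))
            blocked[key] += 1
        else:
            other_421.append(rec)  # a 421 with another cause needs separate investigation
    return blocked, other_421, malformed

if __name__ == "__main__":
    blocked, other, bad = triage(SAMPLE_LOG)
    for key, n in blocked.most_common():
        print(n, *key)
    print("other 421s:", len(other), "unparsable lines:", bad)
```

The grouped output shows which SNI and Host pairs trigger the block, which is the detail worth including in the support request.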

  2. VasimTamboli 4,415 Reputation points
    2023-05-02T18:06:56.7766667+00:00

    421 HTTP Error typically occurs when a client's request has been rejected by the server due to a misconfiguration or a security policy violation. In this case, it may be related to the CDN's domain fronting feature that you mentioned.

    Here are some steps you can try to resolve the issue:

    Disable domain fronting feature: As you mentioned, turning off the domain fronting feature for your CDN might resolve the issue. You can do this by accessing your Azure CDN profile settings and looking for the "Domain Fronting" option.

    Clear browser cache: Clearing the cache and cookies in the affected mobile web browsers can sometimes resolve issues related to CDN caching.

    Check CDN endpoint configuration: Verify that your Azure CDN endpoint configuration is correctly set up to point to the correct Azure Storage Blob container that contains the files you are trying to access.

    Verify that the CDN is enabled: Ensure that your Azure CDN profile is enabled and properly configured.

    Check CORS settings: Ensure that the Cross-Origin Resource Sharing (CORS) settings on your Azure Storage Blob container are configured correctly to allow the web browsers to access the files.