Subdomain multi-tenancy in front door & Safari

Phillip H 86 Reputation points
2023-06-02T22:32:31.4833333+00:00

We are implementing multi-tenancy using subdomains (<tenant>.contoso.com), a wildcard cert (*.contoso.com), and Front Door. We also use a couple of subdomains for shared purposes (content.contoso.com, login.contoso.com, etc.). We have a high number of tenants, so creating individual certs for them would be a pain.

Everything works fine except on Safari on iOS & Mac - although I haven't tested it on Windows. Safari seems to stop processing on 421 errors when the browser loads two of our subdomains in a row (for example, login.contoso.com then tenant1.contoso.com). It seems like the browser is reusing the connection of the first request for the second, which then triggers Front Door's domain-fronting block. Other browsers sometimes do this as well, but they all appear to silently retry on the 421 with the updated hostname instead of just failing.

I've seen other Q&A topics where the solution is to turn off the domain fronting block (example one, example two). We opened a support ticket and that did indeed fix the problem. However, this fix is only until November of this year.

My question is: is there any suggested architectural pattern or approach that could avoid the domain fronting issue while using Front Door to implement subdomain multi-tenancy and a wildcard cert? From some web research, it seems like Safari has had this problem for a while, so I don't think it's likely Apple is going to fix it in the next six months. My only solutions seem to be to either ensure one Safari user never hits two different *.contoso.com requests in a row or to change our application to implement multi-tenancy without subdomains.


Accepted answer
    KapilAnanth-MSFT 34,926 Reputation points Microsoft Employee
    2023-06-03T03:53:10.5533333+00:00

    @Phillip H

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you are facing a 421 HTTP error with an Azure Front Door multi-tenant setup while using a wildcard certificate.

    The respective RFC here mentions that the client "MAY retry the request", thus not imposing any MUST/SHOULD condition on the client.

    I would say this is a limitation on the HTTP implementation rather than the products involved.

    Your current scenario,

    Customer1, Customer2, Common content, Authentication - *.contoso.com.

    Is it possible,

    That you create individual certificates for the Common content and Authentication and use your wildcard certificates for the customer sites?

    So, you'll be having 3 certificates,

    • Customers
      • Customer1 - *.contoso.com
      • Customer2 - *.contoso.com
    • Common content - content.contoso.com
    • Authentication - login.contoso.com

    While no one can guarantee that a single user would not successively access customerx.contoso.com and customery.contoso.com, I believe the majority of the time it will be login.contoso.com ---> content.contoso.com or login.contoso.com ---> customerx.contoso.com, and as such, domain fronting would not happen.

    We can wait for the other community members to add their points.

    Meanwhile, let me know if you have any queries on this.

    Cheers,

    Kapil

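The mechanics behind the thread, as an added example that is neither the question's nor the answer's code and not Azure Front Door or Safari code: a small Python model of HTTP/2 connection coalescing (RFC 7540 §9.1.1 lets a client reuse a connection for a new hostname when it resolves to the same IP and the presented certificate is valid for it), an edge-side rule that returns 421 when the request's Host header differs from the connection's TLS SNI (an assumption standing in for the domain-fronting block described above), and a client that either stops on the 421, as Safari does in the question, or retries on a fresh connection, as the other browsers do. The hostnames, the shared edge IP and the certificate layouts are constructed; `split_certs` models the accepted answer's suggestion of dedicated certificates for the shared hosts and the wildcard for tenants.

```python
"""Model of HTTP/2 connection coalescing and the 421 Misdirected Request retry.

Added example (not Front Door or browser code). The edge rule in origin_check
is an assumption that models the domain-fronting block from the question.
"""

# Constructed sample data: every hostname resolves to the same edge IP, which is
# the first precondition for a browser to coalesce connections.
RESOLVE = {
    "login.contoso.com": "203.0.113.10",
    "content.contoso.com": "203.0.113.10",
    "tenant1.contoso.com": "203.0.113.10",
    "tenant2.contoso.com": "203.0.113.10",
}


def san_matches(san: str, hostname: str) -> bool:
    """Wildcard match in the RFC 6125 style: '*' covers exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        suffix = san[1:]                      # ".contoso.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]      # the part the '*' would cover
        return label != "" and "." not in label
    return san == hostname


class Connection:
    """A TLS connection: the SNI it was opened with, the SANs of the cert presented, and the IP."""

    def __init__(self, sni: str, sans: list, ip: str):
        self.sni, self.sans, self.ip = sni, sans, ip


def can_coalesce(conn: Connection, hostname: str) -> bool:
    """RFC 7540 s9.1.1 reuse test: same IP and a certificate valid for the new host."""
    return RESOLVE.get(hostname) == conn.ip and any(san_matches(s, hostname) for s in conn.sans)


def origin_check(conn: Connection, host_header: str) -> int:
    """Modelled edge rule (assumption): Host must equal the connection's SNI, else 421."""
    return 200 if host_header.lower() == conn.sni.lower() else 421


def simulate(sequence: list, cert_for, retry_on_421: bool) -> list:
    """Replay a sequence of page loads.

    cert_for(hostname) -> SAN list the edge presents when that hostname is the SNI.
    Returns one (host, status, reused_connection, retried) tuple per request.
    """
    pool, results = [], []
    for host in sequence:
        conn = next((c for c in pool if can_coalesce(c, host)), None)
        reused = conn is not None
        if conn is None:
            conn = Connection(host, cert_for(host), RESOLVE[host])
            pool.append(conn)
        status = origin_check(conn, host)
        retried = False
        if status == 421 and retry_on_421:
            # The RFC says the client MAY retry; do so on a connection opened for this host.
            fresh = Connection(host, cert_for(host), RESOLVE[host])
            pool.append(fresh)
            status = origin_check(fresh, host)
            retried = True
        results.append((host, status, reused, retried))
    return results


def wildcard_only(host: str) -> list:
    """Layout from the question: one wildcard cert for every hostname."""
    return ["*.contoso.com"]


def split_certs(host: str) -> list:
    """Layout from the accepted answer: dedicated certs for shared hosts, wildcard for tenants."""
    if host in ("login.contoso.com", "content.contoso.com"):
        return [host]
    return ["*.contoso.com"]


if __name__ == "__main__":
    flow = ["login.contoso.com", "tenant1.contoso.com"]
    print("wildcard, no retry :", simulate(flow, wildcard_only, False))
    print("wildcard, retry    :", simulate(flow, wildcard_only, True))
    print("split certs        :", simulate(flow, split_certs, False))
    print("tenant -> tenant   :", simulate(["tenant1.contoso.com", "tenant2.contoso.com"], split_certs, False))
```

Running the four flows shows the thread's reasoning end to end: with one wildcard cert the second load is coalesced and fails with 421 unless the client retries; with dedicated certificates on the shared hosts the login-to-tenant hop cannot be coalesced at all, so no 421 is produced; and, as the answer cautions, a tenant-to-tenant hop under the shared wildcard still coalesces and still fails on a non-retrying client.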
