You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/frontdoor/front-door-faq.yml
+7-5Lines changed: 7 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -184,14 +184,16 @@ sections:
184
184
- question: |
185
185
How does Front Door handle ‘domain fronting’ behavior?
186
186
answer: |
187
-
Beginning November 8, 2022, all the newly created Azure Front Door, Azure Front Door (classic) or Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. Requests where Host header in HTTP/HTTPS requests doesn't match the original TLS SNI extension used during the TLS negotiation, will be blocked.
187
+
Beginning November 8, 2022, all newly created Azure Front Door (Standard, Premium and Classic tier) or Azure CDN Standard from Microsoft (classic) resources will block any HTTP requests that exhibits domain fronting behavior. Requests where the host header in HTTP/HTTPS requests that doesn't match the original TLS SNI extension used during the TLS negotiation, will be blocked.
188
188
189
-
If you wish to block domain fronting for any existing Azure Front Door Standard and Premium, Azure Front Door (classic) and Azure CDN Standard from Microsoft (classic) resources or for new Azure Front Door Standard and Premium, Azure Front Door (classic) and Azure CDN Standard from Microsoft (classic) resources, please create a support request and provide your subscription and
190
-
resource information. Upon enabling of blocking domain fronting behavior, Azure Front Door and Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibit this behavior.
189
+
If you wish to block domain fronting for an existing Azure Front Door or Azure CDN Standard from Microsoft (classic) resources, create a support request and provide your subscription and
190
+
resource information. Upon enabling the blocking of domain fronting, Azure Front Door and Azure CDN Standard from Microsoft (classic) resources will block any HTTP/HTTPS requests that exhibit this behavior.
191
191
192
192
When Front Door blocks a request due to this mismatch:
193
-
The client will receive a HTTP “421 Misdirected Request” error code response
194
-
Front Door will log the block in its diagnostic logs under the “Error Info” property with the value “SSLMismatchedSNI”
193
+
- The client will receive a HTTP "421 Misdirected Request" error code response.
194
+
- Azure Front Door will log the block in the diagnostic logs under the "Error Info" property with the value **SSLMismatchedSNI**.
195
+
196
+
For more information about domain fronting, see [Securing our approach to domain fronting within Azure](https://www.microsoft.com/en-us/security/blog/2021/03/26/securing-our-approach-to-domain-fronting-within-azure/).
195
197
196
198
- question: |
197
199
What TLS versions are supported by Azure Front Door?
0 commit comments