Re: Generating a 421 status from a proxy

James Peach <> Tue, 28 April 2020 07:44 UTC


> On Apr 28, 2020, at 12:44 PM, James Peach <> wrote:
> Hi all,
> I have a reverse proxy Envoy configuration where each SNI server name is attached to exactly one virtual host routing table. If this configuration is deployed with a wildcard certificate, however, browser clients will re-use the TLS connection for server name A to send requests for origin B, due to connection reuse. In this configuration, Envoy generates a 404 because the configuration for server name A doesn't have any routes for B.
> I believe that in this situation, generating a 421 response should cause the client to not re-use the connection for a different (but wildcard-matching) hostname. However, the spec also says that a proxy must not generate a 421. I wasn't able to track down any rationale for why a proxy must not generate a 421; would it be considered inappropriate in this kind of configuration? Or is it OK, since from the client's perspective, the reverse proxy is the origin?
> The example use case for the 421 status in section 9.1.1 is a TLS-terminating middlebox, which matches my scenario pretty closely. To my reading, this conflicts with the "MUST NOT be generated by proxies" requirement in 9.1.2.

To answer my own question (I think) ... the reverse proxy is a "gateway", not a "proxy", so the MUST NOT doesn't apply here.
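As an added example that is not part of this thread or of Envoy, the following Python models the interaction James describes: a TLS-terminating proxy that selects its routing table by SNI, shown both answering 404 (the behaviour he observed) and answering 421, together with an HTTP/2 client that coalesces connections onto a wildcard certificate and honours the 421 by reopening a connection with the right server name. The hosts `a.example.com` and `b.example.com`, the cluster names and the certificate are constructed assumptions.

```python
# Editor's model of the 421 exchange discussed above; not Envoy's code, and
# the hosts, clusters and certificate below are constructed sample data.
VHOSTS = {"a.example.com": "cluster-a", "b.example.com": "cluster-b"}  # one vhost per SNI
CERT_SANS = ["*.example.com"]  # wildcard certificate shared by both vhosts

def cert_covers(san_patterns, host):
    """RFC 6125-style match: '*' stands for exactly one left-most label."""
    host = host.lower().rstrip(".")
    for pat in san_patterns:
        pat = pat.lower()
        if pat == host:
            return True
        if pat.startswith("*."):
            head, suffix = host[: 1 - len(pat)], pat[1:]
            if host.endswith(suffix) and head and "." not in head:
                return True
    return False

def proxy_respond(sni, authority, emit_421=True):
    """Status for :authority `authority` (no port) on a connection opened with SNI `sni`."""
    if sni not in VHOSTS:
        return 404, None
    if authority.lower() != sni:
        # Coalesced request for another host: 421 tells the client to retry on a
        # connection for `authority`; without it the SNI-bound table has no route.
        if emit_421 and authority.lower() in VHOSTS:
            return 421, None
        return 404, None
    return 200, VHOSTS[sni]

class CoalescingClient:
    """HTTP/2 client: reuses any connection whose cert covers the host; honours 421."""
    def __init__(self, emit_421=True):
        self.conns, self.emit_421 = [], emit_421
    def _connection_for(self, host):
        for conn in self.conns:
            if host not in conn["declined"] and cert_covers(CERT_SANS, host):
                return conn
        conn = {"sni": host, "declined": set()}  # fresh TLS connection
        self.conns.append(conn)
        return conn
    def fetch(self, host):
        conn = self._connection_for(host)
        status, upstream = proxy_respond(conn["sni"], host, self.emit_421)
        if status == 421:  # RFC 7540 9.1.2: retry on a new connection
            conn["declined"].add(host)
            conn = self._connection_for(host)
            status, upstream = proxy_respond(conn["sni"], host, self.emit_421)
        return status, upstream
```

With `emit_421=False` the second fetch is routed through the first host's table and fails with 404 on the reused connection; with 421 the client opens a second connection and the request reaches `cluster-b`.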