Generating a 421 status from a proxy

James Peach <> Tue, 28 April 2020 07:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 69D023A0DDC for <>; Tue, 28 Apr 2020 00:44:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tM6W7oUpXJks for <>; Tue, 28 Apr 2020 00:44:40 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DA4CE3A0DD9 for <>; Tue, 28 Apr 2020 00:44:40 -0700 (PDT)
Received: from lists by with local (Exim 4.92) (envelope-from <>) id 1jTKsX-0007Yb-0K for; Tue, 28 Apr 2020 07:42:05 +0000
Resent-Date: Tue, 28 Apr 2020 07:42:05 +0000
Resent-Message-Id: <>
Received: from www-data by with local (Exim 4.92) (envelope-from <>) id 1jTKsW-0007WG-36 for; Tue, 28 Apr 2020 07:42:04 +0000
Received: from ([]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jTGEO-00016e-62 for; Tue, 28 Apr 2020 02:44:20 +0000
Received: from ([2607:f8b0:4864:20::1033]) by with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <>) id 1jTGEM-0005hg-Lp for; Tue, 28 Apr 2020 02:44:20 +0000
Received: by with SMTP id mq3so484014pjb.1 for <>; Mon, 27 Apr 2020 19:44:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:content-transfer-encoding:mime-version:subject:message-id:date :to; bh=TKYvZqnM4xEgxfsPE/pU27Lw2QK0UDu4Pc9RDQSqkK8=; b=rH/OLPypIjwKpjFa7t8mI6+gD9wmggHbbg5da14p+qVSAVXiXa6GF982U0DRc1PsqK G/D7NfEd7I2rd6BZhNdkg8IkS5xbRc5agqtqi0eBAGeC63ztEc/o6lBgQhOmlVpUjD1H 4uRRtmGCEBQb9nQAqtIAWxzxvJ2SebQYEBw+BknB23dNWhPfHh9RfZx/7fuoU2Xis8w9 mC7n2UXbYCeVBb4i/uYjDFobcaK/a5g7gAQhP1312HlAHP/RSWFKidLkhBgTUzH2yc5e 6DjjzAGmAglFBiZhmFugWFzij//RNHHwUmpzWp4L2qIxiWHZ0cpjaOyLbkLCA5WbnYv8 jvmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:message-id:date:to; bh=TKYvZqnM4xEgxfsPE/pU27Lw2QK0UDu4Pc9RDQSqkK8=; b=e3Q/4TwWia38HtpxRLl80DReWuU9GOtazk/A8qQCnTVsH0G23Qui25Q5aoDjPU9avu 9AiXRHmBOVLrLsDi27t1oNkCXS1tYMeTD1XXcqi5yZHjnijZZcS0bezARvcyr8Grr9VV zmjYEyv4Ki5qZeCoErqAHidQWpulCBuL1oVE6H1k569yUsiA0fdrwp15r0FTnF+VxrIy xfVs7zC9XcWTksTsdlgpgqNxd4u3Z9lQfZoDbdZTq8yGSZfjAlg32vDt4TCrJBVDwFS9 2kFmbdDIPQkZwT+vS1rukw+yfwfCg3Sk2nIYgU1hsriWO15NeZ+qq/ssHqtaisTsRUAs LYNw==
X-Gm-Message-State: AGi0PuaOHxSxiv2+z6MoFOrOEV5zNzWtzJnVJLbuvt2ZV15GZ1yUrN70 QBrJ0xNQcgwIp4wsEx7KGV5q34GR0HU=
X-Google-Smtp-Source: APiQypLlzgK5iNmoFYdH/SjcVxtjuOHCSBI3qwhQ80Xjc/UNVUcKPDmyRnvuHJhgPgT6z9nTV9HcSQ==
X-Received: by 2002:a17:90b:8d7:: with SMTP id ds23mr2174767pjb.39.1588041846948; Mon, 27 Apr 2020 19:44:06 -0700 (PDT)
Received: from ( [2001:44b8:414b:6000:2d94:10ca:b257:50d]) by with ESMTPSA id t188sm11739336pgb.80.2020. for <> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 Apr 2020 19:44:06 -0700 (PDT)
From: James Peach <>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Message-Id: <>
Date: Tue, 28 Apr 2020 12:44:02 +1000
X-Mailer: Apple Mail (2.3608.
Received-SPF: pass client-ip=2607:f8b0:4864:20::1033;;
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1jTGEM-0005hg-Lp 6f95d86efef31c2a5c3690ba3f8430f4
X-caa-id: 106afbed40
Subject: Generating a 421 status from a proxy
Archived-At: <>
X-Mailing-List: <> archive/latest/37554
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

Hi all,

I have an reverse proxy Envoy configuration where each SNI server name is attached to exactly one virtual host routing table. If this configuration is deployed with a wildcard certificate however, browser clients will re-use the TLS connections for server name A to send requests for origin B, due to connection reuse, In this configuration, envoy generates a 404 because the configuration for servername A doesn’t have any routes for B.

I believe that in this situation, generating a 421 response should cause the client to not re-use the connection for a different (but wildcard-matching) hostname. However, the spec also says that a proxy must not generate a 421. I wasn't able to track down any rationale for why a proxy must not generate a 421; would it be considered inappropriate in this kind of configuration? Or is it OK, since from the client’s perspective, the reverse proxy is the origin?

The example use case for 421 status in section 9.1.1 is a TLS-terminating middlebox, which matches my scenario pretty closely. To my reading, this conflicts with the "MUST NOT be generated by proxies” requirement in 9.1.2.