Fastly returning “Requested host does not match any Subject Alternative Names (SANs) on TLS certificate”, HTTP/421

due to $reasons we have an nginx-proxy that is a reverse proxy forwarding to Fastly CDN which, in turn, forwards back to our infrastructure.

starting from 2024-02-27 this stopped working for some HTTP queries, most notably those using the OPTIONS verb. the response that nginx was getting from Fastly had an HTTP/421 status code and payload:

Requested host does not match any Subject Alternative Names (SANs) on TLS certificate [.........] in use with this connection.

Visit https://docs.fastly.com/en/guides/common-400-errors#error-421-misdirected-request for more information.

a colleague of mine – Mateusz – has found a workaround which required re-configuration of the nginx that was acting as an HTTPS client towards Fastly. adding proxy_ssl_server_name on; next to the proxy_pass resolved this issue.

our config looks like:

location / {
 proxy_pass https://name.of.origin/;
 proxy_set_header Host name.of.origin;
 proxy_ssl_server_name on;
}

… i was naively thinking that curl and nginx would behave similarly when acting as a client.
