Introduction

Azure Front Door sits in front of your application, but the backend origin may still make routing and TLS decisions based on the Host header it receives. If Front Door forwards a hostname the origin does not expect, the backend can return the wrong site, reject the request, redirect in a loop, or fail TLS validation. This issue is common when moving apps behind Front Door or when mixing custom domains with platform default hostnames.

Symptoms

  • The site works at the origin URL but fails or serves the wrong content through Front Door.
  • Users see redirect loops, 404 responses, or the default backend site instead of the intended application.
  • Backend logs show unexpected hostnames in incoming requests.
  • TLS handshake or certificate validation issues appear between Front Door and the origin.
  • Only one domain is broken while other Front Door routes continue to work.

Common Causes

  • Front Door is forwarding the frontend hostname while the backend expects a different origin host header.
  • The backend web server routes requests by hostname and has no matching virtual host for the forwarded host.
  • The certificate installed on the origin matches a different hostname than the one used during backend validation.
  • Redirect logic on the app or reverse proxy rewrites users to a hostname that Front Door is not meant to serve.
  • A recent domain migration changed frontend hostnames, but the origin configuration was not updated.
  • Multiple apps share the same backend and the wrong host header sends traffic to the wrong site.

Step-by-Step Fix

  1. Identify the exact hostname used by clients and compare it with the origin host header configured in Azure Front Door. Do not assume they should always be the same.
  2. Check the backend application or reverse proxy configuration to see which hostnames it accepts and how it selects the correct site or route.
  3. If the origin expects its own internal or platform hostname, set the Front Door origin host header explicitly to that value instead of forwarding the frontend hostname.
  4. Verify TLS expectations at the origin. The certificate presented by the backend must match the hostname Front Door uses when connecting to it.
  5. Inspect redirect and canonical URL logic in the application, App Service, Nginx, Apache, or ingress controller. Remove rules that incorrectly bounce users between the frontend and origin hostnames.
  6. Test the origin directly with curl using the same Host header Front Door sends. This quickly shows whether the backend accepts the host and returns the intended content.
  7. Review Front Door routing rules, custom domains, and origin group assignments to confirm the right domain is mapped to the right backend.
  8. If multiple sites share one backend, ensure each site has a matching virtual host and certificate chain for the hostname it will receive.
  9. After adjusting the host header or backend config, re-test through Front Door and confirm the correct site responds without redirect loops or TLS failures.
  10. Validate logs on both Front Door and the origin so you can confirm the requested hostname, backend response, and final user-visible result all match expectations.
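
The direct origin test from step 6, combined with the redirect check from step 5, can be scripted as below. This is an added example, not part of the original procedure; the function names (location_host, classify, probe) are hypothetical and the hostnames are placeholders.

```shell
#!/bin/sh
# Added example: hostnames are placeholders, sample responses are constructed.

# Print the lowercased host of an absolute URL; empty line for relative or empty input.
location_host() (
  case "$1" in
    http://*|https://*)
      h=${1#*://}; h=${h%%[/?#]*}; h=${h%%:*}
      printf '%s\n' "$h" | tr 'A-Z' 'a-z' ;;
    *) printf '\n' ;;
  esac
)

# classify <status> <location-header> <frontend-host>
# Flags redirects that send users to a host other than the public frontend.
classify() (
  frontend=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  case "$1" in
    2??) echo "ok" ;;
    3??) target=$(location_host "$2")
         if [ -z "$target" ] || [ "$target" = "$frontend" ]; then
           echo "redirect-on-frontend"
         else
           echo "redirect-off-frontend:$target"
         fi ;;
    *)   echo "rejected:$1" ;;
  esac
)

# probe <origin-url> <host-header> <frontend-host>
# curl still validates the origin certificate against the host in <origin-url>;
# -H only changes the Host header the backend sees.
probe() (
  headers=$(curl -sS -o /dev/null -D - --max-time 10 -H "Host: $2" "$1") || exit 2
  headers=$(printf '%s\n' "$headers" | tr -d '\r')
  status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
  loc=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
  classify "$status" "$loc" "$3"
)

# Live use (placeholders): probe https://origin.example.net/ www.example.com www.example.com
# Constructed responses showing each verdict:
classify 200 "" www.example.com
classify 302 "/login" www.example.com
classify 301 "https://origin.example.net/login" www.example.com
classify 404 "" www.example.com
```

Run probe once with the frontend hostname and once with the origin's own hostname as the Host header; a differing verdict shows which value the backend actually accepts. A redirect-on-frontend verdict is normal for path or scheme redirects, but confirm it does not point back to the URL just requested.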