Domain fronting to App Engine stopped working
On or about 2018-04-13 16:00:00 UTC, domain-fronted requests for *.appspot.com stopped working. It appears to affect fronting to all appspot.com domains, not only ours. This has broken Snowflake client registration and Moat (#25807 (moved)).
Requests now fail with status code 502:
$ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com'
HTTP/1.1 502 Bad Gateway
Date: Sun, 15 Apr 2018 04:58:49 GMT
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 209
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
<html><body><h1>502 Bad Gateway</h1>\
<p>This HTTP request has a Host header that is not covered \
by the TLS certificate used. Due to an infrastructure change, \
this request cannot be processed.</p></body></html>
This ticket is to document the issue; I'm not sure we can do anything about it directly.
Other related tickets:
- #22782 (moved), use non-Google domain fronts
- #25594 (moved), use non-fronting-based registration