Issue
After upgrading to ea-apache24-2.4.64, websites running behind EA-Nginx (or other reverse proxies like Cloudflare) on cPanel servers may start displaying:
421 Misdirected Request
Environment
- CloudLinux
- ea-apache24 < 2.4.65-3
- cPanel
- Imunify360
Solution
Update ea-apache24 to version ea-apache24-2.4.65-3 and/or ea-nginx to version 1.26.3-15.el*.cloudlinux or higher:
yum update ea-apache24* ea-nginx --enablerepo=cl-ea4
- For servers using Imunify360 with Hardened PHP but not using CloudLinux, use the following command instead:
yum update ea-apache24* ea-nginx --enablerepo=imunify360-ea-php-hardened
The latest ea-apache24 does not allow the host in the SNI to differ from the host in the HTTP headers. If Apache is running behind nginx, nginx must therefore send the correct SNI and must not reuse connections; otherwise the SNI is correct for the first connection but wrong for a later one with a different hostname.
The hotfix (fixssl.conf) is no longer needed starting from ea-nginx 1.26.3-13.
As a fix you can add the following to your nginx config:
proxy_ssl_server_name on;
proxy_ssl_name $host;
proxy_ssl_session_reuse off;
These directives are already included in the config chunks shipped with the latest ea-nginx; we assume they have to be added manually for nginx builds from other vendors.
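An added example, not part of the original article or of ea-nginx: a small Python check that walks an nginx configuration (for instance the output of nginx -T) and lists every block that proxies to an https:// upstream without the three settings above in effect, following nginx's inheritance from outer blocks. The tokenizer is simplified and does not handle quoted strings; the sample config and its 127.0.0.1:444 upstream are constructed.

```python
import re

# Values the article recommends when nginx proxies to Apache over TLS.
REQUIRED = {"proxy_ssl_server_name": "on", "proxy_ssl_name": "$host",
            "proxy_ssl_session_reuse": "off"}

def effective(block, key):
    """Resolve a directive as nginx inherits it: the innermost setting wins."""
    if block is None:
        return None
    return block["own"].get(key, effective(block["parent"], key))

def audit(conf):
    """Return [(block, [directives unset or set differently])] for https proxy_pass blocks."""
    root = {"name": "main", "parent": None, "own": {}, "https": False}
    cur, blocks, stmt = root, [root], []
    # Simplified tokenizer: strips comments, does not handle quoted strings.
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf)):
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":
            cur = {"name": " ".join(stmt), "parent": cur, "own": {}, "https": False}
            blocks.append(cur)
        elif tok == "}":
            cur = cur["parent"] or root
        elif len(stmt) >= 2 and stmt[0] in REQUIRED:
            cur["own"][stmt[0]] = stmt[1]
        elif len(stmt) >= 2 and stmt[0] == "proxy_pass":
            cur["https"] = cur["https"] or stmt[1].startswith("https://")
        stmt = []
    # Evaluate after parsing so directive order inside a block does not matter.
    checked = [(b["name"], [k for k, v in REQUIRED.items() if effective(b, k) != v])
               for b in blocks if b["https"]]
    return [c for c in checked if c[1]]

# Constructed sample config (not taken from a real server).
SAMPLE = """
http {
  proxy_ssl_server_name on;   # inherited by the locations below
  server {
    location / { proxy_pass https://127.0.0.1:444; proxy_ssl_name $host; proxy_ssl_session_reuse off; }
    location /legacy { proxy_pass https://127.0.0.1:444; }
  }
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means every https:// proxy_pass block has all three settings in effect; each entry otherwise names the block and the directives that are unset or differ from the values above.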
Cause
Apache 2.4.64 introduced stricter SSL/TLS handling (to address CVEs), which leads to incompatibility with proxies that don’t include SNI in their upstream connections. The 421 error occurs when the server cannot determine a matching virtual host due to missing SNI data.
Useful links
- https://support.cpanel.net/hc/en-us/articles/33553346450455-Websites-show-421-Misdirected-Request-error-while-using-EA-Nginx-or-other-proxies
- https://support.plesk.com/hc/en-us/articles/33500191748887-Websites-hosted-in-Plesk-are-not-accessible-after-a-recent-Apache-update-421-Misdirected-Request (For Plesk-based server)