So, your support team is suddenly flooded with tickets about “421 Misdirected Request” errors, and you’re wondering if the internet is just having a bad day. Spoiler: it’s not. But Apache might be.
Let’s break down what’s going on, why it’s happening now, and how to fix it—whether you’re using Plesk, cPanel, or flying solo with your own Apache setup.
What Is a 421 SNI Error Anyway?
The HTTP 421 “Misdirected Request” error is Apache’s way of saying:
“Hey, I wasn’t expecting you on this connection.”
This happens when the Server Name Indication (SNI) in the TLS handshake doesn’t match the hostname Apache is expecting. In simpler terms, Apache gets confused when it receives a request without knowing which site it’s supposed to serve, especially when multiple sites are hosted on the same IP.
A Brief History of SNI
SNI was introduced to solve the problem of hosting multiple HTTPS sites on a single IP address. Before SNI, each HTTPS site needed its own IP. With SNI, the client tells the server which hostname it wants during the TLS handshake, so Apache can serve the right certificate and content.
But here’s the kicker: if the client (like nginx) doesn’t pass the hostname correctly, Apache throws a tantrum—cue the 421 error.
Why Is This Happening Now?
Recent Apache updates (notably 2.4.64) introduced stricter handling of SNI to patch several CVEs. These changes mean Apache now refuses to serve requests that don’t include a valid SNI header. This is great for security, but it’s also breaking things left and right.
CVEs Behind the Curtain
The Apache update addressed multiple CVEs, including:
- CVE-2024-38474: Improper SNI handling in reverse proxy scenarios
- CVE-2024-38475: TLS hostname confusion leading to potential MITM
- CVE-2024-38476: Misrouting of requests in multi-tenant environments
How to Confirm It’s the Host’s Fault
Here’s a quick terminal test to see if the issue is with the backend Apache server replacing the domain and host IP with your own:
curl -IkH 'host:domain.com' https://192.168.0.1If you get a 421, the server isn’t handling SNI properly. If you get a 200, the issue lies elsewhere.
Fixes for the 421 Error
✅ If You’re Using Plesk
Plesk has released hotfixes in versions 18.0.70.3 and 18.0.71.1. If you’re on an older version, you can manually patch it by adding the following to your nginx config:
proxy_ssl_server_name on; proxy_ssl_name $host; proxy_ssl_session_reuse off;
Then restart nginx:
systemctl restart nginx✅ If You’re Using cPanel
cPanel temporarily rolled back the Apache update in ea-apache24-2.4.64-3 and recommends updating via:
/scripts/upcpOr manually:
dnf update ea-* # AlmaLinux yum update ea-* # CentOS apt upgrade # Ubuntu
If You’re Not Using Plesk or cPanel
You’ll need to manually ensure that your reverse proxy (nginx, HAProxy, etc.) is passing the correct SNI headers. In nginx, that means:
proxy_ssl_server_name on; proxy_ssl_name $host; proxy_ssl_session_reuse off;
Also, double-check that your Apache virtual hosts are configured with ServerName and ServerAlias directives that match the expected hostnames.
Bonus: What We Did Internally
Our security team enabled “force hostname over TLS” on all sites using our WAF. This ensures that even if we connect directly to a misconfigured Apache server, we’re still sending the correct SNI. It’s a belt-and-suspenders approach, and it’s working well so far.
Final Thoughts
This is one of those “security update meets real-world chaos” moments. The fix is simple once you know what’s going on–but until then, it’s a head-scratcher. Hopefully, this post saves you a few hours of log diving and curl testing.
Justin Channell
Alycia Mitchell
Rianna MacLeod
Allison Bondi
Stephen Johnston
Northon Torga
Ashley Sand