Issue 421 Misdirected Request

[TorbHo]

For Ubuntu < 22 try disabling NGINX Reverse Proxy with

Tools and Settings -> Services Management -> Reverse Proxy Server (nginx) -> Disable

until fix is ready.

 

[MerchantMan]

Hi All,
This has hapen to us just as my web developer has gone on holiday for two weeks!
I can acsess SSH via plex but am struggling to know what to put in this part of the fix: "proxy_ssl_server_name on;\nproxy_ssl_name \$host;" >
Our host name is XXXXXXXXXXV.online-server.cloud but not sure what needs to go where.

We are running Plesk 18.0.69.3
Ubuntu 22.04 x86_64
Dedicated server through Ionos

I know my way round the web interface but am far from an expert in it. Any guidance would be greatly appriciated

P.s. Our web no longer shows the 421 error just shows as unreachable.

Thanks in advance

Have sorted now

 

[VNick]

This is an issue caused by additional security checks introduced by your OS vendor in the Apache 2 binaries, which makes it reject requests from behind nginx reverse proxy with its default settings in case a site is using SSL settings different from the default vhost (which would typically be the case).

TheHotfix does not work properly for Ubuntu <22.

this is not working in 20.04

There were no such OS updates on these OSes, AFAIK. Please post you Apache 2 versions (output of dpkg -l apache2\* | cat) and exact symptoms.

 

[andyxyz]

dpkg -l apache2\* | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============================-==================-============-=====================================================
ii apache2 2.4.41-4ubuntu3.23 amd64 Apache HTTP Server
un apache2-api-20120211 <none> <none> (no description available)
un apache2-api-20120211-openssl1.1 <none> <none> (no description available)
ii apache2-bin 2.4.41-4ubuntu3.23 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.41-4ubuntu3.23 all Apache HTTP Server (common files)
un apache2-doc <none> <none> (no description available)
un apache2-suexec-custom <none> <none> (no description available)
un apache2-suexec-pristine <none> <none> (no description available)
ii apache2-utils 2.4.41-4ubuntu3.23 amd64 Apache HTTP Server (utility programs for web servers)
un apache2.2-bin <none> <none> (no description available)
un apache2.2-common <none> <none> (no description available)

symptoms are the same as the servers running not 20.04

The page returned an error: 421 Misdirected Request

 

[m0thman]

In the UK woke up in a panic to sites down with a 421. After an hour of fumbling around discovered this forum.
That command sorted it.

Any idea how many sites around the world were affected - who's to blame?

 

[VNick]

symptoms are the same as the servers running not 20.04

The page returned an error: 421 Misdirected Request

What's the corresponding error message in the logs (error_log)?

 

[andyxyz]

as an alternative to disabling nginx you can disable http2
plesk bin http2_pref disable

 

[andyxyz]

What's the corresponding error message in the logs (error_log)?

./error.log:[Thu Jul 17 12:14:07.140871 2025] [ssl:error] [pid 2474371:tid 140588453517056] [client 146.90.212.210:0] AH02032: Hostname www.xxx-xxx.co.uk provided via SNI and hostname webmail.xxx.org.uk provided via HTTP have no compatible SSL setup, referer: https://webmail.xxx.org.uk/

 

[VNick]

./error.log:[Thu Jul 17 12:14:07.140871 2025] [ssl:error] [pid 2474371:tid 140588453517056] [client 146.90.212.210:0] AH02032: Hostname www.xxx-xxx.co.uk provided via SNI and hostname webmail.xxx.org.uk provided via HTTP have no compatible SSL setup, referer: https://webmail.xxx.org.uk/

That's a different issue, and it would not have been broken today. If you had this issue before, you probably had it for a longer time.
Possibly you have customized reverse proxy configuration (likely nginx in your case) that supplies incorrect SNI host name to Apache.

 

[hilly]

./error.log:[Thu Jul 17 12:14:07.140871 2025] [ssl:error] [pid 2474371:tid 140588453517056] [client 146.90.212.210:0] AH02032: Hostname www.xxx-xxx.co.uk provided via SNI and hostname webmail.xxx.org.uk provided via HTTP have no compatible SSL setup, referer: https://webmail.xxx.org.uk/

happening to all websites?

 

[fasthaven]

It seems my security provider got an article out about this, it has fixed the problem on our Enhance servers (we've already manually implemented the fix on our Plesk machines) - so might be worth a shot.

The Latest Apache Update: A 421 Misdirected Request Crisis

 

[danielgc]

For Ubuntu < 22 try disabling NGINX Reverse Proxy with

Tools and Settings -> Services Management -> Reverse Proxy Server (nginx) -> Disable

until fix is ready.

I applied the hotfix and worked great on Ubuntu 22 servers, and applied this for Ubuntu 20.04 servers, thx!

 

[TorbHo]

I applied the hotfix and worked great on Ubuntu 22 servers, and applied this for Ubuntu 20.04 servers, thx!

Keep in mind that if you use the Plesk watchdog extension, nginx will be restarted soon. So first disable nginx monitoring in watchdog.

 

[EugeneKazakov]

Heads up!
To avoid mismatch of hostnames in SNI and HTTP (as described in the posts above), it is strongly recommended to add one more directive "proxy_ssl_session_reuse off"

Here’s a quick fix:

echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;\nproxy_ssl_session_reuse off;" > /etc/nginx/conf.d/fixssl.conf && service nginx restart

The article https://support.plesk.com/hc/en-us/...-recent-Apache-update-421-Misdirected-Request has been updated accordingly.
Hotfixes for Plesk 18.0.70 and 18.0.71 are on the way.

 

[TorbHo]

As already described:

There is something missing in the code, the “>” is missing:

echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;\nproxy_ssl_session_reuse off;" > /etc/nginx/conf.d/fixssl.conf && service nginx restart

 

[csouza]

Solution:

echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;" > /etc/nginx/conf.d/fixssl.conf && service nginx restart

I great thanks @PalmtreeRoundabout , the solution works, you saved my day!!!!

 

[csouza]

How was this pushed without noticing it during testing?

It's really a good question, so many businesses are affected by it, probably because of a missing test...

 

[csouza]

Everyone, the issue occurred due to the latest Apache update with the CVE-2025-23048 security fix. By default Nginx doesn’t pass server name through SNI when establishing a connection with the proxied HTTPS server, which interferes with the update. The official workaround is the one you already found in:

• https://support.plesk.com/hc/en-us/...-recent-Apache-update-421-Misdirected-Request

In the meantime, our team is working on a hotfix that will be released soon.

Thanks for the clarification @Sebahat.hadzhi , I think this is a good opportunity to Plesk improve their test process, to make sure all updates, even security fixes will not break anything, we have a lot of business affected by it. We all know that issues happen, but a better test process should avoid this one.

 

[csouza]

Hi All,
This has hapen to us just as my web developer has gone on holiday for two weeks!
I can acsess SSH via plex but am struggling to know what to put in this part of the fix: "proxy_ssl_server_name on;\nproxy_ssl_name \$host;" >
Our host name is XXXXXXXXXXV.online-server.cloud but not sure what needs to go where.

We are running Plesk 18.0.69.3
Ubuntu 22.04 x86_64
Dedicated server through Ionos

I know my way round the web interface but am far from an expert in it. Any guidance would be greatly appriciated

P.s. Our web no longer shows the 421 error just shows as unreachable.

Thanks in advance

Just copy and paste the line below, already published by @PalmtreeRoundabout in your server terminal, and hit enter, this will do all the job for you:

echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;" > /etc/nginx/conf.d/fixssl.conf && service nginx restart