• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Issue 421 Misdirected Request

For Ubuntu < 22 try disabling NGINX Reverse Proxy with
Code: 
Tools and Settings -> Services Management -> Reverse Proxy Server (nginx) -> Disable

until fix is ready.
 
MerchantMan said:
Hi All,
This has hapen to us just as my web developer has gone on holiday for two weeks!
I can acsess SSH via plex but am struggling to know what to put in this part of the fix: "proxy_ssl_server_name on;\nproxy_ssl_name \$host;" >
Our host name is XXXXXXXXXXV.online-server.cloud but not sure what needs to go where.

We are running Plesk 18.0.69.3
Ubuntu 22.04 x86_64
Dedicated server through Ionos

I know my way round the web interface but am far from an expert in it. Any guidance would be greatly appriciated

P.s. Our web no longer shows the 421 error just shows as unreachable.

Thanks in advance
Click to expand...

Have sorted now
 
This is an issue caused by additional security checks introduced by your OS vendor in the Apache 2 binaries, which makes it reject requests from behind nginx reverse proxy with its default settings in case a site is using SSL settings different from the default vhost (which would typically be the case).

Janko1000 said:
TheHotfix does not work properly for Ubuntu <22.
Click to expand...

andyxyz said:
this is not working in 20.04
Click to expand...

There were no such OS updates on these OSes, AFAIK. Please post you Apache 2 versions (output of dpkg -l apache2\* | cat) and exact symptoms.
 
dpkg -l apache2\* | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============================-==================-============-=====================================================
ii apache2 2.4.41-4ubuntu3.23 amd64 Apache HTTP Server
un apache2-api-20120211 <none> <none> (no description available)
un apache2-api-20120211-openssl1.1 <none> <none> (no description available)
ii apache2-bin 2.4.41-4ubuntu3.23 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.41-4ubuntu3.23 all Apache HTTP Server (common files)
un apache2-doc <none> <none> (no description available)
un apache2-suexec-custom <none> <none> (no description available)
un apache2-suexec-pristine <none> <none> (no description available)
ii apache2-utils 2.4.41-4ubuntu3.23 amd64 Apache HTTP Server (utility programs for web servers)
un apache2.2-bin <none> <none> (no description available)
un apache2.2-common <none> <none> (no description available)
Click to expand...
symptoms are the same as the servers running not 20.04

The page returned an error: 421 Misdirected Request
 
In the UK woke up in a panic to sites down with a 421. After an hour of fumbling around discovered this forum.
That command sorted it.

Any idea how many sites around the world were affected - who's to blame?
 
andyxyz said:
./error.log:[Thu Jul 17 12:14:07.140871 2025] [ssl:error] [pid 2474371:tid 140588453517056] [client 146.90.212.210:0] AH02032: Hostname www.xxx-xxx.co.uk provided via SNI and hostname webmail.xxx.org.uk provided via HTTP have no compatible SSL setup, referer: https://webmail.xxx.org.uk/
Click to expand...
That's a different issue, and it would not have been broken today. If you had this issue before, you probably had it for a longer time.
Possibly you have customized reverse proxy configuration (likely nginx in your case) that supplies incorrect SNI host name to Apache.
 
TorbHo said:
For Ubuntu < 22 try disabling NGINX Reverse Proxy with
Code: 
Tools and Settings -> Services Management -> Reverse Proxy Server (nginx) -> Disable

until fix is ready.
Click to expand...
I applied the hotfix and worked great on Ubuntu 22 servers, and applied this for Ubuntu 20.04 servers, thx!
 
Heads up!
To avoid mismatch of hostnames in SNI and HTTP (as described in the posts above), it is strongly recommended to add one more directive "proxy_ssl_session_reuse off"

Here’s a quick fix:
Bash: 
echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;\nproxy_ssl_session_reuse off;" > /etc/nginx/conf.d/fixssl.conf && service nginx restart

The article https://support.plesk.com/hc/en-us/...-recent-Apache-update-421-Misdirected-Request has been updated accordingly.
Hotfixes for Plesk 18.0.70 and 18.0.71 are on the way.
 
Last edited:
As already described:

There is something missing in the code, the “>” is missing:

echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;\nproxy_ssl_session_reuse off;" > /etc/nginx/conf.d/fixssl.conf && service nginx restart
 
Sebahat.hadzhi said:
Everyone, the issue occurred due to the latest Apache update with the CVE-2025-23048 security fix. By default Nginx doesn’t pass server name through SNI when establishing a connection with the proxied HTTPS server, which interferes with the update. The official workaround is the one you already found in:

In the meantime, our team is working on a hotfix that will be released soon.
Click to expand...
Thanks for the clarification @Sebahat.hadzhi , I think this is a good opportunity to Plesk improve their test process, to make sure all updates, even security fixes will not break anything, we have a lot of business affected by it. We all know that issues happen, but a better test process should avoid this one.
 
MerchantMan said:
Hi All,
This has hapen to us just as my web developer has gone on holiday for two weeks!
I can acsess SSH via plex but am struggling to know what to put in this part of the fix: "proxy_ssl_server_name on;\nproxy_ssl_name \$host;" >
Our host name is XXXXXXXXXXV.online-server.cloud but not sure what needs to go where.

We are running Plesk 18.0.69.3
Ubuntu 22.04 x86_64
Dedicated server through Ionos

I know my way round the web interface but am far from an expert in it. Any guidance would be greatly appriciated

P.s. Our web no longer shows the 421 error just shows as unreachable.

Thanks in advance
Click to expand...
Just copy and paste the line below, already published by @PalmtreeRoundabout in your server terminal, and hit enter, this will do all the job for you:

Code: 
echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;" > /etc/nginx/conf.d/fixssl.conf && service nginx restart
 
csouza said:
Just copy and paste the line below, already published by @PalmtreeRoundabout in your server terminal, and hit enter, this will do all the job for you:

Code: 
echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;" > /etc/nginx/conf.d/fixssl.conf && service nginx restart
Click to expand...
Note that this command is incomplete, instead it's recommend to use the command posted by @EugeneKazakov, which also contains the proxy_ssl_session_reuse directive.

EugeneKazakov said:
To avoid mismatch of hostnames in SNI and HTTP (as described in the posts above), it is strongly recommended to add one more directive "proxy_ssl_session_reuse off"
Bash: 
echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;\nproxy_ssl_session_reuse off;" > /etc/nginx/conf.d/fixssl.conf && service nginx restart
[...]
Click to expand...
 
You must log in or register to reply here.

Similar threads

M
Issue Cloudflare 1005 wp-toolkit Promlem screen
Replies
5
Views
1K
Sebahat.hadzhi
Sebahat.hadzhi
K
Resolved After backup restore no web nor SSL
Replies
1
Views
795
kankamuso
K
C
Question How can I secure my Mail with Letsencrypt next to Cloudflares Origin Certificate in Plesk?
Replies
4
Views
2K
cpulove
C
M
Issue Nothing work fine
Replies
0
Views
1K
mvasilia
M
C
Issue Cloudflare Origin SSL Zertifikate does work and protect
Replies
1
Views
2K
cpulove
C
Back
Top