Diagnosing 421 Errors (Apache SNI Proxy)

Question

How do I troubleshoot the website error code 421 in Apache 2.4.64?

Symptoms

When the website is loaded, the browser displays a 421 (Misdirected Request) error. A proxy service such as one of the following may be in front of Apache:

  • Nginx (3rd-party or self-hosted)
  • EA-Nginx
  • Sucuri
  • CloudFlare
  • Imunify360 ( Webshield )
  • BitNinja
  • AWS

The list is not exhaustive, but these are the proxies most commonly found in use on cPanel servers.

Troubleshooting

Apache can be configured to log enough detail to show whether the SNI value is missing from requests that arrive through the proxy. The Apache configuration must be modified so that these details are written to a log file.

Note: Please check with the server administrator to run the following command, as it requires modifying the Apache configuration.

The server administrator can run the command below to create a new custom log file with headers for requests that returned a 421 status.

bash -lc 'CONF=/etc/apache2/conf.d/includes/pre_main_global.conf; MARK="# BEGIN sni_mismatch_421"; \
grep -Fq "$MARK" "$CONF" 2>/dev/null || cat >> "$CONF" <<'"'"'EOF'"'"'
# BEGIN sni_mismatch_421
CustomLog /var/log/apache2/sni_mismatch_421.log "%t %a vhost=%v srv=%A:%p proto=%H alpn=%{SSL_ALPN_PROTOCOL}x tls=%{SSL_PROTOCOL}x cipher=%{SSL_CIPHER}x cert_cn=%{SSL_SERVER_S_DN_CN}x issuer_cn=%{SSL_SERVER_I_DN_CN}x sni=%{SSL_TLS_SNI}x host=%{Host}i referer=\"%{Referer}i\" ua=\"%{User-Agent}i\" uid=%{UNIQUE_ID}e \"%r\" %>s %b" "expr=(%{HTTPS} == \"on\" && %{SSL_TLS_SNI} != %{HTTP_HOST}) || (%{REQUEST_STATUS} == 421)"
# END sni_mismatch_421
EOF
/scripts/restartsrv_apache'

The resulting log shows which domains sit behind a proxy that does not pass the SNI value. Starting with version 2.4.64, Apache requires SNI to be present; otherwise it returns a 421 response.
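To read the resulting sni_mismatch_421.log, the following Python script (an added example, not part of this article and not cPanel or Apache code) parses the exact CustomLog format shown above and groups the flagged requests by client IP and requested hostname, separating "no SNI sent at all" from "SNI differs from the Host header" and from "421 for some other reason". The log lines embedded in it are constructed samples, and the script assumes mod_ssl logs "-" for an absent SNI value. The %a field is the proxy's address unless mod_remoteip is rewriting it; %{c}a would log the connection peer instead. The fourth sample line shows a Host value carrying a port, which a plain string comparison treats as different from the SNI name even though the names match; the script strips the port before comparing.

```python
"""Summarise Apache sni_mismatch_421.log lines by upstream proxy and hostname.

Added example; assumes the article's CustomLog format and that mod_ssl writes
"-" when SSL_TLS_SNI is not set.
"""
import re
from collections import Counter, defaultdict

# One line of the article's format: "[time] client key=value ... "request" status bytes"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<kv>.*) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}|-) (?P<bytes>\S+)$'
)
# key=value tokens; referer= and ua= are double-quoted and may contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("time", "client", "request", "status", "bytes")}
    for key, val in KV_RE.findall(m.group("kv")):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        rec[key] = val
    return rec


def _hostname(value):
    """Lower-case a Host header value and drop any :port suffix (SNI never carries a port)."""
    if not value or value == "-":
        return ""
    value = value.lower()
    if value.startswith("[") and "]" in value:   # IPv6 literal, e.g. [2001:db8::1]:443
        return value[1:value.find("]")]
    return value.split(":", 1)[0]


def classify(rec):
    """Explain why the line was logged: missing SNI, SNI/Host mismatch, or a 421 with matching SNI."""
    sni = _hostname(rec.get("sni"))
    host = _hostname(rec.get("host"))
    if not sni:
        return "missing_sni"      # proxy did not send SNI at all
    if sni != host:
        return "sni_mismatch"     # proxy sent SNI for a name other than the Host header
    if rec.get("status") == "421":
        return "421_other"        # 421 with matching SNI: look at vhost/certificate selection
    return "ok"                   # logged only because Host carried a port or similar


def summarize(lines):
    """Count reasons per (client IP, requested host) so the proxy at fault is obvious."""
    table = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason == "ok":
            continue
        table[(rec["client"], _hostname(rec.get("host")) or "?")][reason] += 1
    return {key: dict(counts) for key, counts in table.items()}


# Constructed sample lines in the article's log format (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
[05/Aug/2025:10:15:32 +0000] 203.0.113.10 vhost=example.com srv=198.51.100.5:443 proto=HTTP/1.1 alpn=http/1.1 tls=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 cert_cn=example.com issuer_cn=R11 sni=- host=example.com referer="-" ua="Mozilla/5.0 (X11; Linux x86_64)" uid=aH3k-EXAMPLE "GET / HTTP/1.1" 421 -
[05/Aug/2025:10:15:40 +0000] 203.0.113.10 vhost=example.com srv=198.51.100.5:443 proto=HTTP/1.1 alpn=http/1.1 tls=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 cert_cn=example.com issuer_cn=R11 sni=- host=shop.example.com referer="-" ua="curl/8.5.0" uid=bQ7m-EXAMPLE "GET /cart HTTP/1.1" 421 -
[05/Aug/2025:10:16:01 +0000] 198.51.100.77 vhost=example.net srv=198.51.100.5:443 proto=HTTP/1.1 alpn=http/1.1 tls=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 cert_cn=example.net issuer_cn=R11 sni=example.net host=www.example.org referer="https://example.net/" ua="Mozilla/5.0" uid=cR9n-EXAMPLE "GET /index.php HTTP/1.1" 421 -
[05/Aug/2025:10:16:05 +0000] 192.0.2.4 vhost=example.net srv=198.51.100.5:443 proto=HTTP/1.1 alpn=h2 tls=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 cert_cn=example.net issuer_cn=R11 sni=example.net host=example.net:443 referer="-" ua="Mozilla/5.0" uid=dS1p-EXAMPLE "GET / HTTP/2.0" 200 5123
[05/Aug/2025:10:16:09 +0000] 203.0.113.55 vhost=example.com srv=198.51.100.5:443 proto=HTTP/1.1 alpn=http/1.1 tls=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 cert_cn=example.com issuer_cn=R11 sni=www.example.com host=www.example.com referer="-" ua="Mozilla/5.0" uid=eT2q-EXAMPLE "GET / HTTP/1.1" 421 -
"""

if __name__ == "__main__":
    import sys
    from pathlib import Path
    lines = Path(sys.argv[1]).read_text().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for (client, host), reasons in sorted(summarize(lines).items()):
        print(f"{client:<16} {host:<30} {reasons}")
```

Run it as `python3 sni421_summary.py /var/log/apache2/sni_mismatch_421.log`; with no argument it summarises the embedded sample. A client IP that shows up only with "missing_sni" across many hosts is the proxy that needs one of the fixes in the Solutions section.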

Solutions

Updates are available for many of the common web proxies in use on cPanel servers. Generally, updating resolves the issue for EA-Nginx, Apache, Imunify360, and BitNinja. If you are using third-party software or a self-managed proxy solution, contact your provider or server administrator for additional guidance.

  • Nginx (3rd-party or self-hosted)

    Configure Nginx with the settings below to ensure that Nginx passes SNI information to Apache.

      proxy_ssl_server_name on;
      proxy_ssl_name $host;
      proxy_ssl_session_reuse off;
  • EA-Nginx
    cPanel has addressed this via EasyApache updates. Ensure EA-Nginx is updated to the following version: "ea-nginx-1.26.3-13".
  • Sucuri: The Sucuri team released changes to resolve this by forcing hostname over TLS back on July 30th, 2025.
  • CloudFlare: CloudFlare already sends the SNI host unless a custom host needs to be defined. An additional article has been created to address this issue if it occurs on CloudFlare websites.
    Apache 2.4.65 Update and Reverse Proxy 421
  • Imunify360 (Webshield): Imunify360 deployed changes on July 31st, 2025, to ensure the SNI information is presented in the headers when protected by Webshield.
    WebShield version 1.35.2, DEF-35398 webshield: 421 Misdirected Request issue with SNI enabled in Apache.
  • BitNinja: An update was released by BitNinja on July 23rd to resolve this issue. Version (3.12.4) contains the fix.
  • AWS load balancer or other proxy/load balancers: Use Apache option "SSLVHostSNIPolicy authonly" in pre_main_global or pre_virtualhost_global include files. This option is available in Apache 2.4.66.

Ensure updates are installed

Ensure the system is updated. You can use the cPanel package update command to ensure updates are installed.

How to manually start package updates
