Problem

A recent update in Apache 2.4.64 introduced a CVE fix related to SNI (Server Name Indication), which inadvertently caused "HTTP 421 Misdirected Request" errors in many common reverse proxy configurations.

The Apache package has been fully updated in version 2.4.65 to address these issues with cPanel-provided Nginx proxies, but some changes may be needed on external proxies.

 

Solution

If you have not already, ensure that your server has been updated to the Apache 2.4.65 package by following the instructions here:

Websites Displaying "421 Misdirected Request" Error

External reverse proxies must now be configured to comply with the stricter SNI behavior introduced in the update. Cloudflare can have the following configuration added to stop this error from occurring:

  1. Access your Cloudflare account and navigate to the "Zero Trust" section in the user interface.
  2. Under "Networking", select "Add a tunnel".
  3. Select your tunnel type. In this case, "Cloudflared".
  4. Enter a name for your tunnel.
  5. Install the required Cloudflare addons using the links provided in the setup.
  6. Add a published application route for your tunnel by adding a subdomain if required, the domain name,path, and the service type for your proxy.
  7. Under the "Additional Application Settings" section, open the "TLS" subsection.
  8. Enter the domain name into the "Origin Server Name" field.
    For example, if your configured domain is "domain.tld," enter "domain.tld" into the field.
  9. Save your Tunnel.

Additional Resources

Create a tunnel (dashboard)