Symptoms
Websites display a "421 Misdirected Request" error when using EA-Nginx or other proxies, such as Cloudflare. Servers using CloudLinux-provided EasyApache packages, including those running CloudLinux OS or utilizing Imunify360 Hardened repositories, may also encounter "421 Misdirected Request" errors on hosted websites.
Description
Apache was recently updated to version 2.4.64 to address numerous CVEs. The updated Apache was found to cause 421 errors when combined with EA-Nginx or other proxies. This behavior is also observed in servers using CloudLinux-provided EasyApache packages, including those running CloudLinux OS or utilizing Imunify360 Hardened repositories.
For additional detailed information regarding this issue, please refer to the following article:
Apache 2.4.65 Update and Reverse Proxy 421
We've opened an internal case for our development team to investigate this further. For reference, the case number is EA-13040. Follow this article to receive an email notification when a solution is published in the product.
Workaround
The updated package for Apache 2.4.65 has been released to production to address the 421 Misdirected request errors introduced by the updates to SNI. We recommend updating as soon as possible to address the errors. Servers with automatic updates enabled will be updated during the nightly updates.
If version lock was used to temporarily pause updates to the ea-apache24 package, it must be removed using the steps within the article here:
How to remove version lock packages
If you've followed previous guidance and installed the file "/etc/nginx/conf.d/fixssl.conf," be sure to remove it before applying updates, as it can interfere with the solution.
/bin/rm /etc/nginx/conf.d/fixssl.conf
Otherwise, you can update all packages by doing a cPanel update, or update the ea-apache24 package using your operating system's package manager:
/scripts/upcp
Technical Information
In order to resolve this, some changes were required to be made to the method in which proxies are configured. The following changes were made:
- Use HTTP/1.0 as the proxy protocol instead of HTTP/1.1.
- Some HTTP/1.1 features may be affected. These impacts should be transparent, and not result in any errors.
- Disable SSL session reuse for proxying.
- Performance may be slightly degraded due to the lack of SSL session reuse. This will be less noticeable on servers hosting multiple virtual hosts on the same IP address, as SNI is used and thus session reuse is less relevant.
- Alternative approaches exist, but they have so far introduced greater performance drawbacks and security vulnerabilities.
This issue was previously addressed in package updates by temporarily rolling back the internal Apache version to Apache 2.4.63 until further development could be done to fully resolve this issue.
* Fri Jul 18 2025 - ea-apache24 - 2.4.64-3
- EA-13041: Rolling “ea-apache24” back to “35b37d6c7295199c5157c68145f220d9fa61ff02”: Apache v2.4.64 broke SNI (rando 421)
* Fri Jul 18 2025 - ea-nginx - 1.26.3-11
- EA-13040: Remove SNI fix as we've removed the offending changes in ea-apache24 for now.
Additional Resources
cloudlinux.zendesk.com: 421 Misdirected Request Error After Recent ea-apache Update
