421 Misdirected Request: apache2 regression

Bug #2117112 reported by Marc Lindemann
This bug affects 15 people
Affects | Status | Importance | Assigned to | Milestone
--- | --- | --- | --- | ---
Apache2 Web Server | Unknown | Unknown | |
apache2 (Ubuntu) | Fix Released | Undecided | Ubuntu Security Team |

Bug Description

After updating apache2 to 2.4.58-1ubuntu8.7 we get:

<h1>Misdirected Request</h1>
<p>The client needs a new connection for this
request as the requested host name does not match
the Server Name Indication (SNI) in use for this
connection.</p>

Ubuntu 24.04.2 LTS

Revision history for this message
Marc Lindemann (cvcdigital) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu):
status: New → Confirmed
Revision history for this message
Andrew Stilliard (stapps) wrote (last edit ):

We also just had this same "421 Misdirected Request" error on all the sites we hosted after unattended-upgrades auto-updated this morning. Rolling back to the previous version resolved it for now.

Checking the apache error logs per site we saw the following:

> [Thu Jul 17 06:45:16.091474 2025] [ssl:error] [pid 2051895:tid 139659384452800] [client X.X.X.X:0] AH02032: Hostname 000-default.site.com (default host as no SNI was provided) and hostname www.site.co.uk provided via HTTP have no compatible SSL setup

For requests to each site (e.g. www.site.co.uk, used as the example above), apache would appear to be using the default site's SSL instead of their per-site SSL.

Re the comment about Plesk: we don't use Plesk, btw, or any management app like that; we have apache2 installed directly on Ubuntu 24.04.

Tons of forum posts about this issue today, btw; a large number are Plesk related, however many other posts relate to this affecting nginx or other reverse proxies in front of apache.

Revision history for this message
Hitesh Patel (hitesh1546) wrote :

We’re also affected by this issue after the automatic upgrade to Apache 2.4.58-1ubuntu8.7 on multiple servers running Ubuntu 24.04 with HestiaCP.

Immediately after the upgrade, all domains on my multiple servers started returning:

421 Misdirected Request
The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.

No changes were made to the server or control panel. Rebuilding web domains in HestiaCP or re-issuing Let’s Encrypt certificates did not resolve the issue.

Please prioritize a fix or provide a recommended workaround.

Revision history for this message
Alex L. Demidov (alexeydemidov) wrote :

This is triggered when Apache is behind a reverse HTTP proxy like nginx or haproxy, which don't send SNI to a backend server. To enable sending SNI for nginx, use `proxy_ssl_server_name on`; for haproxy, add `sni req.hdr(host)` to the server line.
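To confirm which upstream proxies are reaching Apache without SNI (the cause described above), here is an added log-parsing example; it is not code from this bug or from the apache2 package. It runs over constructed lines modelled on the AH02032 entry quoted earlier in the thread; the hosts and client addresses are placeholders, and the wording of the "provided via SNI" variant of the message is assumed from mod_ssl rather than taken from this page.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the AH02032 entry quoted in this bug; hosts and
# clients are placeholders, and the "provided via SNI" wording of line 4 is assumed.
SAMPLE_ERROR_LOG = """\
[Thu Jul 17 06:45:16.091474 2025] [ssl:error] [pid 2051895:tid 139659384452800] [client 10.0.0.5:0] AH02032: Hostname 000-default.site.com (default host as no SNI was provided) and hostname www.site.co.uk provided via HTTP have no compatible SSL setup
[Thu Jul 17 06:45:17.000001 2025] [ssl:error] [pid 2051895:tid 139659384452800] [client 10.0.0.5:0] AH02032: Hostname 000-default.site.com (default host as no SNI was provided) and hostname shop.example.org provided via HTTP have no compatible SSL setup
[Thu Jul 17 06:45:18.000002 2025] [ssl:error] [pid 2051895:tid 139659384452800] [client 10.0.0.6:0] AH02032: Hostname 000-default.site.com (default host as no SNI was provided) and hostname www.site.co.uk provided via HTTP have no compatible SSL setup
[Thu Jul 17 06:45:19.000003 2025] [ssl:error] [pid 2051895:tid 139659384452800] [client 203.0.113.9:0] AH02032: Hostname www.site.co.uk provided via SNI and hostname shop.example.org provided via HTTP have no compatible SSL setup
[Thu Jul 17 06:45:20.000004 2025] [core:notice] [pid 2051895] AH00094: Command line: '/usr/sbin/apache2'
"""

AH02032_RE = re.compile(
    r"\[client (?P<client>\S+)\] AH02032: Hostname (?P<tls_host>\S+) "
    r"(?P<how>\(default host as no SNI was provided\)|provided via SNI) "
    r"and hostname (?P<http_host>\S+) provided via HTTP have no compatible SSL setup"
)

def parse_ah02032(line):
    """Return the fields of one AH02032 line, or None for any other line."""
    m = AH02032_RE.search(line)
    if m is None:
        return None
    return {
        "client": m.group("client").rsplit(":", 1)[0],  # strip the ":port" suffix
        "tls_host": m.group("tls_host"),                 # vhost chosen at TLS time
        "sni_sent": m.group("how") == "provided via SNI",
        "http_host": m.group("http_host"),               # Host header of the request
    }

def summarize(log_text):
    """Split 421 precursors into 'no SNI at all' (a proxy/LB that does not forward
    SNI, the case in this bug) and 'SNI sent but for another vhost'."""
    no_sni, wrong_sni = Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_ah02032(line)
        if ev is None:
            continue
        if ev["sni_sent"]:
            wrong_sni[(ev["tls_host"], ev["http_host"])] += 1
        else:
            no_sni[(ev["client"], ev["http_host"])] += 1
    return no_sni, wrong_sni

def proxies_without_sni(log_text):
    """Client addresses that hit the default vhost without SNI: the upstream
    proxies that need SNI enabled (or SSLVHostSNIPolicy relaxed on Apache)."""
    no_sni, _ = summarize(log_text)
    return sorted({client for client, _ in no_sni})
```

Feed it the real error log with `summarize(open("/var/log/apache2/error.log").read())`; the addresses it lists are the proxies whose configuration needs the SNI change given above.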

Revision history for this message
PeterH (sparkpeterh) wrote :

I'm having the same issue. The server is behind a cloudflare reverse proxy so I can't manually add the SNI to nginx/haproxy. Is there a way of just changing the Apache config file to get things working again?

Revision history for this message
Andrew Stilliard (stapps) wrote :

We have bitninja WAF in front of apache which uses nginx.
They've resolved the issue by updating their nginx config, ref:
https://news.bitninja.com/en/ongoing-issue-with-apache-update-_-misdirected-request-dod68NJn

Revision history for this message
PeterH (sparkpeterh) wrote :

If anyone is using cloudflare tunnels I've found a fix for this after a lot of digging.

Login to Cloudflare > Zero Trust > Networks > Tunnels > Click the 3 dots on your tunnel > Configure
Locate the "Public hostname" you're having a problem with > Click the 3 dots on it > Edit
Click "Additional Application Settings" > TLS
Change "Origin Server Name" to match the above URL, click save

Hope this helps someone!

Revision history for this message
Norman (normanevertec) wrote :

We use an AWS Application Load Balancer in front of instances with Ubuntu. After the automatic upgrade we have the same issue. We don't have a fix to manage the SNI over Apache. For the moment we restore a backup and disable the automatic upgrade while waiting for a fix.

Revision history for this message
Sudhakar Verma (sudhackar) wrote (last edit ):

Upstream seems affected too

https://lists.apache.org/thread/xb4zopfkxq0bz5xy1cb4p0ftd381gkco

I repro'd with

```
root@b5b2d2634adb:/# cat /etc/apache2/sites-enabled/000-default.conf
# /etc/apache2/sites-available/default.conf
<VirtualHost *:80>
    ServerName default.localhost
    DocumentRoot /var/www/default
</VirtualHost>

<VirtualHost *:443>
    ServerName default.localhost
    DocumentRoot /var/www/default

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/default.crt
    SSLCertificateKeyFile /etc/ssl/private/default.key
</VirtualHost>

# /etc/apache2/sites-available/service1.conf
<VirtualHost *:80>
    ServerName service1.localhost
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/service1
</VirtualHost>

<VirtualHost *:443>
    ServerName service1.localhost
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/service1

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/service1.crt
    SSLCertificateKeyFile /etc/ssl/private/service1.key
</VirtualHost>

root@b5b2d2634adb:/# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/service1.key -out /etc/ssl/certs/service1.crt
root@b5b2d2634adb:/# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/default.key -out /etc/ssl/certs/default.crt
root@b5b2d2634adb:/# mkdir -p /var/www/service1 /var/www/default
root@b5b2d2634adb:/# a2enmod ssl
root@b5b2d2634adb:/# service apache2 restart
```
and then

```
root@b5b2d2634adb:/# curl -k -H 'Host: service1.localhost' https://127.0.0.1:443
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>421 Misdirected Request</title>
</head><body>
<h1>Misdirected Request</h1>
<p>The client needs a new connection for this
request as the requested host name does not match
the Server Name Indication (SNI) in use for this
connection.</p>
<hr>
<address>Apache/2.4.58 (Ubuntu) Server at service1.localhost Port 443</address>
</body></html>
```

summary: - 421 Misdirected Request
+ 421 Misdirected Request: apache2 regression
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Here is the upstream bug tracking this issue:

https://bz.apache.org/bugzilla/show_bug.cgi?id=69743

tags: added: regression-update
Revision history for this message
Roy Zuo (roylez) wrote :
Jonas Jelten (jj)
tags: added: server-triage-discuss
Revision history for this message
Andreas Hasenack (ahasenack) wrote (last edit ):

Looks like upstream added a new config option to mitigate this:

https://github.com/apache/httpd/commit/29a575d7b6bc908bb081052afbda8099f5c1e8ba

@security, would you consider this?

Thx

tags: removed: server-triage-discuss
Changed in apache2 (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is the 2.4.x backport:

https://github.com/apache/httpd/commit/c2b061aa74c5c46c09a537a655220590eccc1ca3

We will look into releasing new security updates with this new option included.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I have built test packages for jammy to questing in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/

The packages include the above commit which adds the new "SSLVHostSNIPolicy" configuration option. The documentation on the new option is here: https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslvhostsnipolicy

Please test the packages in the PPA to see if they solve the issue in your environment and leave a comment in this bug with the results, and which option was used. Once we get confirmation the updated packages resolve this bug, we will issue them as security regression fixes.

Thanks!

Revision history for this message
Alex L. Demidov (alexeydemidov) wrote :

I have deployed version 2.4.58-1ubuntu8.10 from the ubuntu-security-proposed PPA behind AWS Application Load Balancer. With `SSLVHostSNIPolicy insecure` it works and doesn't trigger 421.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the test! I will be publishing these updates in January.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.64-1ubuntu3.2

---------------
apache2 (2.4.64-1ubuntu3.2) questing-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in the case of failed ACME
    certificate renewal
    - debian/patches/CVE-2025-55753-1.patch: update mod_md to version
      2.6.2 in modules/md/*
    - debian/patches/CVE-2025-55753-2.patch: update mod_md to version
      2.6.6 in modules/md/*
    - CVE-2025-55753
  * SECURITY UPDATE: Server Side Includes adds query string to #exec cmd=
    - debian/patches/CVE-2025-58098.patch: don't pass args for SSI request
      in modules/generators/mod_cgid.c.
    - CVE-2025-58098
  * SECURITY UPDATE: CGI environment variable override
    - debian/patches/CVE-2025-65082.patch: envvars from HTTP headers low
      precedence in server/util_script.c.
    - CVE-2025-65082
  * SECURITY UPDATE: mod_userdir+suexec bypass via AllowOverride FileInfo
    - debian/patches/CVE-2025-66200.patch: don't use request notes for
      suexec in modules/mappers/mod_userdir.c,
      modules/metadata/mod_headers.c.
    - CVE-2025-66200
  * SECURITY REGRESSION: Misdirected Request error (LP: #2117112)
    - debian/patches/CVE-2025-23048-regression.patch: add SSLVHostSNIPolicy
      directive to set the compatibility level required for VirtualHost
      matching in modules/ssl/*.
    - debian/patches/CVE-2025-23048-regression-2.patch: fix handling of
      STRICT mode in modules/ssl/ssl_engine_kernel.c.

 -- Marc Deslauriers <email address hidden> Tue, 09 Dec 2025 10:50:28 -0500

Changed in apache2 (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.58-1ubuntu8.10

---------------
apache2 (2.4.58-1ubuntu8.10) noble-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in the case of failed ACME
    certificate renewal
    - debian/patches/CVE-2025-55753.patch: update mod_md to version
      2.6.6 in modules/md/*
    - CVE-2025-55753
  * SECURITY UPDATE: Server Side Includes adds query string to #exec cmd=
    - debian/patches/CVE-2025-58098.patch: don't pass args for SSI request
      in modules/generators/mod_cgid.c.
    - CVE-2025-58098
  * SECURITY UPDATE: CGI environment variable override
    - debian/patches/CVE-2025-65082.patch: envvars from HTTP headers low
      precedence in server/util_script.c.
    - CVE-2025-65082
  * SECURITY UPDATE: mod_userdir+suexec bypass via AllowOverride FileInfo
    - debian/patches/CVE-2025-66200.patch: don't use request notes for
      suexec in modules/mappers/mod_userdir.c,
      modules/metadata/mod_headers.c.
    - CVE-2025-66200
  * SECURITY REGRESSION: Misdirected Request error (LP: #2117112)
    - debian/patches/CVE-2025-23048-regression.patch: add SSLVHostSNIPolicy
      directive to set the compatibility level required for VirtualHost
      matching in modules/ssl/*.
    - debian/patches/CVE-2025-23048-regression-2.patch: fix handling of
      STRICT mode in modules/ssl/ssl_engine_kernel.c.

 -- Marc Deslauriers <email address hidden> Tue, 09 Dec 2025 10:50:28 -0500

Changed in apache2 (Ubuntu):
status: Confirmed → Fix Released