익명 17:02

How can I deal with a “421 Misdirected Request” on a Red Hat 8 Apache (LAMP)...

How can I deal with a “421 Misdirected Request” on a Red Hat 8 Apache (LAMP) setup after a recent DNF/YUM update?

I recently (September 5, 2025) did a fairly rote/boring sudo dnf update on a couple of dozen Red Hat 8 based LAMP servers I manage. Things went well for most of them, but a couple are now showing “421 Misdirected Request” errors seemingly caused after an update to Apache HTTPD.

Misdirected Request

The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.

I’ve researched online and the general message I am getting is these errors are typically happening on servers that are interacting with reverse proxies and such.

Okay, that’s fine. We do have a reverse proxy setup in our Enterprise environment and we can adjust settings to deal with this 421/SNI error… But not on the weekend of course. I have to wait until Monday to properly address things with the team that manages at reverse proxy setup.

What can I do right now with Red Hat 8 server access to deal with these 421/SNI errors to get these handful of sites up and running until we can properly deal with the issue when people are back in the office on Monday?

P.S. Also note that all of the solutions to be found online as of the posting of this question explain how to adjust Nginx settings like proxy_ssl_server_name, proxy_ssl_name and proxy_ssl_session_reuse to fix things. But none of this seems relevant to anyone using Apache HTTPD behind a reverse proxy.



Top Answer/Comment:

There is now a SSLVHostSNIPolicy config option that should be able to deal with this stuff.

Since posting this nearly a year ago, Apache seems to now have a config option to deal with various SNI setups called SSLVHostSNIPolicy. The config options are as follows:

Policy mode Any VirtualHost mismatch Server certificate/key, or protocol/cipher restrictions Client verification/authentication settings
strict blocked blocked blocked
secure allowed blocked blocked
authonly allowed allowed blocked
insecure allowed allowed allowed

Now when you update Apache httpd it will install a configuration for this stuff in the standard conf.d directory like this:

/etc/httpd/conf.d/rhel-snipolicy.conf

And the contents are:

#
# Vendor override: Set the default SNI virtual host policy to "authonly"
# to preserve compatibility between virtual hosts which differ only in
# certificate or key configuration. This overrides the hard-coded
# mod_ssl default mode of "secure".
#
# See the directive documentation for more information:
# https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslvhostsnipolicy
#
# NOTE: if this file is removed, it will be restored on upgrades.
# To disable the override, comment-out the lines below.
#
<IfDirective SSLVHostSNIPolicy>
  SSLVHostSNIPolicy authonly
</IfDirective>

That <IfDirective SSLVHostSNIPolicy> portion can be placed in the main https.conf or whatever local config you might set in /etc/httpd/conf.d/.

In a few cases I have dealt with I had to set SSLVHostSNIPolicy insecure. In many other cases I was stymied on, these were single tenant Apache setups that still had virtual hosts set up so simply disabling ServerName and ServerAlias got things working again.

For multiple tenant setups, I set SSLVHostSNIPolicy insecure and all was working again with updated Apache!

All of the severs I managed are now happily using the latest Apache with httpd -V showing as follows:

Server version: Apache/2.4.37 (Red Hat Enterprise Linux)
Server built:   May 13 2026 14:05:58
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
상단 광고의 [X] 버튼을 누르면 내용이 보입니다