NGINX: "421 Misdirected Request" (bug in Apache v2.4.64)

Resolved Jul 27, 2025 9:20 AM AEST

We have successfully upgraded to the repackaged v2.4.64-3 release of Apache.

In due course, machines will upgrade to v2.4.65 automatically once released from upstream.

Thanks for your patience while we made sure a sustainable fix was deployed, without version locking.

If you have any queries or concerns, please reach out to our Helpdesk for further support. Testing has passed.

Monitoring Jul 27, 2025 9:05 AM AEST

CloudLinux have asked us to test their beta version of v2.4.64 which addresses the SNI breakage.

This appears to be the cPanel-repackaged version v2.4.64-3, which we’re rolling out now.

Our next update should be the final one, after we’ve successfully upgraded.

* Fri Jul 18 2025 - ea-apache24 - 2.4.64-3
- EA-13041: Rolling “ea-apache24” back to “35b37d6c7295199c5157c68145f220d9fa61ff02”: Apache v2.4.64 broke SNI (rando 421)

* Fri Jul 18 2025 - ea-nginx - 1.26.3-11
- EA-13040: Remove SNI fix as we've removed the offending changes in ea-apache24 for now.

Monitoring Jul 26, 2025 8:30 AM AEST

We have downgraded to v2.4.63 and are monitoring stability, which so far seems OK.

cPanel are trying to prioritise testing v2.4.65 so we can then upgrade and incorporate the CVE fixes.

At this time, if you have any continuing problems please get in touch with our Helpdesk so we can investigate.

Updated Jul 26, 2025 8:02 AM AEST

cPanel are tracking this under case EA-13040. Our ticket with them is 95754614.
CloudLinux are tracking this under EA4D-684. Our ticket with them is 257792.

cPanel repackaged into v2.4.64-3 however CloudLinux now pushes v2.4.64-1.
It seems that we will be force-downgrading and version locking very shortly.

We understand that v2.4.65 is undergoing testing before being released.

Problem Identified Jul 26, 2025 7:50 AM AEST

G’day,

We’re working through a wide-spread known bug in NGINX due to Apache v2.4.64 (which resolved various CVEs) breaking SNI. cPanel had worked around this 1 week ago, hence it’s strange that impact has started today.

Original: https://support.cpanel.net/hc/en-us/articles/33553346450455-Websites-show-421-Misdirected-Request-error-while-using-EA-Nginx-or-other-proxies

New, due to CL: https://support.cpanel.net/hc/en-us/articles/33724988525207-Websites-still-experiencing-421-Misdirected-requests-after-upgrading-to-CloudLinux-s-ea-apache24-2-4-64

Apache v2.4.64 introduced stricter SSL/TLS handling to address vulnerabilities, which leads to incompatibility with proxies that don’t include SNI in their upstream connections. The 421 error was a result of the server being unable to determine a matching virtual host due to missing SNI (Server Name Indication) data.

Apache v2.4.65 resolved the problem, however it seems that cPanel have not yet released it downstream.

We are starting with isolated machines to verify a fix, and will then roll out more broadly.

Thanks for your patience while we work through this.

Cheers,
Merlot Digital

The Network Crew Pty Ltd (TNC)