Fix 421 Misdirected Request by adding proxy_ssl_server_name #688
Open
axcelx wants to merge 1 commit into AnoopAlias:ndeploy4 from
## Problem

Sites intermittently return HTTP 421 "Misdirected Request" errors after failover/failback events. The error occurs on HTTPS requests and affects all clients.

## Root Cause

When nginx proxies HTTPS requests to Apache on port 4430, it does not send the SNI (Server Name Indication) header. Apache has multiple SSL vhosts listening on port 4430 and relies on SNI to determine which vhost should handle the request. Without SNI, Apache cannot match the incoming request to the correct vhost and returns a 421 error.

The error message from nginx logs:

```
access forbidden by rule, client: x.x.x.x, server: _, request: "HEAD / HTTP/1.1", host: "example.com"
```

The 421 response includes `charset=iso-8859-1`, indicating it originates from Apache, not nginx.

## Solution

Add the following nginx directives to all SSL server blocks in `conf/server.j2`:

```nginx
proxy_ssl_server_name on;
proxy_ssl_name $host;
```

These directives instruct nginx to:

- `proxy_ssl_server_name on` - Enable passing the SNI header when proxying to upstream SSL servers
- `proxy_ssl_name $host` - Use the requested hostname as the SNI value

## Files Changed

- `conf/server.j2` - Added proxy SSL settings in all 5 SSL server blocks (after `ssl_stapling on;` directives)

## Testing

- Before fix: `curl -Ik https://example.com` returns HTTP 421
- After fix: `curl -Ik https://example.com` returns HTTP 200
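The fix is applied by hand to each of the 5 SSL server blocks in the template, so a block that is added later or misses the edit would silently reintroduce the 421. The following regression check is an added example (not code from the nDeploy project or this PR) that scans a rendered nginx config and reports every SSL server block proxying to an HTTPS upstream without both SNI directives; the sample config and host names are constructed.

```python
# Added regression check (not nDeploy project code): lint a rendered nginx config
# so every SSL server block that proxies to an HTTPS upstream forwards SNI.
import re

# Constructed sample standing in for a rendered conf/server.j2: the first
# block carries the fix, the second is missing it.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name good.example;
    ssl_stapling on;
    proxy_ssl_server_name on;
    proxy_ssl_name $host;
    location / { proxy_pass https://127.0.0.1:4430; }
}
server {
    listen 443 ssl;
    server_name bad.example;
    ssl_stapling on;
    location / { proxy_pass https://127.0.0.1:4430; }
}
"""

SERVER_OPEN = re.compile(r'\bserver\s*\{')

def server_blocks(conf):
    """Yield each top-level server { ... } block, matching braces so that
    nested location blocks stay inside their server."""
    pos = 0
    while (m := SERVER_OPEN.search(conf, pos)):
        depth, end = 1, m.end()
        while depth:
            depth += {'{': 1, '}': -1}.get(conf[end], 0)
            end += 1
        yield conf[m.start():end]
        pos = end

def missing_sni(conf):
    """Return server_name of each SSL block proxying to https:// that lacks
    either SNI directive; an empty list means the fix is present everywhere."""
    bad = []
    for block in server_blocks(conf):
        is_ssl = re.search(r'\blisten\b[^;]*\bssl\b', block)
        if not (is_ssl and 'proxy_pass https://' in block):
            continue  # plain-HTTP or non-TLS-upstream blocks need no SNI
        has_on = re.search(r'^\s*proxy_ssl_server_name\s+on\s*;', block, re.M)
        has_name = re.search(r'^\s*proxy_ssl_name\s+\$host\s*;', block, re.M)
        if not (has_on and has_name):
            name = re.search(r'^\s*server_name\s+([^;]+);', block, re.M)
            bad.append(name.group(1).strip() if name else '<unnamed>')
    return bad
```

Run it against the output of the template render; a non-empty list names the vhosts that would still trigger the Apache 421.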