Symptoms
Servers that use the CloudLinux EasyApache packages, including CloudLinux and servers that use the Imunify360 Hardened repositories, still encounter 421 Misdirected requests on hosted websites.
Description
CloudLinux recently updated their provided ea-apache24 to version 2.4.64. Apache 2.4.64 introduced stricter SSL/TLS handling to address vulnerabilities, which leads to incompatibility issues with proxies that don’t include SNI in their upstream connections. The 421 error was a result of the server being unable to determine a matching virtual host due to missing SNI data.
For additional detailed information regarding this issue, please refer to the following article:
Apache 2.4.65 Update and Reverse Proxy 421
Workaround
CloudLinux has released an updated version of ea-apache24 to the cl-ea4-testing repository to address this issue. This can be updated to using the command below:
yum update ea-apache24* ea-nginx --enablerepo=cl-ea4-testing
For servers in which the packages are updated using Imunify360 Hardened repositories, you can upgrade ea-apache24 from the beta repositories:
yum update ea-apache24* ea-nginx --enablerepo=imunify360-ea-php-hardened-beta
If version lock was used to temporarily pause updates to this package, it can be removed using the steps within the article here:
How to remove version lock packages
Additional Resources
cloudlinux.zendesk.com: 421 Misdirected Request Error After Recent ea-apache Update
Websites show "421 Misdirected Request" error while using EA-Nginx or other proxies
Comments
22 comments
I feel like a fish out of water. This is our first experience of an automatic update taking out every site we host. we followed the guide and bounced back to the previous version with a lock.
should we be doing something to catch this in the future? without the assistance of cPanel support we would have been lost. super serious, cannot reply on AI when Chat GPT has no clue about latest things occurring.
Such events deserve an email to partners and clients with a heads-up.
I simple article with correct information among others is putting our fate into probability.
this issue freaked me out checking everywhere early in this morning at 6am while customers calling me, i search cpanel, cloudflare, cloudlinux for the problem...luckily the yum downgrade fixed it all :(
cPanel has always been great with support!
I woke up in a panic after receiving a flood of messages from customers saying their websites were down. A server reboot didn’t help, so I logged in to open a support ticket—and that’s when I saw the banner linking to this article about the issue. Following the steps resolved the problem immediately. I truly appreciate the quick guidance and hope this will be fully addressed in an upcoming release to prevent such occurrences in the future.
A lot of people will not have a clue that this is happening, just see an error and never find this article because they dont see the 421 error if they dont know how to look in logs etc.
Its not really a fix just a temporary solution I suppose.
Nothing like waking up on a Saturday morning to find out every website you host is down.
@tonynyc feels good to know Im not alone LOL
btw was able to fix it with the official downgrade EA4 temp fix in case anyone wonder
Definitely not alone. Totally did not expect to see that at 5 o’clock in the morning.
Estuvimos renegando toda la mañana del sábado hasta que encontramos éste artículo y se resolvió perfecto
I want to see heads rolling at cPanel/CloudLinux/Imunify360.
Who is responsible for this Crowdstrike-level incident?
Anyone interested in going class-action, DM me on LinkedIn: https://www.linkedin.com/in/nixkolaas/
All:
Here's an updated fix:
https://support.cpanel.net/hc/en-us/articles/33553346450455-Websites-show-421-Misdirected-Request-error-while-using-EA-Nginx-or-other-proxies
Adnan Ahmed Tonmoy
I contacted CloudLinux about Imunify360 with Hardened PHP without using CloudLinux, and I received the following fix.
They should be updating the article soon at https://cloudlinux.zendesk.com/hc/en-us/articles/21282870470172-421-Misdirected-Request-Error-After-Recent-ea-apache-Update
Using Cloudflare we started to have a random 403 Forbidden - openresty/1.27.1.1 error, still happening after all fixes and downgrade.
lol so woke up to same issue again, luckily now I checked here right away and saw the updated solution and ran the update, and it did fix it again.
Que susto pero nada, ya esta todo bien.
Run the new upgrade guys and it should be fixed!
Edit: Same issue returned today August 20 and I had to downgrade AGAIN to get rid of the errors!
Why is the thread closed for new comments and every new thread has comments disabled?
The proposed "Workaround" above does not solve or workaround the issue!
Why is there no way of commenting on this issue while it is still not fixed?
Please either post a final fix or open comments again!
Since apache has released 2.4.65, would this makes the cPanel/Imunify/CL affected again?
I am facing this issue on almalinux server as well. This is unacceptable from cPanel after paying so much high charges.
We are facing this issue daily when cpanel upgrades and we need to downgrade apache
Jorge Ventura Disable Cloudflare record proxying and test again. You may need to connect to a VPN or wait some time after disabling the proxy before the site will load correctly. Also ensure to test using an incognito window.
Thanks, we are aware and it was the solution, but we have a lot of rules, WAF etc, on Cloudflare that we need to maintain active… not sure why, because we downgraded the Apache, and it only happens on some websites.
If you are using engintron or nginx as proxy then also you will face this issue.
This is a temporary solution that works for me, but every time the files are recreated I have to do it again.
I had to add a line (proxy_ssl_server_name on;) in every conf file at /etc/nginx/conf.d/users
this line has to be added before *every* "proxy_pass" line.
Example:
BEFORE:
location / {
include conf.d/includes-optional/cpanel-proxy.conf;
proxy_pass $CPANEL_APACHE_PROXY_PASS;
}
AFTER:
location / {
include conf.d/includes-optional/cpanel-proxy.conf;
proxy_ssl_server_name on;
proxy_pass $CPANEL_APACHE_PROXY_PASS;
}
I also add an "s" in every proxy_pass URL, example:
BEFORE:
proxy_pass http://127.0.0.1:2090/Microsoft-Server-ActiveSync;
AFTER:
proxy_pass https://127.0.0.1:2090/Microsoft-Server-ActiveSync;
then I restarted nginx with
"nginx -t && /scripts/restartsrv_nginx"
And worked for me with Almalinux.
I also did this script to change every conf file at once:
#!/bin/bash
# Base directory
CONF_DIR="/etc/nginx/conf.d/users"
# Verify Directory
if [ ! -d "$CONF_DIR" ]; then
echo "Directory not found: $CONF_DIR" >&2
exit 1
fi
# Find and modify all .conf files
find "$CONF_DIR" -type f -name "*.conf" | while read -r CONF_FILE; do
echo "Processing: $CONF_FILE"
# Create backup files
cp "$CONF_FILE" "$CONF_FILE.bak"
# Insert proxy_ssl_server_name before each proxy_pass
# and replace http:// with https:// in proxy_pass
sed -i '/^\s*proxy_pass /{
h
s/^\(\s*\).*/\1proxy_ssl_server_name on;/
G
}' "$CONF_FILE"
sed -i 's|\(proxy_pass\s*\)http://|\1https://|g' "$CONF_FILE"
done
echo "OK Process completed. All files modified with .bak backup."
I hope this help some of us.
Issue has been already reported 2 weeks ago.
Report:
cPanel:
Article is closed for comments.