Tech Tip: Fixing 421 Misdirected Request SNI Issues Between HAProxy and Apache

August 27, 2025

Created using Perplixity AI

Tech Tip: Fixing 421 Misdirected Request SNI Issues Between HAProxy and Apache

Overview

The HTTP 421 Misdirected Request error occurs when Apache receives an HTTPS request with an SNI hostname that doesn’t match its configured virtual hosts. This often happens when HAProxy is used as a reverse proxy in front of Apache and does not properly forward or handle the Server Name Indication (SNI) during TLS negotiation.

Why It Happens

Apache requires the correct SNI hostname during the TLS handshake to serve the appropriate site.
Newer Apache versions enforce stricter SNI checks due to security improvements.
If HAProxy does not forward SNI information correctly, Apache returns a 421 error indicating the request was sent to a server that cannot handle it.

How to Fix It

HAProxy Configuration (SSL Passthrough)

frontend https-in
    bind *:443 ssl crt /etc/ssl/certs/haproxy.pem
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend apache-https-backend

backend apache-https-backend
    mode tcp
    server apache1 192.168.0.2:443 send-proxy-v2 ssl verify none sni str(1,32)

Key points:

Use mode tcp for SSL passthrough so HAProxy forwards the TLS handshake transparently.
sni str(1,32) extracts and forwards the client SNI hostname to Apache.
send-proxy-v2 enables PROXY protocol support if Apache is configured to accept it.

HAProxy Configuration (SSL Termination)

frontend https-in
    bind *:443 ssl crt /etc/ssl/certs/haproxy.pem
    mode http
    default_backend apache-backend

backend apache-backend
    mode http
    server apache1 192.168.0.2:80 check

Notes:

HAProxy terminates SSL and proxies plain HTTP to Apache.
Ensure Apache virtual hosts are correctly configured to handle the forwarded Host header.

Apache Virtual Host Example

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
</VirtualHost>

Virtual hosts should have the correct ServerName matching the SNI hostname.
Ensure SSL certificates are properly configured.

Testing & Validation

Use curl to test and confirm no 421 errors:

curl -IkH "Host: example.com" https://haproxy-ip

Summary

The 421 error is caused by an SNI mismatch between HAProxy and Apache.
Properly forward SNI from HAProxy to Apache when using SSL passthrough.
Configure Apache virtual hosts to match the SNI hostname.
Validate the setup using HTTPS clients like curl.

This tip helps avoid 421 Misdirected Request errors in modern HAProxy-Apache reverse proxy TLS setups.