ProxySG & Advanced Secure Gateway

“Reverse Proxy” HTTP error code 421 - Misdirected Request


    Posted 09-03-2019 09:41 AM

    Starting from 6.7.4.105, the ProxySG supports Server Name Indication (SNI) in reverse proxy mode. Previously, SNI was supported for forward proxy only.

    SNI is used to indicate which hostname is being contacted by the browser at the beginning of the handshake process. This technology allows a server to serve several domains, each with different SSL certificates, using the same IP address.

    The user will get HTTP error code 421 “Misdirected request” when trying to connect to an HTTPS page and all the below conditions occur at the same time:

    1.     Having several vhosts on the same server/IP
    2.     Having redirection between these vhosts
    3.     Using a different SSL certificate with a different domain for each vhost
    4.     Using HTTP/1.1 or HTTP/2, which reuse the same SSL connection for several consecutive HTTP requests
    5.     The HTTP client, which is the proxy in this case, sets the SNI in the SSL handshake

    The issue is mainly caused by the complex configuration on the server side as mentioned above, so the customer must be informed to separate any vhosts that have redirection on different servers/IPs.

    As a workaround, this issue can be solved by:
    Disabling connection reuse on the proxy by setting http.server.persistence(no) for the vhost that responds with an HTTP redirection.
    For example, if domain1.com redirects to domain2.com, the below CPL script will be needed to not reuse the same SSL connection after redirection:
    <proxy>
      server_url.host=domain1.com http.server.persistence(no)
    Note that this workaround may cause high CPU/memory utilization on customer servers if there are a lot of connections on domain1.com, as each single HTTP request has its own SSL handshake.
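
An added example, not part of the original post and not Symantec/Broadcom code: a small audit that applies conditions 1 to 3 above to a backend inventory and renders the CPL workaround only for the redirecting hosts that need it, which keeps the extra handshake cost limited to those hosts. The inventory, the certificate labels and the function names are constructed for illustration, and conditions 4 and 5 are assumed to hold.

```python
from typing import NamedTuple

class VHost(NamedTuple):
    host: str   # name sent in SNI and in the Host header
    ip: str     # backend address the name resolves to
    cert: str   # label of the certificate served for this name (assumed field)

def hosts_needing_no_persistence(vhosts, redirects):
    """Return redirecting hosts that meet conditions 1-3 of the post."""
    by_name = {v.host.lower(): v for v in vhosts}
    flagged = set()
    for src, dst in redirects:
        a, b = by_name.get(src.lower()), by_name.get(dst.lower())
        if a is None or b is None:
            continue  # target or source is outside the inventory
        if a.host.lower() == b.host.lower():
            continue  # redirect to the same name keeps the same SNI
        # Same backend IP but a different certificate per name: a reused
        # connection negotiated for `src` would carry requests for `dst`.
        if a.ip == b.ip and a.cert != b.cert:
            flagged.add(a.host.lower())
    return sorted(flagged)

def cpl_layer(hosts):
    """Render the workaround in the CPL form shown in the post."""
    if not hosts:
        return ""
    rules = [f"  server_url.host={h} http.server.persistence(no)" for h in hosts]
    return "\n".join(["<proxy>", *rules])

# Constructed inventory (documentation address range, made-up labels).
VHOSTS = [
    VHost("domain1.com", "192.0.2.10", "cert-domain1"),
    VHost("domain2.com", "192.0.2.10", "cert-domain2"),
    VHost("shop.example", "192.0.2.10", "cert-san-shared"),
    VHost("pay.example", "192.0.2.10", "cert-san-shared"),
    VHost("old.example", "192.0.2.20", "cert-old"),
    VHost("new.example", "192.0.2.30", "cert-new"),
]
REDIRECTS = [
    ("Domain1.com", "domain2.com"),      # same IP, different certs: flagged
    ("shop.example", "pay.example"),     # same IP, one shared cert: not flagged
    ("old.example", "new.example"),      # different IPs: not flagged
    ("domain2.com", "cdn.example.net"),  # target not in inventory: skipped
]

if __name__ == "__main__":
    print(cpl_layer(hosts_needing_no_persistence(VHOSTS, REDIRECTS)))
```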