https "Misdirected request" monitoring after target ubuntu 8.7 update
We have an https test which started erroring when the target host auto-updated from ubuntu 8.6 to 8.7
Anyone seeing anything like this?
Apache version hasn't changed, 2.4.58, although packages are re-installed with 8.7 versions
Searching for "Misdirected request" brings up issues with multi-name certs but target cert is just for the one hostname, no SAN no wildcard.
Tried the various things like httpsc, httpsm, httpsh, no joy.
If I limit to http the test is green. I can wget the https page from the xymon host
The SSL cert test has stayed green uninterrupted.
Ran the site past Qualys SSL test (external IP) and testssl (internal) with nothing much interesting.
Thanks for any clues.
--
Hosts.cfg line:
172.30.0.202 dokuwiki.example.com #https://dokuwiki.example.com
Yesterday:
Fri Jul 11 14:41:35 2025: OK
green https://dokuwiki.example.com/ - OK
HTTP/1.1 302 Found
Date: Fri, 11 Jul 2025 21:41:35 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Cookie
Set-Cookie: DokuWiki=57e8op63npgj2ehl99rp99n1s1; path=/; secure; HttpOnly; SameSite=Lax
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: DW7fa065a06cb74b536c124cfbe56ac6d3=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly; SameSite=Lax
Location: /doku.php?id=start
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Seconds: 0.017766000
--
--
Today (showing http and https):
Fri Jul 18 22:42:49 2025: Misdirected Request ; OK
red https://dokuwiki.example.com/ - Misdirected Request
HTTP/1.1 421 Misdirected Request
Date: Sat, 19 Jul 2025 05:42:49 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 402
Connection: close
Content-Type: text/html; charset=iso-8859-1
Seconds: 0.031074000
green http://dokuwiki.example.com/ - OK
HTTP/1.1 302 Found
Date: Sat, 19 Jul 2025 05:42:49 GMT
Server: Apache/2.4.58 (Ubuntu)
Location: https://dokuwiki.example.com/
Content-Length: 285
Connection: close
Content-Type: text/html; charset=iso-8859-1
Seconds: 0.015943000
Hi
This is quite possibly to do with SNI, where the webserver is unable to match a certificate to the request. Try adding "sni" to the hosts.cfg entry, or add "--sni" to the xymonnet parameters in tasks.cfg.
Apparently this is happening all over the place in the past few days, triggered by a patch by the Apache foundation for a CVE related to improper SNI handling. Could be a coincidence, given that you didn't upgrade Apache. But the symptoms appear to be the same.
Cheers Jeremy
Xymon mailing list -- xymon@xymon.com To unsubscribe send an email to xymon-leave@xymon.com
I suspect the original poster did in fact upgrade apache: they mention "8.7 update", which I suspect means moving from 2.4.58-1ubuntu8.6 to 2.4.58-1ubuntu8.7 which was released a couple of days ago for Ubuntu 24.04:
https://ubuntu.com/security/notices/USN-7639-1
That update led to me seeing 421 "misdirected request" HTTP responses in xymon until we enabled SNI.
Minor correction to Jeremy's post: note that the xymonnet docs say that the flag to add (if updating the xymonnet entry in tasks.cfg) is --sni=on, not just --sni.
To the original poster: you need to be aware that the http/https tests in xymon, along with a range of other network-related tests, are performed by the xymonnet command line tool:
https://xymon.sourceforge.io/xymon/help/manpages/man1/xymonnet.1.html
so using tools like wget will potentially give different responses. For example, SNI (server name indication) was added to wget in 2012 https://savannah.gnu.org/forum/forum.php?forum_id=7323 , and seems to be enabled by default with no option to disable it.
To see the effect of running xymonnet with and without sni,
/usr/lib/xymon/server/bin/xymonnet --no-update server.example.com
/usr/lib/xymon/server/bin/xymonnet --no-update --sni=on server.example.com
where server.example.com is the name of a host in your hosts.cfg that has an https test configured. (--no-update will print the test output to stdout rather than sending the report to your xymon server)
Adam
Adam, thanks for the follow-up with more detail and more accuracy.
On Sun, 20 Jul 2025 at 02:21, Adam Thorn via Xymon <xymon@xymon.com> wrote:
> I suspect the original poster did in fact upgrade apache: they mention "8.7 update", which I suspect means moving from 2.4.58-1ubuntu8.6 to 2.4.58-1ubuntu8.7 which was released a couple of days ago for Ubuntu 24.04:
That was my thought too, but all of their examples show the same version in the Server header:
Server: Apache/2.4.58 (Ubuntu)
*looks more closely*
Ah, I see what you mean. The update was at a patch level, not a major.minor release level, so the Server header would not have changed as a result of this update.
> Minor correction to Jeremy's post: note that the xymonnet docs say that the flag to add (if updating the xymonnet entry in tasks.cfg) is --sni=on, not just --sni.
Grateful for your keen eye. I was looking at the hosts.cfg(5) man page which only mentioned the "--sni" option for xymonnet and not how to use it. I should've followed through with a review of the xymonnet(1) man page, before pretending to have any degree of experience.
<snip>
Cheers Jeremy
Thank you both, that worked
Yes, apologies if it was unclear, the upgrade to ubuntu 8.7 did replace the 2.4.58-1ubuntu8.6 package with 2.4.58-1ubuntu8.7
Annoying that a change that doesn’t change the rev number seems to have changed several behaviors, both this and the charset.
I confess I’m not entirely clear about how SNI is involved when the webserver has one hostname and the cert has one hostname and xymon is trying to connect to that hostname by name.
Is it related to the fact that the hostname is attached to a vhost and not to the overall apache instance?
Thanks again and may all your blinky lights be green.
I can't say in this instance, but some package updates are backports of security patches that are written for later releases, so when backported to an older release, the major.minor numbers don't change, and only the patch release suffix changes. Might be the case here.
The problem that SNI solves is to do with privacy. For non-TLS traffic, a webserver can have multiple hostnames (vhosts?) at the one endpoint, and it knows which vhost to use based on the hostname in the Host: header that the client sends in its web query. Without the Host: header, the server can't know which website the client is wanting to access. The DNS name is passed from client to server only in the Host: header.
Under pre-SNI SSL/TLS implementations, the secure tunnel is built with no information about either end, and then the client sends a Host header to say what website it wants to connect to. But in order to establish the tunnel, the certificate must already have been selected to authenticate the server to the client. The Host: header has the website domain name in it, but the Host: header isn't sent until AFTER the TLS tunnel is established, including certificate selection. We have a chicken-and-egg situation.
How SNI solves this is that the website domain name is sent within the TLS negotiation, so that the webserver can choose the right certificate before the Host: header is selected.
If the SNI value is missing from the TLS negotiation, the webserver doesn't know which website is required, and doesn't know which certificate to use to authenticate with. In previous versions of Apache, the behaviour where the hostname was not available through SNI was insecure. A user who is permitted to access one vhost could leverage this lax SNI handling to access a different vhost that they aren't granted access. I believe the patch locked this down, causing strict SNI behaviour by default. The end result is that in some configurations, SNI is now required.
Cheers Jeremy
participants (3): Adam Thorn, betsys@well.com, Jeremy Laidman