The latest Apache update (2.4.64) has introduced stricter requirements for Server Name Indication (SNI) during SSL/TLS handshakes. This change has led to a 421 Misdirected Request error for many websites.


 If you’ve ever added a new site to your server only to have it display the "Default" site or throw a cryptic SSL/SNI
 error, you aren't alone. This is a common hurdle when using Cloudflare Tunnels (`cloudflared`) with an Apache backend.


 The Problem: The SNI Handshake Trap
 By default, many administrators try to point their Cloudflare Tunnel to Apache’s secure port:
 service: https://localhost:443


 When cloudflared attempts to connect via HTTPS, it initiates a TLS handshake with Apache. If Apache isn't perfectly
 configured to handle the specific Server Name Indication (SNI) for that local connection, or if there is a certificate
 mismatch, the handshake fails. Apache often falls back to the "Default" virtual host (the first one loaded), leading
 to users seeing the wrong website.


 The Solution: Terminate SSL at the Edge
 The most robust way to fix this is to let Cloudflare handle the SSL termination at the "Edge" and route the internal
 tunnel traffic to Apache via HTTP (Port 80).


 1. Update Cloudflare config.yml
 Instead of routing to 443, point your ingress rules to the local HTTP port. This eliminates the need for a complex TLS
 handshake between the tunnel and your server.


 ingress:
   - hostname: yoursite.com
     service: http://localhost:80
   - hostname: www.yoursite.com
     service: http://localhost:80

 2. Configure Apache VirtualHosts
 Ensure your Apache site configuration has a standard port 80 block. Since cloudflared runs on the same machine and
 connects to Apache over the loopback interface, this "internal" HTTP hop is plaintext only on the host itself and never
 leaves it; the traffic from Cloudflare to your machine still travels through the encrypted tunnel.


 <VirtualHost *:80>
     ServerName yoursite.com
     ServerAlias www.yoursite.com
     DocumentRoot /var/www/yoursite.com/public_html
 </VirtualHost>
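Before restarting anything, it is worth checking that every tunnelled hostname really points at plain HTTP and is claimed by a port 80 VirtualHost. The script below is an added example, not code from the original post or from Cloudflare or Apache. It parses the ingress list of a cloudflared config.yml and an Apache sites file (both constructed samples embedded inline, with a placeholder tunnel id) and reports the two failure modes described above: a rule still pointing at https://localhost:443, and a hostname with no matching *:80 VirtualHost, which Apache would answer from the default site. The catch-all check reflects cloudflared's requirement that the last ingress rule carries no hostname.

```python
"""Audit a cloudflared ingress config against Apache port-80 VirtualHosts.

Added example, not code from the original post or from Cloudflare/Apache.
"""
import re

# Constructed sample inputs for demonstration; replace with your real files.
SAMPLE_CLOUDFLARED_CONFIG = """\
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json
ingress:
  - hostname: yoursite.com
    service: https://localhost:443
  - hostname: www.yoursite.com
    service: http://localhost:80
  - hostname: blog.yoursite.com
    service: http://localhost:80
  - service: http_status:404
"""

SAMPLE_APACHE_VHOSTS = """\
<VirtualHost *:80>
    ServerName yoursite.com
    ServerAlias www.yoursite.com
    DocumentRoot /var/www/yoursite.com/public_html
</VirtualHost>
<VirtualHost *:443>
    ServerName blog.yoursite.com
    DocumentRoot /var/www/blog.yoursite.com/public_html
</VirtualHost>
"""


def parse_ingress(config_text):
    """Return the ingress rules as a list of {key: value} dicts.

    Minimal line-based parse of the `ingress:` list; enough for the flat
    hostname/service rules a cloudflared config.yml normally contains.
    """
    rules, in_ingress = [], False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not in_ingress:
            in_ingress = line.startswith("ingress:")
            continue
        if not line.startswith(" "):   # next top-level key ends the list
            break
        body = line.strip()
        if body.startswith("- "):      # "- " opens a new rule
            rules.append({})
            body = body[2:]
        key, sep, value = body.partition(": ")  # first ": " only, so
        if sep and rules:                       # "http_status:404" survives
            rules[-1][key.strip()] = value.strip()
    return rules


def vhost_names(vhost_text, port=80):
    """Collect every ServerName/ServerAlias declared by a VirtualHost on `port`."""
    names = set()
    blocks = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                        vhost_text, flags=re.DOTALL | re.IGNORECASE)
    for addr, body in blocks:
        if not any(a.endswith(f":{port}") for a in addr.split()):
            continue
        for directive in re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body,
                                    flags=re.MULTILINE | re.IGNORECASE):
            # Drop an optional scheme:// prefix and :port suffix on each name.
            names.update(re.sub(r"^\w+://", "", n).split(":")[0]
                         for n in directive.split())
    return names


def audit(config_text, vhost_text):
    """Return a list of (hostname, finding) tuples; an empty list means all clear."""
    findings = []
    rules = parse_ingress(config_text)
    served = vhost_names(vhost_text, port=80)
    if not rules or "hostname" in rules[-1]:
        findings.append(("*", "last ingress rule must be a catch-all with no hostname"))
    for rule in rules:
        host = rule.get("hostname")
        service = rule.get("service", "")
        if host is None:
            continue
        if service.startswith("https://"):
            findings.append((host, f"origin {service} uses TLS, so cloudflared must "
                                   "complete an SNI/certificate handshake with Apache; "
                                   "point it at http://localhost:80 instead"))
        if host not in served:
            findings.append((host, "no *:80 VirtualHost names this host; Apache "
                                   "will serve the default site for it"))
    return findings


if __name__ == "__main__":
    results = audit(SAMPLE_CLOUDFLARED_CONFIG, SAMPLE_APACHE_VHOSTS)
    for host, finding in results or [("*", "no issues found")]:
        print(f"{host}: {finding}")
```

Run against the constructed samples it reports yoursite.com for the https:// origin and blog.yoursite.com for the missing port 80 block; www.yoursite.com passes. Feed it your own config.yml and sites-enabled files and an empty result means the two steps above are in place for every hostname the tunnel serves.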


 Why This Works
  1. Encryption is Maintained: Your users still connect to Cloudflare via HTTPS, and the tunnel itself is an
     encrypted connection between cloudflared on your server and Cloudflare's edge. The only plaintext hop is the
     loopback connection from cloudflared to Apache on the same machine.
  2. No More SNI Mismatches: By hitting Port 80, Apache uses the Host header to immediately identify the correct
     VirtualHost without the overhead or potential failure of a local SSL handshake.
  3. Simplified Certificate Management: You no longer need to worry about Apache’s local certificates matching
     Cloudflare’s expectations for the tunnel to stay alive.


 Pro Tip: After making these changes, always remember to restart both services:
 sudo systemctl restart apache2
 sudo systemctl restart cloudflared

 ---


 Originally posted on Phlaxion.com — Simplifying Cloud Infrastructure.