Xymon Mailing List Archive

https "Misdirected request" monitoring after target ubuntu 8.7 update

6 messages in this thread

list Elizabeth Schwartz · Sat, 19 Jul 2025 01:47:21 -0400 ·

We have an https test which started erroring when the target host auto-updated from ubuntu 8.6 to 8.7

Anyone seeing anything like this?

Apache version hasn’t changed, 2.4.58, although packages are re-installed with 8.7 versions

Searching for “Misdirected request” brings up issues with multi-name certs but target cert is just for the one hostname, no SAN no wildcard.

Tried the various things like httpsc, httpsm, httpsh, no joy.

If I limit to http the test is green. I can wget the https page from the xymon host

The SSL cert test has stayed green uninterrupted.

Ran the site past Qualys SSL test (external IP) and testssl (internal) with nothing much interesting.

Thanks for any clues.


--

Hosts.cfg line:

172.30.0.202    dokuwiki.example.com #https://dokuwiki.example.com

---


Yesterday:

Fri Jul 11 14:41:35 2025: OK

green https://dokuwiki.example.com/ - OK

HTTP/1.1 302 Found
Date: Fri, 11 Jul 2025 21:41:35 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Cookie
Set-Cookie: DokuWiki=57e8op63npgj2ehl99rp99n1s1; path=/; secure; HttpOnly; SameSite=Lax
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: DW7fa065a06cb74b536c124cfbe56ac6d3=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly; SameSite=Lax
Location: /doku.php?id=start
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Seconds: 0.017766000

--

Today (showing http and https):

Fri Jul 18 22:42:49 2025: Misdirected Request ; OK

red https://dokuwiki.example.com/ - Misdirected Request

HTTP/1.1 421 Misdirected Request
Date: Sat, 19 Jul 2025 05:42:49 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 402
Connection: close
Content-Type: text/html; charset=iso-8859-1

Seconds: 0.031074000

green http://dokuwiki.example.com/ - OK

HTTP/1.1 302 Found
Date: Sat, 19 Jul 2025 05:42:49 GMT
Server: Apache/2.4.58 (Ubuntu)
Location: https://dokuwiki.example.com/
Content-Length: 285
Connection: close
Content-Type: text/html; charset=iso-8859-1

Seconds: 0.015943000

list Jeremy Laidman · Sat, 19 Jul 2025 19:38:17 +1000 ·
Hi
This is quite possibly to do with SNI, where the webserver is unable to match a certificate to the request. Try adding "sni" to the hosts.cfg entry, or add "--sni" to the xymonnet parameters in tasks.cfg.

Apparently this is happening all over the place in the past few days, triggered by a patch by the Apache foundation for a CVE related to improper SNI handling. Could be a coincidence, given that you didn't upgrade Apache. But the symptoms appear to be the same.

Cheers
Jeremy

list Adam Thorn · Sat, 19 Jul 2025 17:21:35 +0100 ·
I suspect the original poster did in fact upgrade apache: they mention "8.7 update", which I suspect means moving from 2.4.58-1ubuntu8.6 to 2.4.58-1ubuntu8.7 which was released a couple of days ago for Ubuntu 24.04:

https://ubuntu.com/security/notices/USN-7639-1

That update led to me seeing 421 "misdirected request" HTTP responses in xymon until we enabled SNI.

Minor correction to Jeremy's post: note that the xymonnet docs say that the flag to add (if updating the xymonnet entry in tasks.cfg) is --sni=on , not just --sni.

To the original poster: you need to be aware that the http/https tests in xymon, along with a range of other network-related tests, are performed by the xymonnet command line tool:

https://xymon.sourceforge.io/xymon/help/manpages/man1/xymonnet.1.html

so using tools like wget will potentially give different responses. For example, SNI (server name indication) was added to wget in 2012 https://savannah.gnu.org/forum/forum.php?forum_id=7323 , and seems to be enabled by default with no option to disable it.

To see the effect of running xymonnet with and without sni,

/usr/lib/xymon/server/bin/xymonnet  --no-update server.example.com

/usr/lib/xymon/server/bin/xymonnet  --no-update --sni=on server.example.com

where server.example.com is the name of a host in your hosts.cfg that has an https test configured. (--no-update will print the test output to stdout rather than sending the report to your xymon server)

Adam
list Jeremy Laidman · Sun, 20 Jul 2025 10:16:07 +1000 ·
Adam, thanks for the follow-up with more detail and more accuracy.

quoted from Adam Thorn
On Sun, 20 Jul 2025 at 02:21, Adam Thorn via Xymon <xymon@xymon.com> wrote:
I suspect the original poster did in fact upgrade apache: they mention
"8.7 update", which I suspect means moving from 2.4.58-1ubuntu8.6 to
2.4.58-1ubuntu8.7 which was released a couple of days ago for Ubuntu 24.04:

That was my thought too, but all of their examples show the same version in the Server header:

Server: Apache/2.4.58 (Ubuntu)

*looks more closely*

Ah, I see what you mean. The update was at a patch level, not a major.minor release level, so the Server header would not have changed as a result of this update.

quoted from Adam Thorn
Minor correction to Jeremy's post: note that the xymonnet docs say that
the flag to add (if updating the xymonnet entry in tasks.cfg) is
--sni=on , not just --sni.

Grateful for your keen eye. I was looking at the hosts.cfg(5) man page which only mentioned the "--sni" option for xymonnet and not how to use it. I should've followed through with a review of the xymonnet(1) man page, before pretending to have any degree of experience.

<snip>

Cheers
Jeremy
list Elizabeth Schwartz · Mon, 21 Jul 2025 23:23:28 -0400 ·

Thank you both, that worked


Yes, apologies if it was unclear, the upgrade to ubuntu 8.7 did replace the 2.4.58-1ubuntu8.6 package with 2.4.58-1ubuntu8.7

Annoying that a change that doesn’t change the rev number seems to have changed several behaviors, both this and the charset.


I confess I’m not entirely clear about how SNI is involved when the webserver has one hostname and the cert has one hostname and xymon is trying to connect to that hostname by name.

Is it related to the fact that the hostname is attached to a vhost and not to the overall apache instance?


Thanks again and may all your blinky lights be green.


list Jeremy Laidman · Tue, 22 Jul 2025 14:08:59 +1000 ·
I can't say in this instance, but some package updates are backports of security patches that are written for later releases, so when backported to an older release, the major.minor numbers don't change, and only the patch release suffix changes. Might be the case here.
The problem that SNI solves is to do with privacy. For non-TLS traffic, a webserver can have multiple hostnames (vhosts?) at the one endpoint, and it knows which vhost to use based on the hostname in the Host: header that the client sends in its web query. Without the Host: header, the server can't know which website the client is wanting to access. The DNS name is passed from client to server only in the Host: header.

Under pre-SNI SSL/TLS implementations, the secure tunnel is built with no information about either end, and then the client sends a Host header to say what website it wants to connect to. But in order to establish the tunnel, the certificate must already have been selected to authenticate the server to the client. The Host: header has the website domain name in it, but the Host: header isn't sent until AFTER the TLS tunnel is established, including certificate selection. We have a chicken-and-egg situation.

How SNI solves this is that the website domain name is sent within the TLS negotiation, so that the webserver can choose the right certificate before the Host: header is selected.

If the SNI value is missing from the TLS negotiation, the webserver doesn't know which website is required, and doesn't know which certificate to use to authenticate with. In previous versions of Apache, the behaviour where the hostname was not available through SNI was insecure. A user who is permitted to access one vhost could leverage this lax SNI handling to access a different vhost that they aren't granted access to. I believe the patch locked this down, causing strict SNI behaviour by default. The end result is that in some configurations, SNI is now required.

Cheers
Jeremy
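
Added example, not part of the original thread and not code from Xymon or Apache: it builds real ClientHello messages offline with Python's ssl module, with and without a server name, and parses out the server_name extension to show that the hostname travels inside the TLS negotiation only when SNI is enabled. The strict_vhost_status function is a simplified model (an assumption) of the strict behaviour described above; the hostname is the one used in the thread.

```python
import ssl
import struct

def client_hello(server_hostname):
    """Return the ClientHello bytes a Python TLS client would send (no network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # permits server_hostname=None (no-SNI case)
    ctx.verify_mode = ssl.CERT_NONE   # handshake never completes; nothing to verify
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                          # expected: client now waits for ServerHello
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the server_name (SNI) value in a ClientHello, or None if absent."""
    body, pos = b"", 0
    while pos + 5 <= len(data):       # reassemble handshake (type 22) records
        rtype, _version, rlen = struct.unpack_from("!BHH", data, pos)
        if rtype == 22:
            body += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if not body or body[0] != 1:      # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                    # handshake header, legacy version, random
    p += 1 + body[p]                  # session_id
    p += 2 + struct.unpack_from("!H", body, p)[0]   # cipher_suites
    p += 1 + body[p]                  # compression_methods
    if p + 2 > len(body):
        return None                   # ClientHello without any extensions
    end = p + 2 + struct.unpack_from("!H", body, p)[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, p)
        p += 4
        if ext_type == 0:             # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack_from("!H", body, p + 3)[0]
            return body[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None

def strict_vhost_status(sni, host_header):
    """Simplified model (an assumption, not Apache's code) of strict SNI handling."""
    if sni is None or sni.lower() != host_header.lower():
        return 421                    # Misdirected Request
    return 200                        # request routed to the named vhost

def probe(hostname, send_sni):
    """Build a real ClientHello with or without SNI and apply the model to it."""
    hello = client_hello(hostname if send_sni else None)
    return strict_vhost_status(sni_from_client_hello(hello), hostname)

if __name__ == "__main__":
    for send_sni in (False, True):    # hostname taken from the thread
        print("SNI sent:", send_sni, "->", probe("dokuwiki.example.com", send_sni))
```

The same parser can be pointed at a ClientHello taken from a packet capture of the monitoring host to confirm whether a given probe is sending SNI.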
