# Debian 12 HTTP/2 proxy templates return 421 Misdirected Request
## Summary
On a fresh upgrade or install of myVesta on Debian 12, every HTTPS site proxied by nginx to Apache returns `421 Misdirected Request` once HTTP/2 is enabled. The stock nginx SSL templates shipped with myVesta do not forward the original `Host` header or Server Name Indication (SNI) to Apache, so Apache 2.4.62 (the default in Debian 12/bookworm) rejects the traffic.
## Environment
- Debian 12.12 (bookworm)
- myVesta 0.9.9 (upgraded from 0.9.8 via `v-update-myvesta`)
- nginx 1.22 as reverse proxy
- Apache 2.4.62 serving upstream on ports 8080/8443
- myVesta upgrade script from viewtopic.php?f=28&t=877 (enables HTTP/2 in templates)
## Steps to Reproduce
1. Install myVesta on Debian 11, then run the official upgrade script above to move to Debian 12 (or install myVesta directly on Debian 12 and enable HTTP/2 for nginx SSL templates).
2. Create or rebuild any web domain that uses a proxy template (`hosting`, `force-https`, `hosting-webmail-phpmyadmin`, etc.).
3. Open the site via HTTPS.
## Observed Behaviour
- Browser shows `421 Misdirected Request` for every HTTPS vhost that goes through nginx → Apache.
- Access log on nginx shows the request, but Apache rejects it because the TLS connection is reused with the backend IP/SNI instead of the real hostname.
- No myVesta rebuild or cache purge resolves the issue.
## Root Cause
- Debian 12 ships Apache 2.4.62 with stronger HTTP/2 coalescing protections. When Apache receives a reused TLS connection whose SNI does not match the requested vhost, it responds with 421.
- The myVesta nginx SSL templates only call `proxy_pass https://%ip%:%web_ssl_port%;` and never forward `Host`, `X-Forwarded-*`, or enable `proxy_ssl_server_name` / `proxy_ssl_name`.
- The upgrade script enables `ssl http2` in all SSL templates, which makes TLS connection reuse immediate, exposing the missing headers.
## Workaround / Fix
Update every nginx SSL template that proxies to Apache and add the missing directives immediately after each `proxy_pass` statement (including nested `/webmail`, `/phpmyadmin`, and fallback blocks):
```
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_ssl_server_name on;
proxy_ssl_name $host;
```
The affected templates are:
- `hosting.stpl`
- `hosting-legacy.stpl`
- `hosting-public.stpl`
- `hosting-webmail-phpmyadmin.stpl`
- `private-hosting.stpl`
- `private-force-https.stpl`
- `force-https.stpl`
- `force-https-public.stpl`
- `force-https-webmail-phpmyadmin.stpl`
- `force-https-legacy.stpl`
- `caching.stpl`
- `default.stpl`
After applying the change, run `v-rebuild-web-domains <user> yes` (or per-domain rebuilds) and reload nginx. HTTPS starts working immediately without 421 responses.
## Additional Notes
- The same directives are already part of many reverse-proxy best practices and are required for proper HTTP/2 → HTTP/1.1 bridging on modern Apache versions.
- Users who upgraded before the fix may have patched their live vhost files manually. Without updating the templates, a subsequent rebuild will reintroduce the bug.
- No template changes are required for pure nginx+PHP-FPM templates under `nginx/php-fpm/` or the Apache PHP-FPM templates (`apache2/PHP-FPM-*`).
# Debian 12 HTTP/2 proxy templates return 421 Misdirected Request
hey,
I couldn’t find a public fix yet, but this kind of issue often comes down to permissions, corrupted configs, or version mismatches. try checking /usr/local/vesta logs and ensure file ownership and permissions are correct. If you tell me the exact error message or behavior (login failed? UI broken? services down?), I’ll help you narrow it down.
I couldn’t find a public fix yet, but this kind of issue often comes down to permissions, corrupted configs, or version mismatches. try checking /usr/local/vesta logs and ensure file ownership and permissions are correct. If you tell me the exact error message or behavior (login failed? UI broken? services down?), I’ll help you narrow it down.
I wrote a script to patch the template files and fix nginx proxy. If people would like I can provide a link so that people can download the script. I also have the commands to add to Nginx Proxy Manager (also working on a script so you can easily export all of your settings from there in case you need to migrate to another server) if you want to run that in front of multiple servers so it works correctly. If people are interested please let me know and I will provide the link.