After upgrading Apache to version 2.4.65, you may encounter 421 Misdirected Request errors. This issue arises when the CDN or proxy in front of Apache is configured to connect by IP address instead of hostname.
If you use an AWS ALB (Application Load Balancer), it connects to backend targets using the target's IP address, not the hostname. The ALB's TLS ClientHello therefore has no valid SNI hostname, which causes Apache to reject the request when SSLStrictSNIVHostCheck is enabled.
“ALB by design does not forward SNI to backend targets over TLS connections. Since SAP Commerce Cloud receives no SNI from the ALB, it has no SNI to pass along when connecting to the Apache backend and the request got rejected with a 421 Misdirected Request.”
To address this, you might consider configuring the HTTP protocol in the Cloud Portal endpoint or accessing Apache directly via port 80, since HTTP has no TLS handshake and therefore no SNI check. However, this change leads to a 301 redirect loop, because the Apache server in SAP Commerce Cloud is configured to unconditionally redirect traffic on port 80 to HTTPS for security reasons. SAP Commerce Cloud enforces HTTPS to prevent plain HTTP connections, a policy driven by security considerations, which also motivated the Apache upgrade. Returning a 301 status is expected behavior in SAP Commerce Cloud.
In the /usr/local/apache2/conf/httpd.conf:
Redirect permanent https://xxx%{REQUEST_URI}
According to the document Communication Security, traffic to and from the public internet may use both HTTP and HTTPS. However, every time a request reaches port 80, Commerce automatically redirects it to port 443. This redirect ensures that data from an insecure custom endpoint reaches the Commerce database with an adequate layer of encryption and protects sensitive information from potential attacks.
By default, port 80 remains disabled, but you can choose to expose it for the environment using the “Port 80 exposed” checkbox; the HTTP link will then return 301 Moved Permanently. Disabling this option ensures that all incoming HTTP traffic is blocked (timeout refreshed), forcing secure communication over HTTPS. This setting applies only to public connections and does not affect VPN connectivity. In conclusion, SAP Commerce Cloud doesn't allow plain HTTP connections.
According to SAP's guidelines, rewriting in the Apache Virtual Host configuration is not permitted. Moreover, the default setting for SSLStrictSNIVHostCheck is off; refer to the Apache Module mod_ssl documentation.
Unfortunately, SAP Commerce Cloud can't provide HTTP connections or Apache rewrite features for specific situations, as these restrictions exist for security reasons.
From what we found, this issue is due to the AWS configuration. Your provider needs to make sure that any service placed in front of Commerce is compatible with our Apache requirements.
We don't have any configuration we can change on our end to use an IP address instead of a hostname.
It might be possible to add additional services in AWS that proxy the requests, so that the request that reaches Commerce uses an FQDN instead of an IP, but that configuration is out of our scope. The following link might be useful: Amazon AWS document.
To ensure a valid SSL handshake:
- Always connect using the hostname, not the raw IP.
- Ensure any intermediate system (e.g., WAF or monitoring tools) sends:
  - Host header
  - SNI (usually automatic if the hostname is used in the request)
Once connected via https://
- The correct certificate will be presented.
- SSL validation will succeed.
- The connection will align with SAP Commerce Cloud’s SNI-based TLS configuration.
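To confirm that a missing SNI is what triggers the 421, the following added example (not SAP or AWS tooling) connects to a backend IP twice, once with SNI set to the hostname and once with no SNI as an IP-only hop would, and compares the status codes. The function names are hypothetical, and the IP and hostname are supplied by the operator on the command line.

```python
import socket
import ssl
import sys

def build_request(hostname, path="/"):
    """Minimal HTTP/1.1 request whose Host header names the virtual host."""
    return (f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_status(raw):
    """Return the status code from a raw HTTP/1.x response, or None."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def probe(ip, hostname, send_sni, port=443, timeout=5.0):
    """Connect to the IP; send SNI=hostname, or no SNI at all."""
    ctx = ssl.create_default_context()
    if not send_sni:
        # Without SNI there is no name to verify against, so this leg is
        # diagnostic only and skips certificate validation.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        name = hostname if send_sni else None
        with ctx.wrap_socket(sock, server_hostname=name) as tls:
            tls.sendall(build_request(hostname))
            return parse_status(tls.recv(4096))

def diagnose(with_sni, without_sni):
    """Interpret the two status codes returned by probe()."""
    if with_sni == 421:
        return "421 even with SNI: check that this endpoint serves the hostname"
    if without_sni == 421:
        return "421 only without SNI: a hop in front of Apache connects by IP"
    return "no 421 on either leg: SNI is not the cause here"

if __name__ == "__main__":
    ip, hostname = sys.argv[1], sys.argv[2]  # supplied by the operator
    a, b = probe(ip, hostname, True), probe(ip, hostname, False)
    print(f"with SNI: {a}  without SNI: {b}\n{diagnose(a, b)}")
```

Both legs send the same Host header, so any difference in the result comes from the TLS handshake alone.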



