Overview
In some cases, enabling BitNinja WAF Pro may result in websites returning the following error:
400 Bad Request
The plain HTTP request was sent to HTTPS port
This issue can occur when the SSL Termination component of BitNinja does not shut down properly, leaving stale listener processes running.
In rarer cases, users have reported a different symptom: instead of the 400 error, all hosted domains begin serving the default Plesk SSL certificate rather than their assigned certificates. This causes SSL certificate mismatch warnings across all websites. Although the symptoms differ, the underlying cause appears to be related, and the resolution steps in this guide can be used for both scenarios.
Root Cause
During the startup sequence of WAF Pro, the SSL Termination worker should stop gracefully before new listeners are created by the WAF Pro module.
In certain situations, the existing bitninja-ssl-termination process does not terminate successfully and remains running. As a result, stale listeners may remain bound to internal ports.
Example:
sudo lsof -i -P -n | grep LISTEN
Part of the above command output:
bitninja-ssl-termination ... TCP *:60413 (LISTEN)
bitninja-ssl-termination ... TCP *:60414 (LISTEN)
bitninja-ssl-termination ... TCP 127.0.0.1:61936 (LISTEN)
bitninja-ssl-termination ... TCP *:60415 (LISTEN)
bitninja-ssl-termination ... TCP *:60418 (LISTEN)
These leftover listeners can interfere with normal HTTPS traffic handling and trigger the HTTP-to-HTTPS port mismatch error.
How to Verify
Check the BitNinja log at /var/log/bitninja/main.log for SSL Termination shutdown messages.
Example:
[info] 2026-06-24 14:55:17 - Initiating graceful shutdown for process [WorkerSslTerminating:189329]
[warn] 2026-06-24 14:55:27 - Process [WorkerSslTerminating:189329] did not stop in time. Sending SIGKILL.
The warning indicates that the SSL Termination worker failed to stop gracefully within the expected timeout period.
Resolution
Option 1 – Restart BitNinja
The recommended solution is to restart BitNinja:
service bitninja restart
After the restart, verify that the websites are accessible and the error is no longer present.
Option 2 – Manually Terminate the Stuck Process
If a full BitNinja restart does not fix the issue, identify the stuck bitninja-ssl-termination process and terminate it manually:
ps aux | grep bitninja-ssl-termination
Then kill the affected process:
kill -9 <PID>
Replace <PID> with the actual process ID.
After terminating the process, verify that the stale listeners have been removed:
sudo lsof -i -P -n | grep LISTEN
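The log check from "How to Verify" and the listener check above can be combined into a few small filters. This is an added example, not part of BitNinja or of the original guide; the function names, the sample PID 4242 and the lsof rows are constructed, and it assumes the log line format shown earlier.

```shell
#!/bin/sh
# Added example, not BitNinja tooling. Sample data is constructed: the log
# lines follow the format shown above, the lsof rows use a made-up PID.

# stdin: main.log. Prints "DATE TIME ID" for every SSL Termination worker
# that had to be SIGKILLed (ID is the number after "WorkerSslTerminating:").
forced_kills() {
    sed -n 's/^\[warn] \([0-9-]* [0-9:]*\) - Process \[WorkerSslTerminating:\([0-9]*\)] did not stop in time.*/\1 \2/p'
}

# stdin: output of `lsof +c 0 -i -P -n`. Prints "PID ADDRESS" per listener
# still held by the SSL Termination binary. Prefix match, because lsof can
# shorten the COMMAND column.
stale_listeners() {
    awk '$1 ~ /^bitninja-ssl/ && $NF == "(LISTEN)" { print $2, $(NF-1) }'
}

# stdin: same lsof output. Prints each owning PID once (the <PID> to inspect).
stale_pids() {
    stale_listeners | awk '{ print $1 }' | sort -u
}

sample_log() { cat <<'EOF'
[info] 2026-06-24 14:55:17 - Initiating graceful shutdown for process [WorkerSslTerminating:189329]
[warn] 2026-06-24 14:55:27 - Process [WorkerSslTerminating:189329] did not stop in time. Sending SIGKILL.
EOF
}

sample_lsof() { cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bitninja-ssl-te 4242 root 7u IPv4 111111 0t0 TCP *:60413 (LISTEN)
bitninja-ssl-te 4242 root 8u IPv4 111112 0t0 TCP 127.0.0.1:61936 (LISTEN)
sshd 900 root 3u IPv4 22222 0t0 TCP *:22 (LISTEN)
EOF
}

# On a live server:
#   forced_kills < /var/log/bitninja/main.log
#   sudo lsof +c 0 -i -P -n | stale_pids
sample_log | forced_kills
sample_lsof | stale_listeners
```

An empty result from stale_listeners after the restart or the manual kill means no leftover listeners remain.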
Additional Notes
Since BitNinja 3.16.0 relies exclusively on the Caddy-based WAF Pro implementation, the legacy ProxyFilter and SSLTerminating services are no longer part of the supported architecture. As a result, issues related specifically to the old NGINX/HAProxy-based WAF stack are expected to disappear as environments transition fully to the new WAF Pro solution.
Why Was the Legacy WAF Removed?
The decision to retire the previous architecture was made to simplify the traffic processing chain and improve overall reliability and performance.
Benefits of the new WAF Pro architecture include:
- Improved request processing performance
- Reduced resource consumption
- Simpler and more maintainable architecture
- Fewer moving parts and service dependencies
- Better SSL/TLS handling
- Faster deployment and configuration updates
- Improved long-term maintainability and feature development
