Intended behavior for Host header in Proxy scenario
mdounin at mdounin.ru
Fri Nov 23 14:11:29 UTC 2018
On Fri, Nov 23, 2018 at 09:23:01AM +0100, Jack Henschel wrote:
> Hi Maxim,
> thanks for the quick confirmation!
> > The Host header is set to what you wrote in the "proxy_pass"
> > by default. That is, it will be "backend" with the above
> > configuration.
> Wouldn't it make more sense to use the hostname from the
> particular upstream server?
> I see two scenarios where this is required:
> 1. TLS secured upstream servers. TLS verification requires the
> correct Host header to be set (i.e. "a.example.com" instead of
> "backend"). Though I know there is the possibility of doing this
> (additionally) with TLS client certificates.
> 2. Upstream vhosts. Consider the scenario where multiple domains
> point to the same IP address, where the requests are split apart
> based on the Host header (I.e. virtual hosts)
> What do you think?
All servers listed in an upstream block are expected to be equal,
and expected to be able to process identical requests. You can
think of it as multiple A records in DNS, with slightly more
control on nginx side.
Moreover, nginx doesn't even know which particular server it will
use when it creates a request. And the same request can be sent
to multiple servers, as per proxy_next_upstream.
This does not preclude you from neither using TLS, nor vhosts on
upstream servers. But you shouldn't expect that names as written
within server directives in upstream blocks means anything and
will be used for anything but resolving these names to IP addresses.
More information about the nginx