Intended behavior for Host header in Proxy scenario

Maxim Dounin mdounin at
Fri Nov 23 14:11:29 UTC 2018


On Fri, Nov 23, 2018 at 09:23:01AM +0100, Jack Henschel wrote:

> Hi Maxim,
> thanks for the quick confirmation!
> > The Host header is set to what you wrote in the "proxy_pass" 
> > by  default.  That is, it will be "backend" with the above 
> > configuration.
> Wouldn't it make more sense to use the hostname from the 
> particular upstream server?
> I see two scenarios where this is required:
> 1. TLS secured upstream servers. TLS verification requires the 
> correct Host header to be set (i.e. "" instead of 
> "backend"). Though I know there is the possibility of doing this 
> (additionally) with TLS client certificates.
> 2. Upstream vhosts. Consider the scenario where multiple domains 
> point to the same IP address, where the requests are split apart 
> based on the Host header (I.e. virtual hosts)
> What do you think?

All servers listed in an upstream block are expected to be equal, 
and expected to be able to process identical requests.  You can 
think of it as multiple A records in DNS, with slightly more 
control on nginx side.

Moreover, nginx doesn't even know which particular server it will 
use when it creates a request.  And the same request can be sent 
to multiple servers, as per proxy_next_upstream.

This does not preclude you from neither using TLS, nor vhosts on 
upstream servers.  But you shouldn't expect that names as written 
within server directives in upstream blocks means anything and 
will be used for anything but resolving these names to IP addresses.

Maxim Dounin

More information about the nginx mailing list