sni hostname and request Host header mismatch

Francis Daly francis at
Thu Oct 11 07:07:47 UTC 2018

On Wed, Oct 10, 2018 at 05:11:40PM -0700, Frank Liu wrote:

Hi there,

> indicates the check is only done
> for the 2-way SSL virtual host.
> Has everything been added (maybe through a directive) for 1-way SSL since
> then?

$ssl_server_name is the name from SNI.

$http_host is the Host: header.

$host is the host from the request (which usually should be absent),
or the host from the Host: header (which usually should be present),
or the (first) server_name of the matched server.

I think that there is not an extra directive; but you can manipulate
and compare those variables as is appropriate for your situation.

Specifically: in an SNI-only server, if $host is not the same as
$ssl_server_name, something funny is going on.

Francis Daly        francis at

More information about the nginx mailing list