X-Forwarded-Host
The originating host of a client request.
Fastly reads this header from requests and writes it into requests. It is defined by an external standard.
For VCL services, Fastly will add or append X-Forwarded-Host headers on incoming requests over TLS, as follows:
- The client
Hostheader – if the request protocol is TLS. - The
Hostheader from the edge – if the origin has a TLS configuration and shielding is enabled. - Even if client connection is TLS, unless the origin connection is over TLS, nothing will be added or appended at the shield.
Examples
| Shielding | Request Protocol | Origin Protocol | Client Header | X-Forwarded-Host | Note |
|---|---|---|---|---|---|
| No | TLS | TLS | No | example.global.ssl.fastly.net | Added at edge |
| No | No TLS | TLS | No | null | |
| No | TLS | TLS | Yes | Host1, example.global.ssl.fastly.net | Appended |
| No | No TLS | TLS | Yes | Host1 | Pass-through |
| No | TLS | No TLS | No | example.global.ssl.fastly.net | Added at edge |
| No | No TLS | No TLS | No | null | |
| No | TLS | No TLS | Yes | Host1, example.global.ssl.fastly.net | Appended |
| No | No TLS | No TLS | Yes | Host1 | Pass-through |
| Yes | TLS | TLS | No | example.global.ssl.fastly.net, example.global.ssl.fastly.net | Added at edge and shield |
| Yes | No TLS | TLS | No | example.global.ssl.fastly.net | Added at shield |
| Yes | TLS | TLS | Yes | Host1, example.global.ssl.fastly.net, example.global.ssl.fastly.net | Added at edge and shield |
| Yes | No TLS | TLS | Yes | Host1, example.global.ssl.fastly.net | Added at shield |
| Yes | TLS | No TLS | No | example.global.ssl.fastly.net | Added at edge |
| Yes | No TLS | No TLS | No | null | |
| Yes | TLS | No TLS | Yes | Host1, example.global.ssl.fastly.net | Added at edge |
| Yes | No TLS | No TLS | Yes | Host1 | Pass-through |
Overriding multiple entries
To set a single value for this header, add the following to vcl_miss and vcl_pass:
set bereq.http.X-Forwarded-Host = req.http.host;