From 1e0cd2e32dd55a18fb2dfe28d5e462aa124da930 Mon Sep 17 00:00:00 2001 From: David Baynard Date: Mon, 10 Mar 2025 10:41:24 +0000 Subject: [PATCH] docs: clarify Host header requirements wrt TLS The previous documentation was clear on handling http->https proxying, but not the other way round. They did not cover the case of proxying to a unix socket, either. There are special considerations when proxying to caddy in either of these cases, that should be mentioned. --- src/docs/markdown/caddyfile/directives/reverse_proxy.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/docs/markdown/caddyfile/directives/reverse_proxy.md b/src/docs/markdown/caddyfile/directives/reverse_proxy.md index 36a4750..2119982 100644 --- a/src/docs/markdown/caddyfile/directives/reverse_proxy.md +++ b/src/docs/markdown/caddyfile/directives/reverse_proxy.md @@ -487,6 +487,8 @@ reverse_proxy https://example.com { The `X-Forwarded-Host` header is still passed [by default](#defaults), so the upstream may still use that if it needs to know the original `Host` header value. +The same applies when terminating TLS in caddy and proxying via HTTP, whether to a port or a unix socket. Indeed, caddy itself must receive the correct Host, when it is the target of `reverse_proxy`. In the unix socket case, the `upstream_hostport` will be the socket path, and the Host must be set explicitly. + ## Rewrites