I'm trying to use Nginx as a reverse proxy and the upstream server is an ASP.NET Core application where I've registered the ForwardedHeadersMiddleware, which will read three different X-Forwarded-* headers:
X-Forwarded-ForX-Forwarded-ProtoX-Forwarded-Host
Now, I understand the first two, but find the last one (X-Forwarded-Host) confusing. It seems to me that effectively this has the same effect as just having the proxy rewrite the Host header, and I've seen Nginx reverse proxy configurations doing exactly that, like so:
location / {
proxy_pass http://app;
proxy_set_header Host $host;
}
But then I've also seen the X-Forwarded-Host being used instead:
location / {
proxy_pass http://app;
proxy_set_header X-Forwarded-Host $host;
}
In some cases both are used at the same time — which makes zero sense to me:
location / {
proxy_pass http://app;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
}
I'm not sure what I should do. Why would you use both at the same time? Isn't it more idiomatic (or more "correct") to use X-Forwarded-Host (if your upstream server supports it) than rewriting Host? Changing Host feels like a hack to me. I've noticed that the result in my ASP.NET Core app will be the same regardless of whether I set Host or X-Forwarded-Host (or both), in either case, HttpContext.Request.Host is set to the expected value — provided that the forwarded headers middleware is registered, of course.
To my surprise, I couldn't find any relevant information on this issue by googling, so I had to ask this here. What is the right approach to take in this situation?
