Why is my nginx reverse proxy failing with ssl certificate hostname mismatch?
#1
I’ve been trying to set up a reverse proxy for my home server to handle a couple of subdomains, but I keep running into weird SSL certificate mismatches after the proxy passes the request to the backend service. The setup works fine over HTTP, but as soon as I enable HTTPS, the backend server throws errors about the wrong host header. I’m using Nginx, and I feel like I’m missing something simple in the proxy pass configuration.
#2
I had this exact issue when I terminated SSL at the Nginx proxy. The backend started complaining about the wrong host header after I turned on HTTPS. The fix that worked for me was to explicitly forward the original host to the upstream and keep the backend speaking HTTP to it. In practice I added in the location block:

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

And I kept proxy_pass http://backend_server; restarted Nginx, and the TLS cert errors went away.
#3
I tried that and for some subdomains it still complained. I experimented with setting the header to the backend's internal hostname (like backend.local) for those routes, and that made the app respond, but then other subdomains started showing the wrong site or redirects. It felt brittle, and I ended up leaving some routes as http in dev to avoid the mismatch while I sorted DNS.
#4
Are you terminating TLS at the proxy or is it end to end? If you terminate, it can flip how redirects and virtual hosts behave and sometimes your backend needs an explicit header to match its own vhost.
#5
I drifted into thinking maybe it’s not the header at all, and then I found a mismatch in the backend’s own vhost config, but that’s hard to pin down. I’d try validating with a quick curl from the proxy machine to the upstream to see what Host value it sends, and also check the backend logs for which host it saw. It’s easy to chase down but also easy to run in circles.
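The check suggested in #5 (find out which Host value the upstream actually receives) can be done with a throwaway header-echo upstream. This is an added example, not code from any post in this thread; the hostnames are constructed and the names `start_echo_upstream` and `probe` are made up for illustration.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers a TLS-terminating proxy is expected to forward (the set named in #2).
WATCHED = ("Host", "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto")


class EchoHandler(BaseHTTPRequestHandler):
    """Answers every GET with the routing headers it actually received."""

    def do_GET(self):
        seen = {name: self.headers.get(name) for name in WATCHED}
        body = json.dumps(seen).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the console quiet; the JSON body is the record


def start_echo_upstream(port=0):
    """Start the echo server on 127.0.0.1; port 0 picks a free port."""
    server = HTTPServer(("127.0.0.1", port), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, host_header, extra=None):
    """Send one request the way a proxy would; return what the upstream saw."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header, **(extra or {})})
    seen = json.loads(conn.getresponse().read())
    conn.close()
    return seen


if __name__ == "__main__":
    srv = start_echo_upstream()
    port = srv.server_address[1]
    # Constructed sample hostnames, not taken from the thread.
    print(probe(port, "app.example.test", {"X-Forwarded-Proto": "https"}))
    print(probe(port, "backend.local"))
    srv.shutdown()
```

To test a real route, temporarily point that route's proxy_pass at the port the echo server listens on and request each subdomain through Nginx. The JSON body shows the Host and X-Forwarded-* values that route delivers, and a missing header shows up as null.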

