Allow modification of the HTTP "Host" header

Per: Hide real URL from origin

I would like the ability to modify the host header in something like the following image:

Currently, the following error is given:
'set' is not a valid value for operation because it cannot be used on header 'Host'
'set' is not a valid value for operation because it cannot be used on header 'host'

This can be used to hide the real URL from the origin server, in order to fetch the files of a different URL without having to memorize a different subdomain name.

Given that it’s currently an Enterprise feature, I think it’s unlikely to come to Transform Rules - with it being an easily abused feature too.

You can use resolveOverride in Workers as long as the origins you’re pointing to are a part of your account.

  • Directs the request to an alternate origin server by overriding the DNS lookup. The value of resolveOverride specifies an alternate hostname which will be used when determining the origin IP address, instead of using the hostname specified in the URL. The Host header of the request will still match what is in the URL. Thus, resolveOverride allows a request to be sent to a different server than the URL / Host header specifies. However, resolveOverride will only take effect if both the URL host and the host specified by resolveOverride are within your zone. If either specifies a host from a different zone / domain, then the option will be ignored for security reasons. If you need to direct a request to a host outside your zone (while keeping the Host header pointing within your zone), first create a CNAME record within your zone pointing to the outside host, and then set resolveOverride to point at the CNAME record. Note that, for security reasons, it is not possible to set the Host header to specify a host outside of your zone unless the request is actually being sent to that host.
1 Like

Um, thanks for the explanation of how to do it, but you lost me at “overriding the DNS lookup”.

I am more of a frontend/backend person, not a server configuration and DNS person.

I don’t think resolveOverride applies here (in the original post) because both hostnames are at the same IP address.

They only need the Host header.

1 Like

So is there a different way I could go about doing this?

That is a very good point. :sweat_smile:

I think Workers are the best bet, in the absence of Host header modification. Think of Workers as code running on any other server, it can be put “on top” of example.com, fetch example.org and return the content of example.org when people request example.com.

You’d put the Worker on domain 1, have it fetch domain 2 and then you can return the website of domain 2 on domain 1.

3 Likes

As long as it’s just GET requests, that should work.

The part that always trips me up is when the source hardcodes the full URL, which does not seem to be uncommon.

1 Like

Looking into that a bit, it would not work since I need to be able to use POST requests to authenticate with the subdomain.

You can just remove the GET part if you want - Workers are insanely flexible and can act as a completely transparent reverse proxy.

i.e. if you want example.com/foo to go to example.org/foo then you can just…

export default {
	async fetch(request) {
		const proxyDomain = "example.org";

		const url = new URL(request.url);
		url.hostname = proxyDomain;

		return await fetch(url.toString(), request);
	},
};
1 Like
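
An added example, not code from any poster in this thread or from Cloudflare: the same Worker proxy, extended to handle one case of the "source hardcodes the full URL" problem raised earlier, namely redirects whose Location header names the upstream host. The helper names (toUpstreamUrl, rewriteLocation) are hypothetical, example.org is the placeholder from the post above, and hardcoded URLs inside response bodies or cookie domains are not covered.

```javascript
// Added example. UPSTREAM_HOST is the placeholder from the post above;
// that the upstream redirects to its own hostname is an assumption.
const UPSTREAM_HOST = "example.org";

// Map the public request URL onto the upstream host, keeping path and query.
function toUpstreamUrl(requestUrl, upstreamHost) {
  const url = new URL(requestUrl);
  url.hostname = upstreamHost;
  return url;
}

// Rewrite a redirect target that hardcodes the upstream host so the client
// stays on the public host. Relative and third-party targets pass through.
function rewriteLocation(location, upstreamHost, publicHost) {
  let target;
  try {
    target = new URL(location);
  } catch {
    return location; // relative redirect: already resolves against the public host
  }
  if (target.hostname !== upstreamHost) return location;
  target.hostname = publicHost;
  return target.toString();
}

const worker = {
  async fetch(request) {
    const publicHost = new URL(request.url).hostname;
    const upstreamUrl = toUpstreamUrl(request.url, UPSTREAM_HOST);

    // Passing the original request keeps method, headers and body (so POST works).
    // redirect: "manual" hands 3xx responses back to us instead of following them.
    const upstreamRequest = new Request(upstreamUrl.toString(), request);
    const upstream = await fetch(upstreamRequest, { redirect: "manual" });

    const location = upstream.headers.get("Location");
    if (location === null) return upstream;

    // Headers on a fetched response are immutable, so copy before editing.
    const response = new Response(upstream.body, upstream);
    response.headers.set("Location", rewriteLocation(location, UPSTREAM_HOST, publicHost));
    return response;
  },
};
// In a Worker module this object is the default export: export default worker;
```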