Not possible to override the Host header on Workers requests

Hi @dan42,

It occurred to me that you might be trying to set up a request that is routed to an IP address based on one hostname, but reports a different hostname in the Host header. This might make sense, for example, to reroute some requests to a test server that is configured exactly the same as the original server, so it expects the same Host header.

Unfortunately, we can’t allow you to specify a Host header that is inconsistent with the routing for security reasons: Many Cloudflare customers protect their origin by whitelisting Cloudflare’s IP address, using authenticated origin pulls, or other ways, and they rely on the Host header to prove that Cloudflare executed the security settings for their site.

However, now that I think of it, the attack scenario I’m thinking of requires the attacker to override a Host header to specify the victim’s zone. I believe we could safely allow you to override the Host header as long as the overridden value identifies a zone you control. Or, a different way of thinking about this is, we could allow you to override your origin’s DNS configuration for a single request. We will look into this.

2 Likes
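The rule proposed in the post above (accept a Host override only when it names a zone the requesting account controls) can be sketched as follows. This is an added example, not Cloudflare's code and not part of the original post; the function names and zone list are hypothetical, and "control" is assumed to mean the hostname equals or falls under a zone in the account's list.

```javascript
// Added illustration: all names and sample zones here are hypothetical.

// Normalize a Host header value: lowercase, drop the port and trailing dot,
// and reject anything that is not a plain DNS hostname.
function normalizeHost(value) {
  if (typeof value !== "string" || value.length > 260) return null;
  const host = value.trim().toLowerCase()
    .replace(/:\d{1,5}$/, "")   // optional :port
    .replace(/\.$/, "");        // optional trailing root dot
  const labelOk = (l) => /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(l);
  return host.split(".").every(labelOk) ? host : null;
}

// True when host is the zone itself or a subdomain on a label boundary,
// so "evilexample.com" does not match the zone "example.com".
function inZone(host, zone) {
  return host === zone || host.endsWith("." + zone);
}

// Decide whether a requested Host override may be applied for this account.
function checkHostOverride(requestedHost, accountZones) {
  const host = normalizeHost(requestedHost);
  if (host === null) return { allowed: false, reason: "malformed host" };
  const zones = accountZones.map(normalizeHost).filter((z) => z !== null);
  const zone = zones.find((z) => inZone(host, z));
  return zone
    ? { allowed: true, host, zone }
    : { allowed: false, reason: "host is not in a zone owned by this account" };
}

// Constructed sample data: zones owned by the account making the request.
const myZones = ["example.com", "shop.example.net"];
const samples = [
  "test.example.com",        // subdomain of an owned zone
  "EXAMPLE.com:8443",        // owned zone, mixed case with port
  "victim.example.org",      // someone else's zone
  "evilexample.com",         // suffix match without a label boundary
  "example.com.other.test",  // owned zone used as a prefix only
];
for (const h of samples) {
  console.log(h, JSON.stringify(checkHostOverride(h, myZones)));
}
```

The label-boundary comparison and the strict hostname parse are the parts that matter: a plain substring or suffix test would let a foreign zone pass as one of your own.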