Proxy_params by default blocks reverse proxy for HTTP/3

DorianCoding · September 12, 2025, 8:37am

Please use this template for troubleshooting questions.

My issue:

By default, proxy_params sent $http_host to proxy servers and not $host. However only HTTP/1 and HTTP/1.1 is available as proxy_pass.

How I encountered the problem:

If you use HTTP/3 in NGINX, there is no more Host: header in the request, as it is dealed during the TLS handshake. Therefore, proxies does not get Host: header which is however a requirement of HTTP/1.1 and reject with a 400 header Bad request without any logs.

Solutions I’ve tried:

The use by default of $host in proxy_params would solve or a specific param to set it only for HTTP/3.

Version of NGINX or NGINX adjacent software (e.g. NGINX Gateway Fabric): Nginx Debian 1.28.0

Deployment environment:

Minimal NGINX config to reproduce your issue (preferably running on https://tech-playground.com/playgrounds/nginx for ease of debugging, and if not as a code block):

Default nginx with a HTTP/3 enabled and HTTP/1.1 proxy_pass. Could not test on tech-playground as a certificate is compulsory.

Thank you.

alessandro · October 2, 2025, 10:25pm

Hi @DorianCoding!

Your overall assessment is correct, but I am not entirely sure what you mean by proxy_params. Is that a file contained in your NGINX installation? If so, could you share the contents of the file and let us know where did you install NGINX from? There might be nothing we can tweak on our end to solve this issue

liam · October 3, 2025, 8:35am

Two possible solutions:

Use server_name to define the $host variable
Use the hostname from TLS ($ssl_server_name)

If you need something conditional based on HTTP version then

map $http3 $hostbyver {
    "" $host;
    default $ssl_server_name; # For HTTP/3 request, obtain from TLS handshake
}

server {
    listen …;
    location / {
        proxy_pass …;
        proxy_set_header Host $hostbyver;
    }
}

DorianCoding · October 3, 2025, 9:52am

Proxy_params is the default file from Debian package:

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Changing $http_host to $host solves the problem. I think @liam solution could work as well, but maybe is more or less the same as $host. My question is also: why it is not implemented by default as nginx provides HTTP/3 on stable?

liam · October 3, 2025, 10:25am

Your complaint is with Debian. They are packaging NGINX with opinionated params.

From the docs Module ngx_http_proxy_module

An unchanged “Host” request header field can be passed like this:
proxy_set_header Host $http_host;
However, if this field is not present in a client request header then nothing will be passed. In such a case it is better to use the $host variable - its value equals the server name in the “Host” request header field or the primary server name if this field is not present:
proxy_set_header Host $host;

system · October 17, 2025, 6:44pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Nginx Proxy Pass Works on HTTP but Fails on HTTPS Until proxy_set_header Host Added NGINX reverse-proxy	6	207	December 31, 2025
HTTP type for local reverse proxy General Discussion reverse-proxy , http , http2 , http3 , best-practices	4	430	July 23, 2025
Can't set up precompressed brotli or http3 NGINX ssl , config , web-server , http3	4	90	October 12, 2025
Debian 13 Nginx 1.29.3 add_header don't show up on html page NGINX http3	7	65	January 4, 2026
Sporadic slow HTTP3 loads, connection errors with HTTP3 on subdomains NGINX web-server , reverse-proxy	0	16	February 10, 2026

Proxy_params by default blocks reverse proxy for HTTP/3

Related topics