May 17, 2018

Web Servers and the Host Header

We see how the Host header is used by our web servers to decide which configured site to serve.

Since our web servers can be configured to serve multiple sites, one question we need to ask is "How does the web server know which site to serve?

Host Header

On the surface, all we see are:

  1. I put into my browser
  2. I setup a web server configuration with something like server_name (Nginx) or ServerName (Apache).

What might be less obvious is that the web server is actually using the Host header to grab the hostname and match against the configured Server Name.

In our browsers, the Host header is set automatically by using whatever we put into the URL bar.

In a curl request, no Host header is set unless we manually define one:

# Will serve the default site
curl localhost

# Will serve site with server name ""
curl -H "Host:" localhost

Default Sites

When an HTTP request has no Host header set, the web server needs to decide which site to server.

When there's no Host header, Nginx and Apache have slightly different behaviors when deciding which site to server.

In Apache, the first virtualhost configured will be the one that gets served. This is why we often see virtualhost configuration files numbered - so they're loaded into Apache in a specific order. The first one loaded (the first one we see on the file system in alphabetical order) will be the one used.

In Nginx, it will use which ever is marked as the default_server for the port being used (typically either port 80 or 443). If there is no default_server, then Nginx uses the first configuration that is loaded.

All Topics