fix(rustproxy-http): remove Host header from HTTP/2 upstream requests while preserving it for HTTP/1 retries

changelog.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 2026-03-12 - 25.10.7 - fix(rustproxy-http)
+remove Host header from HTTP/2 upstream requests while preserving it for HTTP/1 retries
+
+- strips the Host header before sending HTTP/2 upstream requests so :authority from the URI is used instead
+- avoids 400 responses from nginx caused by sending both Host and :authority headers
+- keeps a cloned header set for bodyless request retries so HTTP/1 fallback still retains the Host header
+
 ## 2026-03-12 - 25.10.6 - fix(rustproxy-http)
 use the requested domain as HTTP/2 authority instead of the backend host and port
 

rust/crates/rustproxy-http/src/proxy_service.rs

@@ -1091,6 +1091,10 @@ impl HttpProxyService {
             .method(method)
             .uri(&h2_uri);
 
+        // Remove Host header for H2 — :authority pseudo-header (from URI) is sufficient
+        let mut upstream_headers = upstream_headers;
+        upstream_headers.remove("host");
+
         if let Some(headers) = upstream_req.headers_mut() {
             *headers = upstream_headers;
         }
@@ -1131,7 +1135,7 @@ impl HttpProxyService {
         io: TokioIo<BackendStream>,
         parts: hyper::http::request::Parts,
         body: Incoming,
-        upstream_headers: hyper::HeaderMap,
+        mut upstream_headers: hyper::HeaderMap,
         upstream_path: &str,
         upstream: &crate::upstream_selector::UpstreamSelection,
         route: &rustproxy_config::RouteConfig,
@@ -1202,12 +1206,16 @@ impl HttpProxyService {
                 });
 
                 // Save retry state before consuming parts/body (for bodyless requests like GET)
+                // Clone BEFORE removing Host — H1 fallback needs Host header
                 let retry_state = if body.is_end_stream() {
                     Some((parts.method.clone(), upstream_headers.clone()))
                 } else {
                     None
                 };
 
+                // Remove Host header for H2 — :authority pseudo-header (from URI) is sufficient
+                upstream_headers.remove("host");
+
                 // Build and send the h2 request inline (don't register in pool yet —
                 // we need to verify the request actually succeeds first, because some
                 // backends advertise h2 via ALPN but don't speak the h2 binary protocol).
@@ -1474,6 +1482,11 @@ impl HttpProxyService {
             .method(parts.method)
             .uri(&h2_uri);
 
+        // Remove Host header for H2 — :authority pseudo-header (from URI) is sufficient
+        // Having both Host and :authority causes nginx to return 400
+        let mut upstream_headers = upstream_headers;
+        upstream_headers.remove("host");
+
         if let Some(headers) = upstream_req.headers_mut() {
             *headers = upstream_headers;
         }

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '25.10.6',
+  version: '25.10.7',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }