The Forward Host Header must match

In the Edge server to the origin connection, the Edge server checks that the origin certificate’s Subject Alternative Name (SAN) list—or the Common Name (CN) if a SAN list is not present—matches the hostname that is sent in the Host header. You use the Forward Host Header option to define the hostname that's used.



The Forward Host Header can be set in one of three ways.

  • Incoming Host Header (Default): When selected, what you've set as the Hostname in the Property hostname to Edge hostname association is used. (This is typically the end-user-facing hostname for your site or app, and it's used in the first connection in a request—the connection between the client and Akamai Edge servers.) This is a generic option that varies with the Hostname received in the request. For example, a client request for your website at www.mymedia.com sends www.mymedia.com in the Host header to the origin.
  • Origin Hostname: When selected, what's set as the Origin Server Hostname is sent in the request to the origin. Select this option if your origin has been configured to listen for this specific value. For example, assume your origin's hostname is "[1]hkeh1g76-www.mymedia.com" (and, this is what you've defined in the Origin Server Hostname field). A client request for your website at www.mymedia.com sends [1]hkeh1g76-www.mymedia.com in the Host header to the origin.
  • Custom Value: Select this option if you want a custom value sent in the Host header to the origin. Use the accompanying Custom Forward Host Header field to define the appropriate value. This applies if you've configured your origin to listen for a hostname other than what was included in the Host header in the incoming request, or what you set up as its assigned Origin Server Hostname. For example, an end-user request for www.mymedia.com could send www.mymedia.com.akamaized.net in the Host header to the origin.

The origin hostname must be in the origin certificate

Regardless of the method you use to define the Forward Host Header, the value set for it must exist as a SAN (or the CN) in the origin certificate. If it doesn't, the Edge server will not trust the origin certificate.
Note: The Custom Value option allows you to provide multiple entries. At least one of these values must exist as a SAN in the origin certificate.

You can use wildcards, but only in the origin certificate

The asterisk (*) is seen as a wildcard in the SAN list in an origin certificate. For example, if the Edge server was checking for www.mysite.com, and the SAN list included *.mysite.com in its SAN list, the certificate is trusted.

When specifying the Forward Host Header hostname in your property, you can include asterisk (*) characters, but they are treated as literal characters, and not wildcards. Below are some examples.

  • The origin server certificate is trusted: If you configure the Forward Host Header to use *.mysite.com, and you've included *.mysite.com in the SAN list in the origin certificate.
  • The origin server certificate is not trusted: If you configured the Forward Host Header to use *.mysite.com, and the SAN list in the origin certificate only includes www.mysite.com.