Description
What do I want?
It's currently possible to add headers after the response has been generated, and it looks like this:
"action": {
    "share": "/www/static/$uri",
    "response_headers": {
        "Cache-Control": "max-age=60, s-maxage=120",
        "CDN-Cache-Control": "max-age=600"
    }
}
I want to add request headers, such as Host and X-Forwarded-Proto, that would be passed to my application. I imagine that could look like this:
"action": {
    "pass": "applications/django",
    "request_headers": {
        "Host": "aiarena-test.net",
        "X-Forwarded-Proto": "https"
    }
}
Why do I want that? What's my actual use-case?
In an open-source project I'm helping maintain we're hosting our infrastructure behind an AWS load balancer. Our application code runs inside a docker container, and before the docker container can receive any traffic it must pass a load-balancer health-check.
The problem is that the health checker uses the container's IP address to access the container, and it also uses HTTP instead of HTTPS. So by default I'm just getting a 400 error because my application is configured to only work on a white-list of allowed hosts.
What I want to do is to trick the container into thinking it's being called from behind the load balancer, and that HTTPS was handled properly (as it is for all the production traffic it's going to receive).
Possible solutions for my problem without request header support
Here are the options I have considered. While they will solve my problem, I don't think these are optimal.
Allow traffic from any hostname, and disable the HTTPS redirect.
This would allow the healthcheck to proceed, but it sacrifices important security features.
Put Unit behind regular nginx
This would allow me to do something like this:
location ~ ^/health-check/?$ {
    include /etc/nginx/uwsgi_params;
    uwsgi_param HTTP_HOST aiarena-test.net;
    uwsgi_param HTTP_X_FORWARDED_PROTO https;
    uwsgi_pass aiarena-uwsgi:8311;
}
This solves the problem without creating security flaws, but it forces us to have multiple containers (1 nginx, 1 unit with django app). This is actually the setup I have on my work projects, and it's the one I'm trying to migrate from.
Modify the healthcheck to expect a 301 or a 400
While it's possible to do in AWS, and technically the healthcheck would pass, it would only check that the ALLOWED_HOSTS setting is working, and skip checking that the application itself is functional.
Summary
It would be very neat to modify the request headers before they're passed to the application, and that would allow me to migrate both my hobby project and my work projects to Nginx Unit.
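As an added example that is not part of this issue, the Unit project, or the author's setup: the same header rewrite the nginx `location` block performs can be done inside the application process with a small WSGI middleware, which keeps a single container while leaving the host allow-list and the HTTPS redirect enforced for every request that is not the health check. The health-check path `/health-check/` and the stand-in `demo_app` (which mimics Django's ALLOWED_HOSTS 400 and HTTPS-redirect 301 behaviour using the same headers Django consults) are assumptions; the hostname is the one from the example config above.

```python
"""Added example, not code from the issue or from NGINX Unit.

A WSGI middleware that rewrites Host and X-Forwarded-Proto only for the
load-balancer health-check path. Every other request still reaches the
application with the headers the client actually sent, so the host
allow-list and the HTTPS redirect keep protecting production traffic.
"""

HEALTH_CHECK_PATH = "/health-check/"        # assumed health-check route
CANONICAL_HOST = "aiarena-test.net"         # hostname from the issue's example
ALLOWED_HOSTS = {CANONICAL_HOST}            # stand-in for Django's ALLOWED_HOSTS


def demo_app(environ, start_response):
    """Stand-in for the Django application (constructed for this example).

    Reproduces the two behaviours the issue describes: 400 when the Host
    header is not on the allow-list, 301 to HTTPS when the request did not
    arrive over TLS (as signalled by X-Forwarded-Proto or the WSGI scheme).
    """
    host = environ.get("HTTP_HOST", "")
    if host.split(":")[0] not in ALLOWED_HOSTS:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"DisallowedHost"]
    proto = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme"))
    if proto != "https":
        location = f"https://{host}{environ.get('PATH_INFO', '/')}"
        start_response("301 Moved Permanently", [("Location", location)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


class HealthCheckHeaderRewrite:
    """Rewrite Host and X-Forwarded-Proto for exactly one path.

    The match is exact (trailing slash tolerated) on purpose: rewriting on a
    prefix or for all paths would let any plain-HTTP client with any Host
    header bypass the allow-list and the HTTPS redirect.
    """

    def __init__(self, app, path=HEALTH_CHECK_PATH, host=CANONICAL_HOST):
        self.app = app
        self.path = path.rstrip("/")
        self.host = host

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").rstrip("/") == self.path:
            environ = dict(environ)  # copy: never mutate the server's environ
            environ["HTTP_HOST"] = self.host
            environ["HTTP_X_FORWARDED_PROTO"] = "https"
        return self.app(environ, start_response)


def call(app, path, host, scheme="http", forwarded_proto=None):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "HTTP_HOST": host,
        "wsgi.url_scheme": scheme,
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


# The object a WSGI server such as Unit would be pointed at.
app = HealthCheckHeaderRewrite(demo_app)


if __name__ == "__main__":
    # Health checker: container IP as Host, plain HTTP -> passes.
    print(call(app, "/health-check/", "10.0.1.23"))
    # Same client on any other path -> still rejected by the allow-list.
    print(call(app, "/", "10.0.1.23"))
    # Correct host over plain HTTP -> still redirected to HTTPS.
    print(call(app, "/", CANONICAL_HOST))
    # Production traffic from the load balancer -> served.
    print(call(app, "/", CANONICAL_HOST, forwarded_proto="https"))
```

In a real Django deployment the equivalent of `demo_app` is the project's `get_wsgi_application()` object, the allow-list is `ALLOWED_HOSTS`, and `X-Forwarded-Proto` is only honoured when `SECURE_PROXY_SSL_HEADER` names it. The middleware is deliberately limited to one exact path because trusting a client-supplied `X-Forwarded-Proto` anywhere else would turn the HTTPS redirect into an opt-in check.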