The Cequence Unified API Protection (UAP) platform routes traffic through Cequence Defender using the HTTP HOST header to identify the correct upstream destination. In many modern deployment environments, particularly serverless platforms, intermediate infrastructure consumes or rewrites the HOST header before traffic reaches Cequence Defender, which breaks standard upstream resolution. The same issue arises in multi-tenant environments where a single Cequence Defender instance must route requests to different backends depending on the originating application or service.
When standard HOST-header routing is not viable, the Cequence UAP platform supports three alternate upstream routing methods that enable you to direct traffic based on environment variables, custom headers, or dynamically resolved origin values. Choose the method that fits your infrastructure constraints.
Default upstream
In this configuration, Cequence Defender always forwards traffic to a single, preconfigured upstream for each protocol. Use this method in environments where all traffic for a given protocol routes to one backend regardless of request origin.
- A single upstream for each protocol (HTTP/HTTPS)
- Environment variables used:
HTTP_UPSTREAM_SERVER,HTTPS_UPSTREAM_SERVER - Optionally, the
USE_UPSTREAM_SERVER_AS_HOST_HDRvariable sends the upstream server name as the HOST header
Alternate host header
In this configuration, Cequence Defender routes traffic based on a user-specified alternate header rather than the HOST header. Use this method when your infrastructure preserves a custom header that carries the intended destination, such as X-Forwarded-Host. When an alternate header is configured and the expected header is absent from a request, Cequence Defender returns a 400 error to the client.
Configuration
Set a value for the ALTERNATE_HOST_HEADER environment variable, as in the example ALTERNATE_HOST_HEADER=X-Forwarded-Host.
Alternate origin header
In this configuration, Cequence Defender resolves the upstream destination dynamically at runtime by reading a domain value from a specified request header. Use this method in environments where the target origin varies per request and cannot be preconfigured statically. A DNS resolver must be configured for this method to operate; without one, the feature is disabled.
Configuration
ALTERNATE_ORIGIN_HEADER: Header that contains the target domainRESOLVER: DNS resolver for domain lookup
Key configuration notes
- Set
USE_ALT_ORIGIN_AS_PROXY_NAME=trueto use theALTERNATE_ORIGIN_HEADERvalue as both the Host header and SNI hostname for upstream connections. - Header values must be valid, resolvable domain names.
Error conditions
- Missing alternate host header: 400 error
- Invalid domain in alternate origin header: 5xx error
- Missing resolver configuration: Feature disabled