My service is *********** (*************). This is a question about version #14 -> #15 of my configuration.
In Version #14 I've got it set up correctly to serve from my S3 bucket via S3's HTTPS REST API (following https://docs.fastly.com/guides/integrations/amazon-s3).
The important part of this setup is that inside the #--FASTLY RECV BEGIN section I've got the lines:
set req.http.Fastly-Orig-Host = req.http.host;
set req.http.host = "*************.s3.amazonaws.com";
I use req.http.Fastly-Orig-Host to do some regex-based path redirects within the bucket that you can see further down in the vcl_recv section. (e.g., redirect https://ltd-keeper.lsst.io/v/main/index.html to /ltd-keeper/v/main/index.html inside my S3 bucket.)
Today I tried to force TLS connections to my sites following https://docs.fastly.com/guides/securing-communications/allowing-only-tls-connections-to-your-site#
I tried this in version #15 of my service config.
The problem with the VCL in #15 is that I lose the req.http.Fastly-Orig-Host header setting.
The net result is that, with my config version #15, when a person visits "http://ltd-keeper.lsst.io" they are redirected to "https://ltd-keeper.lsst.io", but then all of my URL re-write rules break because req.http.Fastly-Orig-Host does not exist.
What do you think is the correct way to implement forced TLS? Is turning on custom VCL the right thing to do at this point?