Problem
After upgrading Terraform Enterprise (TFE) to version v202109-1 (565) or newer, existing requests to TFE, such as VCS webhooks or API calls from automation scripts, may fail with an HTTP 301 Moved Permanently response.
The response body will be similar to the following output.
HTTP/1.1 301 Moved Permanently Location: <tfe_hostname>
Cause
This behavior is caused by a security fix introduced in TFE release v202109-1 (565).
Mitigated a potential Host header injection vulnerability.
With this fix, TFE strictly validates that the Host header of an incoming request matches the configured TFE hostname. If the Host header does not match, TFE rejects the request and responds with an HTTP 301 redirect to the correct hostname.
Solution
To resolve this issue, you must modify the client, script, or proxy that sends requests to TFE to include the correct Host header.
The Host header value must exactly match the hostname configured for your TFE instance.
For example, when using curl to make an API call, include the header explicitly.
$ curl \ --header "Host: <tfe_hostname>" \ --header "Authorization: Bearer $TOKEN" \ https://<tfe_ip_address>/api/v2/organizations
Ensure any intermediate proxies are also configured to preserve or set the correct Host header when forwarding requests to the TFE instance.
Additional Information
For more details on TFE configuration, please refer to the official Terraform Enterprise networking documentation.