diff --git a/site-modules/profile/files/varnish/early_vcl_recv.vcl b/site-modules/profile/files/varnish/early_vcl_recv.vcl
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/files/varnish/early_vcl_recv.vcl
@@ -0,0 +1,13 @@
+# 00_early_vcl_recv.vcl
+#
+# Do early manglement of the host header to simplify its future handling
+#
+# File managed by puppet. All modifications will be lost.
+
+sub vcl_recv {
+ # Keep original Host header in X-Swh-Original-Host.
+ set req.http.x-swh-original-host = req.http.host;
+
+ # Set Host header to lower case and trim trailing port number.
+ set req.http.host = regsub(req.http.host.lower(), ":[0-9]+$", "");
+}
diff --git a/site-modules/profile/manifests/varnish.pp b/site-modules/profile/manifests/varnish.pp
--- a/site-modules/profile/manifests/varnish.pp
+++ b/site-modules/profile/manifests/varnish.pp
@@ -84,6 +84,11 @@ order => '00', } + ::profile::varnish::vcl_include {'early_vcl_recv': + order => '00', + content => file('profile/varnish/early_vcl_recv.vcl'), + } + ::profile::varnish::vcl_include {'synth_redirect': order => '10', content => file('profile/varnish/synth_redirect.vcl'),
diff --git a/site-modules/profile/templates/varnish/vhost.vcl.erb b/site-modules/profile/templates/varnish/vhost.vcl.erb
--- a/site-modules/profile/templates/varnish/vhost.vcl.erb
+++ b/site-modules/profile/templates/varnish/vhost.vcl.erb
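Review bot: In early_vcl_recv.vcl the new `X-Swh-Original-Host` request header carries the raw, client-supplied Host value, and nothing in the hunk says how it may be used. Unless a later include unsets it, it would normally travel to the backend with the rest of the request, so anything that reads it for routing or URL building would be trusting unvalidated input. I would document that next to the assignment, e.g. `# Raw client value, kept for logging/debugging only; never use it for routing or to build URLs.`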
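Review bot: The new `early_vcl_recv` include in varnish.pp uses `order => '00'`, the same value as the include just above it in the context lines, so which of the two is emitted first depends on how `vcl_include` breaks ties, which is not visible here. The vhost template in this commit now compares `req.http.host` with `==`, so a vhost only matches once this include has lower-cased the header and stripped the port. A comment on the resource would make that dependency explicit, e.g. `# Must be emitted before any VCL that reads req.http.host; vhost matching relies on the normalised value.` The enclosing class starts and ends outside the hunk.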
@@ -7,11 +7,15 @@ sub vcl_recv { if ( <% @aliases.each do |alias_| -%> - req.http.host ~ "^(?i)<%= Regexp.escape(alias_) %>(:[0-9]+)?$" || + req.http.host == "<%= alias_.downcase %>" || <% end -%> - req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$" + req.http.host == "<%= @servername.downcase %>" ) { var.set("known-vhost", "yes"); + var.set("current-vhost", "<%= @backend_name %>"); + } + + if (var.get("current-vhost") == "<%= @backend_name %>") { if (std.port(server.ip) == <%= scope['::profile::varnish::http_port'] %>) { set req.http.x-redir = "https://" + req.http.host + req.url; return(synth(850, "Moved permanently")); @@ -42,21 +46,18 @@ <% if @websocket_support -%> sub vcl_pipe { - if (req.http.upgrade) { - set bereq.http.upgrade = req.http.upgrade; - set bereq.http.connection = req.http.connection; + if (var.get("current-vhost") == "<%= @backend_name %>") { + if (req.http.upgrade) { + set bereq.http.upgrade = req.http.upgrade; + set bereq.http.connection = req.http.connection; + } } } <% end -%> <% if @hsts_max_age or @vcl_deliver_extra -%> sub vcl_deliver { - if ( -<% @aliases.each do |alias_| -%> - req.http.host ~ "^(?i)<%= Regexp.escape(alias_) %>(:[0-9]+)?$" || -<% end -%> - req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$" - ) { + if (var.get("current-vhost") == "<%= @backend_name %>") { <% if @hsts_max_age -%> if (std.port(server.ip) != <%= scope['::profile::varnish::http_port'] %>) { set resp.http.Strict-Transport-Security = "max-age=<%= @hsts_max_age %>;"; @@ -69,12 +70,7 @@ } sub vcl_synth { - if ( -<% @aliases.each do |alias_| -%> - req.http.host ~ "^(?i)<%= Regexp.escape(alias_) %>(:[0-9]+)?$" || -<% end -%> - req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$" - ) { + if (var.get("current-vhost") == "<%= @backend_name %>") { if (resp.status == 401) { set resp.http.WWW-Authenticate = "Basic"; return(deliver);
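Review bot: The `vcl_deliver` and `vcl_synth` blocks (second and third hunks) now run only when `var.get("current-vhost")` equals this vhost's backend name, and that variable is set only in this template's `vcl_recv` (first hunk). The old conditions tested `req.http.host` directly, so they also held for a response synthesised before this `vcl_recv` had run; whether any earlier include can return `synth()` is not visible here. If that path exists, the 401 `WWW-Authenticate` handling would be skipped for it. A comment above the `var.set("current-vhost", …)` line would record the contract, e.g. `# current-vhost gates vcl_pipe/vcl_deliver/vcl_synth below; it stays unset if the request leaves vcl_recv before this point.` All four subs extend beyond the hunks shown.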