diff --git a/proxy/proxy.go b/proxy/proxy.go
index fd72c2b0423b436b2e4c9c250c91a20abcefbccb..ec8c2b4d2c7fb83d0c933fa98a98a47cb1e6d1af 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -20,6 +20,7 @@ import (
 type Backend struct {
 	Host            string                      `yaml:"host"`
 	Upstream        []string                    `yaml:"upstream"`
+	ServerName      string                      `yaml:"tls_server_name"`
 	ClientTLSConfig *clientutil.TLSClientConfig `yaml:"client_tls"`
 
 	AllowedGroups []string `yaml:"allowed_groups"`
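Review bot: The new `ServerName` field has no doc comment, and its YAML key sits at the backend level although the second hunk applies it only inside the branch that builds a TLS config. That branch appears to run when `client_tls` is set, but the condition is outside the visible lines. If so, a backend that sets `tls_server_name` without `client_tls` would have the option silently ignored. I would document this on the field, e.g. `// ServerName is the name the upstream certificate is verified against; only used when client_tls is set.`, or reject that combination when the configuration is loaded.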
@@ -45,6 +46,13 @@ func (b *Backend) newHandler(ssow *httpsso.SSOWrapper) (http.Handler, error) {
 		if err != nil {
 			return nil, err
 		}
+
+		// By setting the ServerName on the tls.Config, we
+		// hope to decouple TLS certificate verification from
+		// the details of the HTTP Host header included in the
+		// request, so that the transport layer will work
+		// regardless of the HTTP request details.
+		tlsConfig.ServerName = b.ServerName
 	}
 	proxy.Transport = clientutil.NewTransport(b.Upstream, tlsConfig, nil)
 
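Review bot: The assignment `tlsConfig.ServerName = b.ServerName` runs even when `tls_server_name` is not configured, so an empty string replaces any name already set on the config returned for `b.ClientTLSConfig`. This is inferred, since the call that builds `tlsConfig` is above the hunk. With an empty ServerName, certificate verification depends on whatever name the transport derives by itself, which may not be what the operator expects when the transport dials `b.Upstream`. Guarding the override keeps existing configurations unchanged: `if b.ServerName != "" { tlsConfig.ServerName = b.ServerName }`. The comment's "we hope to" could also state the effect plainly, namely that the upstream certificate is verified against `tls_server_name` instead of a name derived from the request. newHandler starts and ends outside the hunk.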
diff --git a/proxy/proxy_test.go b/proxy/proxy_test.go
index 0c45777dd2534d4be9be3d1f0c24e603daf4fc57..1fedce4110b2d4543bae7e98b8c2aa53497f8d3c 100644
--- a/proxy/proxy_test.go
+++ b/proxy/proxy_test.go
@@ -1,7 +1,6 @@
 package proxy
 
 import (
-	"crypto/rand"
 	"crypto/tls"
 	"io"
 	"io/ioutil"
@@ -32,7 +31,7 @@ func TestProxy(t *testing.T) {
 	}
 	defer os.RemoveAll(tmpdir)
 
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	pub, priv, err := ed25519.GenerateKey(nil)
 	if err != nil {
 		t.Fatal(err)
 	}
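Review bot: Passing `nil` to `ed25519.GenerateKey` hides where the key's randomness comes from, and a reader may take it for a fixed or weak test key. In the standard `crypto/ed25519` package a nil reader means `crypto/rand.Reader` is used, but the ed25519 import is not visible in this hunk, so that should be confirmed for the package in use. A short comment on the call would make the intent explicit, e.g. `// nil selects crypto/rand.Reader`. TestProxy continues outside the hunk.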