Before I merge this I need to check if we should delete it or overwrite it, but seems like you found the root cause. I'll do that a bit later and once I'm confident that the right solution I'll release 0.9.2.
Would be also nice to add some tests before we merge a fix.
Thanks!

From https://golang.org/src/net/http/request.go#L133:

	// For incoming requests, the Host header is promoted to the
	// Request.Host field and removed from the Header map.

So I do think that we should drop Host header, but for completes we might also set req.Host

req.Host = upstreamURL.Host
req.Header.Del("Host")

Just to be sure - @svenmueller can you verify if it's still working for you with those 2 lines?
Without enforcing req.Host I'm able to proxy a request with custom (bogus) Host header and it's being send upstream, which shouldn't be allowed, so I'd like to add that.

I just did build a new Docker image with the changes in this PR but i still see that the wrong hostname is used when doing proxied request (access log in alertmanager shows wrong hostname). Not sure if i miss something. Needs more investigation.

if i dump the whole request, it looks like this. The host header is still set.

POST /proxy/alertmanager/test/api/v1/silences HTTP/1.1
Host: unsee.mydomain.com
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Connection: Keep-Alive
Content-Length: 421
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: optimizelySegments=...; optimizelyEndUserId=...; _ga=...; amplitude_idmydomain.com=...; GCP_IAAP_XSRF_NONCE=...
Referer: https://unsee.mydomain.com/?q=
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0
Via: 1.1 google
X-Cloud-Trace-Context: ...
X-Forwarded-For: xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
X-Forwarded-Proto: https
X-Goog-Authenticated-User-Email: ...
X-Goog-Authenticated-User-Id: ...
X-Goog-Iap-Jwt-Assertion: ...
X-Requested-With: XMLHttpRequest

{...}

Ok, overwriting the host value seems to work. I can see that the correct hostname is logged in the logs of the target Alertmanager. Only problem is that the Basic Auth information is not passed to the proxied target, which results in a 401.

Ensuring we pass the correct Host header is needed, but I need to setup proper test coverage for this. I'll follow up this PR with more changes.

I've added more tests and confirmed that basic auth is missing for proxied requests - see #256