add a note about http sig requirements,

and check that host header matches

docs/manual.txt

@@ -60,3 +60,8 @@ with other servers via https URLs.
 
 If the proxy is configured to support caching, be mindful of the fact that
 ActivityPub requests vary based on the Accept and Content-Type headers.
+
+ActivityPub in practice uses HTTP signatures to verify requests. In order for
+this to work, the backend server must receive certain header fields
+unmodified. In particular, the Host header and the message content cannot be
+altered.

zig.go

@@ -26,6 +26,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"regexp"
 	"strings"
@@ -135,6 +136,9 @@ func zag(req *http.Request, content []byte) (string, error) {
 			s = strings.ToLower(req.Method) + " " + req.URL.RequestURI()
 		case "host":
 			s = req.Host
+			if s != serverName {
+				log.Printf("caution: servername host header mismatch")
+			}
 		default:
 			s = req.Header.Get(h)
 		}