diff --git a/includes/xh-proxy.conf b/includes/xh-proxy.conf
index 9e4b345..a79174d 100644
--- a/includes/xh-proxy.conf
+++ b/includes/xh-proxy.conf
@@ -7,8 +7,9 @@ proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-# Required for NTLM SSO when using Jespa
-proxy_set_header Jespa-Connection-Id $remote_addr:$remote_port;
+# Required for NTLM SSO when using Jespa - should contain client remote_addr:remote_port to uniquely
+# ID client connection across multi-step NTLM handshake. Var is set in xh.conf, see notes there.
+proxy_set_header Jespa-Connection-Id $xh_jespa_connection_id;
 # Additional SSL support
 proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/xh.conf b/xh.conf
index 61823fa..19496d4 100644
--- a/xh.conf
+++ b/xh.conf
@@ -6,6 +6,12 @@ gzip_min_length 1000;
 gzip_proxied any;
 gzip_types application/json application/javascript text/css text/javascript;
+# Increase client max body size to allow for larger uploads
+client_max_body_size 20m;
+
+# Increase proxy headers hash size due to our use of proxy_set_header - as per nginx msg in log.
+proxy_headers_hash_max_size 1024;
+
 # Convenience map to specify caching expiry by request type (use in expires directive as below)
 map $sent_http_content_type $expires {
 default off;
@@ -16,9 +22,6 @@ map $sent_http_content_type $expires {
 text/html epoch;
 }
-# Increase client max body size to allow for larger uploads
-client_max_body_size 20m;
-
 # Set $is_desktop and $is_mobile variables for simple UA-based sniffing.
 # This was snagged from https://gist.github.com/perusio/1326701 and is not guaranteed by any means
 # to be perfect or exhaustive. Apps should use with care - we can tune if we have real-world cases
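Review bot: The comment on `proxy_headers_hash_max_size 1024;` in the xh.conf hunk refers to an "nginx msg in log" without recording what it said, so a later reader cannot tell which limit was hit or when the override can be dropped. nginx reports this condition by naming both `proxy_headers_hash_max_size` and `proxy_headers_hash_bucket_size` as the values that could be raised, and this commit raises only the former; the comment should quote the message and state the choice, e.g. `# nginx logged "could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size ... or proxy_headers_hash_bucket_size ..."; raised max_size, revisit if the warning returns.` The `client_max_body_size 20m;` lines are a move from further down the file (the -16 hunk removes them) and need no change.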
@@ -35,6 +38,19 @@ map $is_desktop $is_mobile {
 0 1;
 }
+# Set new $xh_jespa_connection_id for use in xh-proxy include, where the resulting value is
+# used to add/replace a Jespa-Connection-Id header. If request arrives with a Jespa-Connection-Id
+# header already set, this map will re-use that same value: the incoming header is assumed to
+# have been set by an upstream proxy or k8s ingress and to contain the actual client addr and port.
+# Otherwise, we create the ID with the addr and port we know about here.
+map $http_jespa_connection_id $xh_jespa_connection_id {
+ volatile;
+ default $http_jespa_connection_id;
+
+ "" $remote_addr:$remote_port;
+}
+
+
 # App-level Dockerfiles must copy in an appropriate conf with server directives such as the below.
 #server {
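Review bot: The `default $http_jespa_connection_id;` branch passes through any `Jespa-Connection-Id` header that arrives with the request, and nothing in the map distinguishes a value set by the ingress from one supplied by the client itself. Because the forwarded value (consumed by `proxy_set_header Jespa-Connection-Id $xh_jespa_connection_id;` in the includes/xh-proxy.conf hunk) is what lets the backend bind the steps of one NTLM handshake to one connection, a caller that can reach nginx other than through the ingress could present an ID of its choosing, and a collision with another in-flight handshake cannot be ruled out. The assumption written in the comment should be enforced rather than stated: gate the pass-through on the peer address being a known proxy via a `geo` block, and otherwise always derive the ID from `$remote_addr:$remote_port`; if the ingress is known to strip client-supplied copies of this header, the comment should say so instead, since that is the property the trust rests on. Whether nginx is reachable without the ingress is not visible in this diff, so treat that exposure as something to confirm.
```nginx
# Peers allowed to supply Jespa-Connection-Id (the upstream proxy / k8s ingress).
geo $xh_trusted_jespa_proxy {
    default 0;
    TRUSTED_INGRESS_CIDR 1;   # placeholder: replace with the ingress/proxy address range
}

map "$xh_trusted_jespa_proxy:$http_jespa_connection_id" $xh_jespa_connection_id {
    volatile;
    default $remote_addr:$remote_port;

    # Only a non-empty header from a trusted peer is passed through unchanged.
    ~^1:(?<id>.+)$ $id;
}
```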