diff --git a/Gemfile b/Gemfile
index e74bc4bbea12e759800ca51cbb583ba97f590915..5fde253e2bff276191375a51ea81723393a2a4b3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -682,8 +682,9 @@ gem 'telesignenterprise', '~> 2.2' # rubocop:todo Gemfile/MissingFeatureCategory
 # BufferedIO patch
 # Updating this version will require updating scripts/allowed_warnings.txt
 gem 'net-protocol', '~> 0.1.3' # rubocop:todo Gemfile/MissingFeatureCategory
-# Lock this until we make DNS rebinding work with the updated net-http:
-# https://gitlab.com/gitlab-org/gitlab/-/issues/413528
+
+# This is locked to 0.4.1 because we patch Net::HTTP#connect in
+# gems/gitlab-http/lib/net_http/connect_patch.rb.
 gem 'net-http', '= 0.4.1', feature_category: :shared
 
 gem 'duo_api', '~> 1.3' # rubocop:todo Gemfile/MissingFeatureCategory
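Review bot: The new comment above the `net-http` pin explains why the version is locked but not what a bump requires, and it drops the only tracking link the old comment carried. Since the patch file is a copy of upstream `connect`, I would add `# Bumping this requires re-syncing the copied Net::HTTP#connect with the new release;` and `# see https://github.com/ruby/net-http/issues/141 for removing the patch.` so that a later upgrade does not leave a stale method body overriding the new gem code.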
diff --git a/gems/gitlab-http/lib/net_http/connect_patch.rb b/gems/gitlab-http/lib/net_http/connect_patch.rb
index efbe40174b26f464f809dedc01efcc63d62020d1..e737f0fcedffef04a37d32df6f45bf8741679981 100644
--- a/gems/gitlab-http/lib/net_http/connect_patch.rb
+++ b/gems/gitlab-http/lib/net_http/connect_patch.rb
@@ -1,9 +1,36 @@
 # frozen_string_literal: true
 
+# This patches Net::HTTP#connect to handle the hostname override patch,
+# which is needed for Server Side Request Forgery (SSRF)
+# protection. This stopped working in net-http v0.2.2 due to
+# https://github.com/ruby/net-http/pull/36.
+# https://github.com/ruby/net-http/issues/141 is outstanding to make
+# this less hacky, but for now we restore the previous behavior by
+# setting the SNI hostname with the hostname override, if available.
 require 'net/http'
 
 module Net
   class HTTP < Protocol
+    # rubocop:disable Cop/LineBreakAroundConditionalBlock -- This is upstream code
+    # rubocop:disable Layout/ArgumentAlignment -- This is upstream code
+    # rubocop:disable Layout/AssignmentIndentation -- This is upstream code
+    # rubocop:disable Layout/LineEndStringConcatenationIndentation -- This is upstream code
+    # rubocop:disable Layout/MultilineOperationIndentation -- This is upstream code
+    # rubocop:disable Layout/SpaceInsideBlockBraces -- This is upstream code
+    # rubocop:disable Lint/UnusedBlockArgument -- This is upstream code
+    # rubocop:disable Metrics/AbcSize -- This is upstream code
+    # rubocop:disable Metrics/CyclomaticComplexity -- This is upstream code
+    # rubocop:disable Metrics/PerceivedComplexity -- This is upstream code
+    # rubocop:disable Naming/RescuedExceptionsVariableName -- This is upstream code
+    # rubocop:disable Style/AndOr -- This is upstream code
+    # rubocop:disable Style/BlockDelimiters -- This is upstream code
+    # rubocop:disable Style/EmptyLiteral -- This is upstream code
+    # rubocop:disable Style/IfUnlessModifier -- This is upstream code
+    # rubocop:disable Style/LineEndConcatenation -- This is upstream code
+    # rubocop:disable Style/MultilineIfThen -- This is upstream code
+    # rubocop:disable Style/Next -- This is upstream code
+    # rubocop:disable Style/RescueStandardError -- This is upstream code
+    # rubocop:disable Style/StringConcatenation -- This is upstream code
     def connect
       if use_ssl?
         # reference early to load OpenSSL before connecting,
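Review bot: Nothing in this file checks that the loaded net-http is the release the method body was copied from; the only link is the `= 0.4.1` pin in the Gemfile, which does not cover other consumers of the `gitlab-http` gem. Because the patch replaces all of `connect`, including the TLS setup, a version mismatch would silently run outdated connection code. A guard right after `require 'net/http'`, for example `raise "connect_patch.rb targets net-http 0.4.1, got #{Net::HTTP::VERSION}" unless Net::HTTP::VERSION == '0.4.1'`, makes the coupling fail loudly. The body of `connect` continues outside this hunk.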
@@ -72,8 +99,11 @@ def connect
         # to IP address
         verify_hostname = @ssl_context.verify_hostname
 
+        # This hack would not be needed with https://github.com/ruby/net-http/issues/141
+        address_to_verify = hostname_override || @address
+
         # Server Name Indication (SNI) RFC 3546/6066
-        case @address
+        case address_to_verify
         when Resolv::IPv4::Regex, Resolv::IPv6::Regex
           # don't set SNI, as IP addresses in SNI is not valid
           # per RFC 6066, section 3.
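Review bot: `address_to_verify` only drives the SNI decision here and `ssl_host_address` in the following hunk; the certificate hostname check sits further down in `connect`, outside the visible hunks, so it cannot be confirmed from this diff that it uses the same name. If that check still uses `@address` while SNI uses `hostname_override`, the two would name different hosts whenever the override is set, so a spec asserting both against the override would be worth adding. Separately, an empty-string override is truthy in Ruby and would win over `@address`; unless the setter (not shown) already rejects it, `address_to_verify = hostname_override.to_s.empty? ? @address : hostname_override` is safer. A comment such as `# hostname_override holds the original host when @address was rewritten to a resolved IP for SSRF protection` would also explain the line better than "This hack".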
@@ -81,7 +111,7 @@ def connect
           # Avoid openssl warning
           @ssl_context.verify_hostname = false
         else
-          ssl_host_address = @address
+          ssl_host_address = address_to_verify
         end
 
         debug "starting SSL for #{conn_addr}:#{conn_port}..."
@@ -113,5 +143,25 @@ def connect
       raise
     end
     private :connect
+    # rubocop:enable Cop/LineBreakAroundConditionalBlock
+    # rubocop:enable Layout/ArgumentAlignment
+    # rubocop:enable Layout/AssignmentIndentation
+    # rubocop:enable Layout/LineEndStringConcatenationIndentation
+    # rubocop:enable Layout/MultilineOperationIndentation
+    # rubocop:enable Layout/SpaceInsideBlockBraces
+    # rubocop:enable Lint/UnusedBlockArgument
+    # rubocop:enable Metrics/AbcSize
+    # rubocop:enable Metrics/CyclomaticComplexity
+    # rubocop:enable Metrics/PerceivedComplexity
+    # rubocop:enable Naming/RescuedExceptionsVariableName
+    # rubocop:enable Style/AndOr
+    # rubocop:enable Style/BlockDelimiters
+    # rubocop:enable Style/EmptyLiteral
+    # rubocop:enable Style/IfUnlessModifier
+    # rubocop:enable Style/LineEndConcatenation
+    # rubocop:enable Style/MultilineIfThen
+    # rubocop:enable Style/Next
+    # rubocop:enable Style/RescueStandardError
+    # rubocop:enable Style/StringConcatenation
   end
 end