diff --git a/docs/prod-install.md b/docs/prod-install.md
index b54ccc6fcf..2bcd8bd517 100644
--- a/docs/prod-install.md
+++ b/docs/prod-install.md
@@ -69,9 +69,9 @@ These settings include: - `EXTERNAL_HOST`: the user-accessible Zulip domain name for your Zulip installation (aka what users will type in their web - browser). This will be the domain for which you have DNS A records - pointing to this server and for which you configured SSL - certificates. If you plan to use multiple domains, also set + browser). This should of course match the DNS name you configured to + point to your server and for which you configured SSL certificates. + If you plan to use multiple domains, add the others to `ALLOWED_HOSTS`. - `ZULIP_ADMINISTRATOR`: the email address of the person or team
diff --git a/zproject/prod_settings_template.py b/zproject/prod_settings_template.py
index 89713cf198..ade5c21fa1 100644
--- a/zproject/prod_settings_template.py
+++ b/zproject/prod_settings_template.py
@@ -9,9 +9,25 @@
 # sensible default values will be used.
 # The user-accessible Zulip hostname for this installation, e.g.
-# zulip.example.com
+# zulip.example.com. This should match what users will put in their
+# web browser. If you want to allow multiple hostnames, add the rest
+# to ALLOWED_HOSTS.
 EXTERNAL_HOST = 'zulip.example.com'
+# A comma-separated list of strings representing the host/domain names
+# that your users will enter in their browsers to access your Zulip
+# server. This is a security measure to prevent an attacker from
+# poisoning caches and triggering password reset emails with links to
+# malicious hosts by submitting requests with a fake HTTP Host
+# header. See Django's documentation here:
+# .
+# Zulip adds 'localhost' and '127.0.0.1' to the list automatically.
+#
+# The default should work unless you are using multiple hostnames or
+# connecting directly to your server's IP address. If this is set
+# wrong, all requests will get a "Bad Request" error.
+ALLOWED_HOSTS = [EXTERNAL_HOST]
+
 # The email address for the person or team who maintain the Zulip
 # Voyager installation. Will also get support emails. (e.g. zulip-admin@example.com)
 ZULIP_ADMINISTRATOR = 'zulip-admin@example.com'
@@ -106,16 +122,6 @@ DEFAULT_FROM_EMAIL = "Zulip "
 # Messages sent to this address should not be delivered anywhere.
 NOREPLY_EMAIL_ADDRESS = "noreply@example.com"
-# A comma-separated list of strings representing the host/domain names
-# that your users will enter in their browsers to access your Zulip
-# server. This is a security measure to prevent an attacker from
-# poisoning caches and triggering password reset emails with links to
-# malicious hosts by submitting requests with a fake HTTP Host
-# header. See Django's documentation here:
-# .
-# Zulip adds 'localhost' to the list automatically.
-ALLOWED_HOSTS = [EXTERNAL_HOST]
-
 ### OPTIONAL SETTINGS
 # Controls whether session cookies expire when the browser closes
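Review bot: The comment moved above `ALLOWED_HOSTS = [EXTERNAL_HOST]` still opens with "A comma-separated list of strings", but the setting is a Python list, so an operator following the comment literally could write one `'a.example.com,b.example.com'` string, which Django would compare as a single (never matching) hostname and every request would hit the "Bad Request" the comment itself warns about. Suggest rewording to `# A list of strings giving the host/domain names` and adding a concrete multi-host example next to the default, e.g. `ALLOWED_HOSTS = [EXTERNAL_HOST, 'chat.example.com']`. It would also help to state that entries should be bare hostnames, since Django strips any port from the Host header before matching it against this list — worth confirming against the Django version Zulip pins. The line `# .` after "See Django's documentation here:" shows nothing between the marker and the period as rendered here, so please check the documentation URL actually survived in the committed file.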