Should server IP address be in ALLOWED_HOSTS django setting?

Backend · Unresolved · 3 answers · 1553 views
栀梦 2021-02-05 00:21

Since upgrading to django 1.5 my logs show several SuspiciousOperation exceptions with the text:

Invalid HTTP_HOST header (you may need to set ALLOW

3 answers
  • 2021-02-05 00:49

    No, it shouldn't

    By default, there are no reasons why IP address should be accepted as a valid HOST header. This message is a sign of a misconfigured production environment: such requests shouldn't reach the back-end.

    Here's a post on security.stackexchange.com on Host header poisoning & ALLOWED_HOSTS.

    What to do

    Filter out all requests with an invalid HOST header before they reach django back-end.

    How to

    Most likely you're using nginx as a reverse proxy in front of django. If you don't use any reverse proxy at all (or you're using runserver), you have to (otherwise you're risking your security).

    Add a default server block returning 444 at the top of your configuration. It should be the first server block in the configuration:

    # File: /etc/nginx/sites-available/domain.com
    
    upstream django_server {
        server 127.0.0.1:8000;
    }
    
    # Catch all requests with an invalid HOST header
    server {
        server_name "";
        listen      80;
        return      444;
    }
    
    # Your config goes there
    server {
        server_name  domain.com;
        listen       80;
    
        location / {
            proxy_pass http://django_server;
        }
    }
    
    0 · Discussion (0)
  • 2021-02-05 00:56

    NO, IT SHOULDN'T.

    Usually it's not a secure way to configure your Django server. Sometimes, e.g. when testing your application, you may access it via the direct IP address, but there's no reason to disable log warnings.

    My old answer was wrong, thanks to Max Malysh for pointing that out.

    Old answer (INSECURE):

    Short answer is: YES (according to provided headers).

    Long answer: According to documentation:

    If the Host header (or X-Forwarded-Host if USE_X_FORWARDED_HOST is enabled) does not match any value in this list, the django.http.HttpRequest.get_host() method will raise SuspiciousOperation.

    In other words: if your requests pass your server ip address as Host header (and apparently they do), and you think it's okay, then YES, you should add server ip to ALLOWED_HOSTS.

    Also, an IP address could be in HTTP_HOST for many reasons; someone could also ask for the IP address directly.

    0 · Discussion (0)
  • 2021-02-05 01:10

    In practice, just edit the file MyProjectName/settings.py and add the host IP (IP address to the machine in which you're running Django) to the list ALLOWED_HOSTS, which by default is empty.

    So, in your case, we would have before the changes:

    ...
    ALLOWED_HOSTS = []
    ...

    After changes:

    ...
    ALLOWED_HOSTS = ['168.62.208.14'] # Make sure your host IP is a string
    ...

    Run the server again and you should be good. Here's an example using the port 8000:

    python manage.py runserver 168.62.208.14:8000

    Now if you go to your browser and enter the address http://168.62.208.14:8000, you should find yourself on the page "Congratulations on your first Django-powered page".

    0 · Discussion (0)
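An added, stand-alone example (not code from any of the answers above) that re-implements the ALLOWED_HOSTS matching rules Django documents (exact name, leading-dot subdomain wildcard, `*`, port and trailing-dot stripping), so you can check what a given Host header would do under the settings discussed in the second and third answers before touching settings.py. It assumes a plain Python 3 interpreter and does not need Django installed; the real `get_host()` additionally rejects hosts containing invalid characters.

```python
# Re-implementation of Django's documented ALLOWED_HOSTS matching, written for
# this thread; it is not Django's own code. Character validation is omitted.
from typing import Iterable, Tuple


def split_domain_port(host: str) -> Tuple[str, str]:
    """Split 'example.com:8000', '1.2.3.4:8000' or '[::1]:8000' into (domain, port)."""
    host = host.lower()
    if host.startswith("[") and "]" in host:          # bracketed IPv6 literal
        end = host.index("]")
        domain, rest = host[: end + 1], host[end + 1 :]
        port = rest[1:] if rest.startswith(":") else ""
    elif host.count(":") == 1:                        # hostname or IPv4 with a port
        domain, port = host.split(":")
    else:
        domain, port = host, ""
    if domain.endswith("."):                          # drop a trailing dot, as Django does
        domain = domain[:-1]
    return domain, port


def host_matches(domain: str, pattern: str) -> bool:
    """One ALLOWED_HOSTS entry: '*', exact name, or '.example.com' (domain and subdomains)."""
    pattern = pattern.lower()
    return (
        pattern == "*"
        or domain == pattern
        or (pattern.startswith(".") and (domain.endswith(pattern) or domain == pattern[1:]))
    )


def validate_host(host_header: str, allowed_hosts: Iterable[str]) -> bool:
    """True if the Host header value would be accepted under the given ALLOWED_HOSTS."""
    domain, _port = split_domain_port(host_header)
    return bool(domain) and any(host_matches(domain, p) for p in allowed_hosts)


# Constructed Host header values modelled on the question and the answers.
SAMPLE_HOSTS = ["168.62.208.14:8000", "domain.com", "api.domain.com", "evil.example:80", "[::1]:8000"]


def check_settings(allowed_hosts, hosts=SAMPLE_HOSTS):
    """Return {host_header: accepted?} for one ALLOWED_HOSTS value."""
    return {h: validate_host(h, allowed_hosts) for h in hosts}


if __name__ == "__main__":
    for setting in ([], ["168.62.208.14"], ["domain.com", ".domain.com"], ["*"]):
        print(setting, check_settings(setting))
```

With `ALLOWED_HOSTS = []` every sample is rejected (the SuspiciousOperation seen in the question), and only the explicit `['168.62.208.14']` entry lets the IP-addressed request through.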