Since upgrading to django 1.5 my logs show several SuspiciousOperation
exceptions with the text:
Invalid HTTP_HOST header (you may need to set ALLOW
By default, there are no reasons why IP address should be accepted as a valid HOST header. This message is a sign of a misconfigured production environment: such requests shouldn't reach the back-end.
Here's a post on security.stackexchange.com on Host header poisoning & ALLOWED_HOSTS.
Filter out all requests with an invalid HOST header before they reach django back-end.
Most likely you're using nginx
as a reverse proxy in front of django. If you don't use any reverse proxy at all (or you're using runserver
), you have to (otherwise you're risking your security).
Add a default server block returning 444
at the top of your configuration. It should be the first server block in the configuration:
# File: /etc/nginx/sites-available/domain.com
upstream django_server {
server 127.0.0.1:8000;
}
# Catch all requests with an invalid HOST header
server {
server_name "";
listen 80;
return 444;
}
# Your config goes there
server {
server_name domain.com;
listen 80;
location / {
proxy_pass http://django_server;
}
}
NO, IT SHOULDN'T.
Usually it's not a secure way to configure your Django server. Sometimes, e.g., when testing your application, you may access it via direct IP address, but in there's no reason to disable log warnings.
My old answer was wrong, thanks to Max Malysh for pointing that out.
Old answer (INSECURE):
Short answer is: YES (according to provided headers).
Long answer: According to documentation:
If the Host header (or X-Forwarded-Host if USE_X_FORWARDED_HOST is enabled) does not match any value in this list, the django.http.HttpRequest.get_host() method will raise SuspiciousOperation.
In other words: if your requests pass your server ip address as Host header (and apparently they do), and you think it's okay, then YES, you should add server ip to ALLOWED_HOSTS.
Also, ip address could be in HTTP_HOST for many reasons, also someone could directly ask for ip address.
In practice, just edit the file MyProjectName/settings.py
and add the host IP (IP address to the machine in which you're running Django) to the list ALLOWED_HOSTS
, which by default is empty.
So, in your, case we would have before the changes:
...
ALLOWED_HOSTS = []
...
After changes:
...
ALLOWED_HOSTS = ['168.62.208.14'] #Make sure your host IP is a string
...
Run the server again and you should be good. Here's an example using the port 8000:
python manage.py runserver 168.62.208.14:8000
. Now if you go to your browser and enter the address http://168.62.208.14:8000, you should find yourself in the page "Congratulations on your first Django-powered page".