Django ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '*.domain.com'

Question

I've create a Django (1.7) web application with a Nginx, Gunicorn, Django stack and recently I've started to get a number of errors:

[Django] ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '*.domain.com'. The domain name provided is not valid according to RFC 1034/1035.

After searching around, I've found several response that suggest putting the wildcard as the allowed hosts, i.e.

ALLOWED_HOSTS = ['*']

However I'm still getting this error.

Here is the full error message:

Request repr(): 
<WSGIRequest
path:/,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'HTTP_ACCEPT_ENCODING': 'none',
'HTTP_CONNECTION': 'close',
'HTTP_HOST': '*.domain.com',
'HTTP_USER_AGENT': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)',
'HTTP_X_FORWARDED_FOR': '11.111.111.11',
'HTTP_X_FORWARDED_HOST': 'subdomain.domain.com',
'HTTP_X_REAL_IP': '11.111.111.11',
'PATH_INFO': u'/',
'QUERY_STRING': '',
'RAW_URI': '/',
'REMOTE_ADDR': '127.0.0.1',
'REMOTE_PORT': '51349',
'REQUEST_METHOD': 'GET',
'SCRIPT_NAME': u'',
'SERVER_NAME': '127.0.0.1',
'SERVER_PORT': '9000',
'SERVER_PROTOCOL': 'HTTP/1.0',
'SERVER_SOFTWARE': 'gunicorn/19.1.1',
'gunicorn.socket': <socket._socketobject object at 0x3877fa0>,
'wsgi.errors': <gunicorn.http.wsgi.WSGIErrorsWraper object at 0x37e6050>,
'wsgi.file_wrapper': <class 'gunicorn.http.wsgi.FileWrapper'>,
'wsgi.input': <gunicorn.http.body.Body object at 0x396cc50>,
'wsgi.multiprocess': False,
'wsgi.multithread': False,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}>

Is this something I should be concerned about? Am I missing something here? I thought by putting the wildcard in the allowed hosts, I would eliminate this issue, but that doesn't seem to be the case.

Any help would be much appreciated.

Answer 1

ISSUE: gunicorn (your Django App server) is getting an invalid host name.

when a request is made to the server (NginX) and the HTTP Host (or user agent) is empty, nginx sets the HTTP host to the gunicorn sock.

---

Solution: Add/update a directive in your nginx conf (nginx.conf or sites-enabled/<your-site>.conf) from:

proxy_set_header Host $http_host;

to (if you don't have it set, just add the following),

proxy_set_header Host $host;

---

Can put it inside the location, above the proxy_pass directive:

server {
    listen 8000;
    server_name 0.0.0.0;

    location / {
            proxy_set_header Host $host;
            include proxy_params;
            proxy_pass http://unix:/<your-path>/yourproject.sock;  

    }
}

Answer 2

The client that is making a request to your server has sent the following HTTP Host header:

Host: *.domain.com

This is invalid as per the HTTP specification - * is not allowed in the header - hence Django responds with a HTTP 400 response and logs the error.

This is not related to what you put in your ALLOWED_HOSTS setting, where * is permitted and tells Django to accept requests for any (valid) hostname (it will still reject invalid hostnames like *.domain.com).

As others have pointed out in the comments however, you should really configure nginx only to accept connections for specific hosts (server_name) so that such requests don't even reach Django.