After upgrading to Django 1.5, I started getting errors like this:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 92, in get_response
    response = middleware_method(request)
  File "/usr/local/lib/python2.7/dist-packages/django/middleware/common.py", line 57, in process_request
    host = request.get_host()
  File "/usr/local/lib/python2.7/dist-packages/django/http/request.py", line 72, in get_host
    "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): www.google.com

<WSGIRequest
path:/,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'CONTENT_LENGTH': '',
 'CONTENT_TYPE': '',
 'DOCUMENT_ROOT': '/etc/nginx/html',
 'HTTP_ACCEPT': 'text/html',
 'HTTP_HOST': 'www.google.com',
 'HTTP_PROXY_CONNECTION': 'close',
 'HTTP_USER_AGENT': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
 'PATH_INFO': u'/',
 'QUERY_STRING': '',
 'REMOTE_ADDR': '210.245.91.104',
 'REMOTE_PORT': '49347',
 'REQUEST_METHOD': 'GET',
 'REQUEST_URI': '/',
 u'SCRIPT_NAME': u'',
 'SERVER_NAME': 'www.derekkwok.net',
 'SERVER_PORT': '80',
 'SERVER_PROTOCOL': 'HTTP/1.0',
 'uwsgi.node': 'derekkwok',
 'uwsgi.version': '1.4.4',
 'wsgi.errors': <open file 'wsgi_errors', mode 'w' at 0xb6d99c28>,
 'wsgi.file_wrapper': <built-in function uwsgi_sendfile>,
 'wsgi.input': <uwsgi._Input object at 0x953e698>,
 'wsgi.multiprocess': True,
 'wsgi.multithread': False,
 'wsgi.run_once': False,
 'wsgi.url_scheme': 'http',
 'wsgi.version': (1, 0)}>
I've set ALLOWED_HOSTS = ['.derekkwok.net'] in my settings.py file.
What is going on here? Is it someone pretending to be Google and accessing my site? Or is it a benign case of someone setting their HTTP_HOST header incorrectly?
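To see why Django rejects the request above under the setting from the question, here is an added Python reimplementation of the ALLOWED_HOSTS matching rules (it is not Django's own code, only a model of its behaviour): a pattern with a leading dot matches the domain itself and any subdomain, any other pattern must match exactly, '*' matches everything, and the port is split off before comparison.

```python
import re

# Constructed from the question: the setting the asker has in settings.py.
ALLOWED_HOSTS = ['.derekkwok.net']

# Same shape of syntax check Django applies to the Host header:
# a lowercase DNS name or a bracketed IPv6 literal, with an optional port.
_host_re = re.compile(r'^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:.]*\])(:\d+)?$')


def split_domain_port(host):
    """Return (domain, port) for a Host header value; ('', '') if malformed."""
    host = host.lower()
    if not _host_re.match(host):
        return '', ''
    if host[-1] == ']':          # bare IPv6 literal, no port
        return host, ''
    bits = host.rsplit(':', 1)
    if len(bits) == 2:
        return bits[0], bits[1]
    return bits[0], ''


def validate_host(host, allowed_hosts):
    """Model of the ALLOWED_HOSTS matching rules (assumed, not Django's code)."""
    host = host[:-1] if host.endswith('.') else host   # ignore a trailing FQDN dot
    for pattern in allowed_hosts:
        if pattern == '*':
            return True
        pattern = pattern.lower()
        if pattern.startswith('.'):
            # '.derekkwok.net' allows derekkwok.net and every subdomain of it
            if host.endswith(pattern) or host == pattern[1:]:
                return True
        elif pattern == host:
            return True
    return False


def is_allowed(host_header, allowed_hosts=ALLOWED_HOSTS):
    """True if a raw Host header value would pass get_host() with these settings."""
    domain, _port = split_domain_port(host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)


if __name__ == '__main__':
    # www.google.com (the header in the traceback) is rejected; the site's own
    # names, with or without a port, are accepted.
    for h in ['www.google.com', 'www.derekkwok.net', 'derekkwok.net:80', 'evil-derekkwok.net']:
        print('%-22s -> %s' % (h, 'allowed' if is_allowed(h) else 'rejected'))
```

The traceback in the question is therefore ALLOWED_HOSTS working as intended: the setting is correct and the request carrying Host: www.google.com is refused before any view runs.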
If you're using Nginx to forward requests to Django running on Gunicorn/Apache/uWSGI, you can use the following to block bad requests. Thanks to @PaulM for the suggestion.
upstream app_server {
    server unix:/tmp/gunicorn_mydomain.com.sock fail_timeout=0;
}

server {
    ...

    ## Deny illegal Host headers
    ## $host is already lowercased and has the port stripped; the dots are
    ## escaped so that only the literal domain names match.
    if ($host !~* ^(mydomain\.com|www\.mydomain\.com)$ ) {
        return 444;
    }

    location / {
        proxy_pass http://app_server;
        ...
    }
}