
Invalid HTTP_HOST header in Django 1.6.2

I am receiving a lot of Invalid HTTP_HOST header messages from my Django web application:

[Django] ERROR: Invalid HTTP_HOST header: 'www.bing.com'.You may need to add u'www.bing.com' to ALLOWED_HOSTS

It comes from known websites (like bing.com, google.com) as well as very random websites (www2t.biglobe.ne.jp, proxy.me5b.ru).

The message in the emails is:

No stack trace available

Request repr() unavailable.

I have read other SO questions about this, like this and this, and a nice blog post like this.

But they all seem to indicate that this problem should have been solved in Django 1.6. However, I am running Django 1.6.2 and am still seeing this error. I am using Apache WSGI and the application is hosted on AWS Elastic Beanstalk.

I can probably suppress these alert messages, but should I be expecting them in the first place?

Devang asked Mar 14 '14 21:03


3 Answers

The problem isn't in Django or the Django application; it's on the user's side.

Your Django application is configured to take requests on example.com only (ALLOWED_HOSTS), and then, if any other domain is pointing to the same IP and any user requests that website, then Django will raise that exception.

Obviously bing.com isn't pointing to your IP address (unless you are a Microsoft employee and you are migrating bing to Django :-O).

I have some hypotheses:

  • A user or bot is doing some unauthorized tests on your website.
  • A private DNS server owned by an ISP, company or home was hacked or misconfigured and has wrong entries.
  • Malware has added some entries in the "hosts" file of the user's operating system pointing to your IP.
  • Or any other reason why bing.com is pointing to your website.

Don't pay attention to this error (I'm ignoring this on my websites) because Django is thinking correctly:

I'm not configured to serve this domain, sorry, I'll not serve any content to you.

Darwin answered Sep 29 '22 17:09


Here is a complete logging config that can be cut and pasted into a Django 1.6 settings file if LOGGING isn't already defined. This is a follow up to the snippet that @Devang posted as a comment above.

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'null': {
            'class': 'django.utils.log.NullHandler',
        },
    },
    'loggers': {
        'django.security.DisallowedHost': {
            'handlers': ['null'],
            'propagate': False,
        },
    }
}

Ben Konrath answered Sep 29 '22 17:09


Updated for Django 1.9, per the docs.

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'null': {
            'class': 'logging.NullHandler',
        },
    },
    'loggers': {
        'django.security.DisallowedHost': {
            'handlers': ['null'],
            'propagate': False,
        },
    },
}

mcastle answered Sep 29 '22 18:09
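
The configs in the answers above discard every DisallowedHost record. As an added example (not from any of the answers), the same logger can instead feed a handler that tallies the rejected Host values, so the alert emails stop while the traffic stays visible. It uses only the standard library so it runs without Django; the HostTallyHandler class and the sample messages are assumptions constructed here.

```python
import logging
import logging.config
import re
from collections import Counter


class HostTallyHandler(logging.Handler):
    """Hypothetical handler (not part of Django): counts rejected Host values."""

    # Matches the message format quoted in the question, with or without u''.
    HOST_RE = re.compile(r"Invalid HTTP_HOST header: u?'([^']*)'")

    def __init__(self):
        super().__init__()
        self.counts = Counter()

    def emit(self, record):
        m = self.HOST_RE.search(record.getMessage())
        self.counts[m.group(1).lower() if m else "<unparsed>"] += 1


LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        # In a settings file, '()' can be a dotted path to the class instead.
        'host_tally': {'()': HostTallyHandler},
    },
    'loggers': {
        'django.security.DisallowedHost': {
            'handlers': ['host_tally'],
            'propagate': False,  # records never reach parent loggers' handlers
        },
    },
}


def demo():
    logging.config.dictConfig(LOGGING)
    log = logging.getLogger('django.security.DisallowedHost')
    # Constructed sample records in the format shown in the question.
    for host in ['www.bing.com', 'www.bing.com', 'proxy.me5b.ru', 'WWW.BING.COM']:
        log.error("Invalid HTTP_HOST header: %r.You may need to add %r "
                  "to ALLOWED_HOSTS", host, host)
    return log.handlers[0].counts.most_common()


if __name__ == "__main__":
    print(demo())
```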