Since upgrading to django 1.5 my logs show several SuspiciousOperation
exceptions with the text:
Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): <my server's ip>
Is this genuinely a 'suspicious' request, or should I always be including my server's IP address in the ALLOWED_HOSTS
setting in addition to my domain name? Any idea what would be making requests with HTTP_HOST = "ip address"
rather than HTTP_HOST = "domain name"
?
Here is the request environment:
{'HTTP_ACCEPT_ENCODING': "'identity'", 'HTTP_CONNECTION': "'close'", 'HTTP_HOST': "'168.62.208.14'", 'HTTP_X_FORWARDED_PROTOCOL': "'https'", 'HTTP_X_REAL_IP': "'176.10.35.241'", 'HTTP_X_SCHEME': "'https'", 'PATH_INFO': "u'/'", 'QUERY_STRING': "''", 'RAW_URI': "'/'", 'REMOTE_ADDR': "'127.0.0.1'", 'REMOTE_PORT': "'45068'", 'REQUEST_METHOD': "'GET'", 'SCRIPT_NAME': "u''", 'SERVER_NAME': "'168.62.208.14'", 'SERVER_PORT': "'80'", 'SERVER_PROTOCOL': "'HTTP/1.0'", 'SERVER_SOFTWARE': "'gunicorn/0.14.6'", 'gunicorn.socket': "'<socket._socketobject object at 0x7ab3b40>'", 'wsgi.errors': '"<open file \'<stderr>\', mode \'w\' at 0x7f0c94810270>"', 'wsgi.file_wrapper': "'<class gunicorn.http.wsgi.FileWrapper at 0x34eec80>'", 'wsgi.input': "'<gunicorn.http.body.Body object at 0x2a0bf10>'", 'wsgi.multiprocess': 'False', 'wsgi.multithread': 'False', 'wsgi.run_once': 'False', 'wsgi.url_scheme': "'http'", 'wsgi.version': '[1, 0]'}
NO, IT SHOULDN'T.
Usually it's not a secure way to configure your Django server. Sometimes, e.g., when testing your application, you may access it via direct IP address, but in there's no reason to disable log warnings.
My old answer was wrong, thanks to Max Malysh for pointing that out.
Old answer (INSECURE):
Short answer is: YES (according to provided headers).
Long answer: According to documentation:
If the Host header (or X-Forwarded-Host if USE_X_FORWARDED_HOST is enabled) does not match any value in this list, the django.http.HttpRequest.get_host() method will raise SuspiciousOperation.
In other words: if your requests pass your server ip address as Host header (and apparently they do), and you think it's okay, then YES, you should add server ip to ALLOWED_HOSTS.
Also, ip address could be in HTTP_HOST for many reasons, also someone could directly ask for ip address.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With