 

Should server IP address be in ALLOWED_HOSTS django setting?

Tags:

django

Since upgrading to Django 1.5 my logs show several SuspiciousOperation exceptions with the text:

Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): <my server's ip> 

Is this genuinely a 'suspicious' request, or should I always be including my server's IP address in the ALLOWED_HOSTS setting in addition to my domain name? Any idea what would be making requests with HTTP_HOST = "ip address" rather than HTTP_HOST = "domain name"?

Here is the request environment:

    {'HTTP_ACCEPT_ENCODING': 'identity',
     'HTTP_CONNECTION': 'close',
     'HTTP_HOST': '168.62.208.14',
     'HTTP_X_FORWARDED_PROTOCOL': 'https',
     'HTTP_X_REAL_IP': '176.10.35.241',
     'HTTP_X_SCHEME': 'https',
     'PATH_INFO': u'/',
     'QUERY_STRING': '',
     'RAW_URI': '/',
     'REMOTE_ADDR': '127.0.0.1',
     'REMOTE_PORT': '45068',
     'REQUEST_METHOD': 'GET',
     'SCRIPT_NAME': u'',
     'SERVER_NAME': '168.62.208.14',
     'SERVER_PORT': '80',
     'SERVER_PROTOCOL': 'HTTP/1.0',
     'SERVER_SOFTWARE': 'gunicorn/0.14.6',
     'gunicorn.socket': '<socket._socketobject object at 0x7ab3b40>',
     'wsgi.errors': "<open file '<stderr>', mode 'w' at 0x7f0c94810270>",
     'wsgi.file_wrapper': '<class gunicorn.http.wsgi.FileWrapper at 0x34eec80>',
     'wsgi.input': '<gunicorn.http.body.Body object at 0x2a0bf10>',
     'wsgi.multiprocess': False,
     'wsgi.multithread': False,
     'wsgi.run_once': False,
     'wsgi.url_scheme': 'http',
     'wsgi.version': (1, 0)}
Nathan Jhaveri asked May 21 '13 17:05



1 Answer

NO, IT SHOULDN'T.

Usually it's not a secure way to configure your Django server. Sometimes, e.g., when testing your application, you may access it via the direct IP address, but there's no reason to disable log warnings.

My old answer was wrong, thanks to Max Malysh for pointing that out.

Old answer (INSECURE):

Short answer is: YES (according to provided headers).

Long answer: According to documentation:

If the Host header (or X-Forwarded-Host if USE_X_FORWARDED_HOST is enabled) does not match any value in this list, the django.http.HttpRequest.get_host() method will raise SuspiciousOperation.

In other words: if your requests pass your server IP address as the Host header (and apparently they do), and you think it's okay, then YES, you should add the server IP to ALLOWED_HOSTS.

Also, an IP address could be in HTTP_HOST for many reasons; for example, someone could directly ask for the IP address.

folex answered Sep 21 '22 21:09

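The check the answer quotes, as an added example that is not part of the original post and not Django's own code: a standalone Python re-implementation of what HttpRequest.get_host() does with ALLOWED_HOSTS, written so it runs without a Django install. It mirrors the documented matching rules (exact match, the "*" wildcard, a leading-dot entry matching a domain and its subdomains, port and trailing dot stripped before comparing, X-Forwarded-Host honoured only when USE_X_FORWARDED_HOST is on). The request dictionaries are constructed here from the environment in the question; "example.com" and "attacker.example" are placeholder names, and password_reset_link is an illustrative helper showing why an unchecked Host header is dangerous, not a Django API.

```python
# Added illustration: standalone re-implementation of the ALLOWED_HOSTS check
# performed by Django's HttpRequest.get_host().  Not Django's own code; the
# rules below follow the documented behaviour of django.http.request.
import re

# Modelled on Django's host_validation_re: a domain, an IPv4 address or a
# bracketed IPv6 literal, optionally followed by a port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


class DisallowedHost(Exception):
    """Stand-in for django.core.exceptions.DisallowedHost, the
    SuspiciousOperation subclass behind the log line in the question."""


def split_domain_port(host):
    """Lower-case the host, drop a trailing dot and separate the port.
    Returns ("", "") when the value is not a syntactically valid host."""
    host = host.lower()
    if not _HOST_RE.match(host):
        return "", ""
    if host[-1] == "]":                       # bare IPv6 literal, no port
        return host, ""
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    return (domain[:-1] if domain.endswith(".") else domain), port


def is_same_domain(host, pattern):
    """ALLOWED_HOSTS entry semantics: ".example.com" matches example.com
    and every subdomain; any other entry must match exactly."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(host, allowed_hosts):
    """True if the (already split) domain matches any ALLOWED_HOSTS entry."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def get_host(environ, allowed_hosts, use_x_forwarded_host=False):
    """Resolve the request host the way get_host() does and raise
    DisallowedHost unless it is in allowed_hosts.  X-Forwarded-Host is
    only trusted when USE_X_FORWARDED_HOST is on (proxy you control)."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in environ:
        host = environ["HTTP_X_FORWARDED_HOST"]
    elif "HTTP_HOST" in environ:
        host = environ["HTTP_HOST"]
    else:                                     # HTTP/1.0 client, no Host header
        host = environ["SERVER_NAME"]
        default_port = "443" if environ.get("wsgi.url_scheme") == "https" else "80"
        if environ["SERVER_PORT"] != default_port:
            host = "%s:%s" % (host, environ["SERVER_PORT"])
    domain, _port = split_domain_port(host)
    if domain and validate_host(domain, allowed_hosts):
        return host
    raise DisallowedHost(
        "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)


def is_rejected(environ, allowed_hosts, use_x_forwarded_host=False):
    """Convenience wrapper: True when get_host() would raise."""
    try:
        get_host(environ, allowed_hosts, use_x_forwarded_host)
    except DisallowedHost:
        return True
    return False


def password_reset_link(environ, token, allowed_hosts):
    """Illustrative helper (not a Django API): an absolute URL built from
    the Host header, as password-reset mails are, goes wherever the client
    said unless ALLOWED_HOSTS rejects that host first."""
    scheme = environ.get("wsgi.url_scheme", "http")
    return "%s://%s/reset/%s" % (scheme, get_host(environ, allowed_hosts), token)


# Constructed from the environment in the question: gunicorn behind a
# reverse proxy, client asked for the bare IP.
QUESTION_ENVIRON = {
    "HTTP_HOST": "168.62.208.14",
    "REMOTE_ADDR": "127.0.0.1",
    "SERVER_NAME": "168.62.208.14",
    "SERVER_PORT": "80",
    "wsgi.url_scheme": "http",
}

# Constructed attacker request; "attacker.example" is a placeholder.
POISONED_ENVIRON = dict(QUESTION_ENVIRON, HTTP_HOST="attacker.example")

if __name__ == "__main__":
    print(is_rejected(QUESTION_ENVIRON, ["example.com"]))                    # True
    print(get_host(QUESTION_ENVIRON, ["example.com", "168.62.208.14"]))      # 168.62.208.14
    print(password_reset_link(POISONED_ENVIRON, "tok", ["*"]))              # attacker wins
    print(is_rejected(POISONED_ENVIRON, ["example.com"]))                    # True
```

With only the domain in ALLOWED_HOSTS, the question's request is rejected exactly as the log shows; adding the IP makes it pass. The wildcard case shows the cost of doing that too loosely: with "*" (or with an entry for every name a client might send) a reset link can be built for any Host an attacker chooses. Adding the server IP is a deliberate decision to serve the site on that name, not a way to make the warning go away.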