What's should Django ALLOWED_HOSTS be when using a unix socket?

Question

I'm using a unix socket instead of a TCP port for gunicorn to serve my Django app from. However, when debug is off I get a 400 response unless I set ALLOWED_HOSTS = ['*']. What is a safer option than '*' in this scenario?

Here's my Gunicorn startup script(/opt/example.com/bin/gunicorn_start):

#!/bin/bash

NAME="myapp"                                      # Name of the application
DJANGODIR=/opt/example.com/myapp                  # Django project directory
SOCKFILE=/opt/example.com/run/gunicorn.sock       # we will communicate using this unix socket
USER= myuser                                      # the user to run as
GROUP=mygroup                                     # the group to run as
NUM_WORKERS=3                                     # how many worker processes should Gunicorn spawn
DJANGO_SETTINGS_MODULE=myapp.settings             # which settings file should Django use
DJANGO_WSGI_MODULE=myapp.wsgi                     # WSGI module name

echo "Starting $NAME as `whoami`"

# Activate the virtual environment
cd $DJANGODIR
source ../bin/activate
export DJANGO_SETTINGS_MODULE=$DJANGO_SETTINGS_MODULE
export PYTHONPATH=$DJANGODIR:$PYTHONPATH

# Create the run directory if it doesn't exist
RUNDIR=$(dirname $SOCKFILE)
test -d $RUNDIR || mkdir -p $RUNDIR

# Start your Django Unicorn
# Programs meant to be run under supervisor should not daemonize themselves (do not use --daemon)
exec ../bin/gunicorn ${DJANGO_WSGI_MODULE}:application \
  --name $NAME \
  --workers $NUM_WORKERS \
  --user=$USER --group=$GROUP \
  --log-level=debug \
  --bind=unix:$SOCKFILE

Answer 1

Turns out I just needed to add my server's hostname. I had been using ['localhost', '127.0.0.1'] but since I added the following nginx config too, the app needed to allow the website's URL.

upstream blog_app_server {
  # fail_timeout=0 means we always retry an upstream even if it failed
  # to return a good HTTP response (in case the Unicorn master nukes a
  # single worker for timing out).

  server unix:/opt/example.com/run/gunicorn.sock fail_timeout=0;
}

server {
    listen       80;
    server_name  www.example.com example.com;
    server_tokens off;
    access_log /opt/example.com/logs/nginx-access.log;
    error_log /opt/example.com/logs/nginx-error.log;

    location /static/ {
        alias /opt/example.com/static/;
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://blog_app_server;
            break;
        }
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

Specifically I think it was the line proxy_set_header Host $http_host; that meant I needed to add the site's name to ALLOWED_HOSTS.