Django ALLOWED_HOSTS to accept local IPs through Apache

Question

I'm serving a Django app with Apache. In Django's settings.py I have DEBUG = False, therefore I had to allow some hosts, like: ALLOWED_HOSTS = ['.dyndns.org', 'localhost']. This works fine, however I would like to have the server accessible on the local network via its internal IP address as well, like: 192.168.0.x, or 127.0.0.1, etc. How could I define 192.* or 127.* in ALLOWED_HOSTS, if I'd like to avoid opening up the access entirely by ALLOWED_HOSTS = ['*']?

You may need to write a custom middleware to handle parsing those IPs. — rnevius, Mar 25 '16 at 12:58
Thanks for the tip @rnevius! I've never written a custom middleware, but I'll investigate in this direction. — Zorgmorduk, Mar 25 '16 at 13:50

score 9 · Accepted Answer · edited May 23 '17 at 12:16

Following the recommendation from @rnevius, and based on the guidelines from @AlvaroAV in how to setup custom middleware in django, I've managed to solve with this middleware:

from django.http import HttpResponseForbidden

class FilterHostMiddleware(object):

    def process_request(self, request):

        allowed_hosts = ['127.0.0.1', 'localhost']  # specify complete host names here
        host = request.META.get('HTTP_HOST')

        if host[len(host)-10:] == 'dyndns.org':  # if the host ends with dyndns.org then add to the allowed hosts
            allowed_hosts.append(host)
        elif host[:7] == '192.168':  # if the host starts with 192.168 then add to the allowed hosts
            allowed_hosts.append(host)

        if host not in allowed_hosts:
            raise HttpResponseForbidden

        return None

and setting ALLOWED_HOSTS = ['*'] in settings.py no longer opens up for all hosts in an uncontrolled way.

Thanks guys! :)

Nice work! Thanks for sharing your solution. Just a heads up that this middleware should be listed at the top of your `MIDDLEWARE_CLASSES` in this case (the other answer you linked to puts the custom middleware at the end of the list). This is mentioned in the docs here: https://docs.djangoproject.com/en/1.9/ref/settings/#allowed-hosts — rnevius, Mar 25 '16 at 16:31
Well, I've left as the last one in the list of `MIDDLEWARE_CLASSES`, and it works fine. I'd guess that the _first_ in the docs from the sentence 'this middleware must be listed _first_ in MIDDLEWARE_CLASSES' does not relate to the sequence of the list. — Zorgmorduk, Mar 25 '16 at 16:58

score 2 · Answer 2 · edited Oct 16 '19 at 16:14

For those wondering what this should be in Django 2.0.dev (In line with @Zorgmorduk's answer)

You need to make the object callable: django middleware docs

Create a folder named middleware in yourproject/yourapp/
Create an empty file __init__.py inside yourproject/yourapp/middleware folder.
Create another file, in this case filter_host_middleware.py

Add this code inside filter_host_middleware.py:

from django.http import HttpResponseForbidden
class FilterHostMiddleware(object):
    def __init__(self, process_request):
        self.process_request = process_request
    def __call__(self, request):
        response = self.process_request(request)
        return response
    def process_request(self, request):`
        # use the same process_request definition as in @Zorgmorduk's answer

add yourapp.middleware.filter_host_middleware.FilterHostMiddleware to your MIDDLEWARE in yourproject's settings.py; additionally change ALLOWED_HOSTS=['*']

You are all set!

Django ALLOWED_HOSTS to accept local IPs through Apache

2 Answers2

Linked