
Question 1

As far as I know, Django has an ALLOWED_HOSTS option in settings.py to protect against spoofing attacks.

However, I don't know which of cases 1 to 3 is the most proper value for ALLOWED_HOSTS. (Or do all of them produce the same result?)

Case 1 : ALLOWED_HOSTS = ['.mydomain.com']

Case 2 : ALLOWED_HOSTS = ['myipaddress']

Case 3 : ALLOWED_HOSTS = ['.mydomain.com', 'myipaddress']

This question is closely related to previous questions ([1], [2], [3]), but I couldn't reach a clear decision.


Question 2

According to Brent's answer, editing nginx's configuration could yield the same result. (See the following code.)

upstream app_server {
    server unix:/tmp/gunicorn_mydomain.com.sock fail_timeout=0;
}

server {

    ...

    ## Deny illegal Host headers (dots escaped so they match literally)
    if ($host !~* ^(mydomain\.com|www\.mydomain\.com)$ ) {
        return 444;
    }

    location  / {
        proxy_pass               http://app_server;
        ...
    }

}

Following similar logic to the first question, what would be the best value to replace mydomain.com|www.mydomain.com?

Chemical Programmer
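To see what each of the three candidate settings actually accepts, here is an added example (not part of the question and not Django's own source) that re-implements the documented ALLOWED_HOSTS matching rules in plain Python: a pattern starting with a dot matches the domain and every subdomain, '*' matches anything, and any other pattern must equal the Host header's domain exactly, ignoring case and port. The address 203.0.113.10 is a constructed stand-in for 'myipaddress'.

```python
"""
Re-implementation of the ALLOWED_HOSTS matching rules documented for Django
(added example; not Django's own code). It exists only to show what each of
the three candidate settings in the question accepts or rejects.
"""

# Constructed stand-in for 'myipaddress' in the question (TEST-NET-3 range).
MY_IP = "203.0.113.10"

CASE_1 = [".mydomain.com"]          # domain and every subdomain
CASE_2 = [MY_IP]                    # raw IP only
CASE_3 = [".mydomain.com", MY_IP]   # both


def split_domain_port(host):
    """Split a Host header value into (domain, port), lower-cased.

    Mirrors the documented behaviour: '[::1]:8000' -> ('[::1]', '8000'),
    'Example.COM.' -> ('example.com', ''). Returns ('', '') when the value
    is malformed, which callers treat as 'not allowed'.
    """
    host = host.lower()
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return "", ""
        domain, rest = host[: end + 1], host[end + 1:]
    else:
        domain, sep, port = host.partition(":")
        rest = sep + port
    if rest and not rest.startswith(":"):
        return "", ""
    port = rest[1:]
    if port and not port.isdigit():
        return "", ""
    if not domain:
        return "", ""
    # A single trailing dot (fully qualified form) is ignored for matching.
    if domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def is_same_domain(host, pattern):
    """'.mydomain.com' matches mydomain.com and any subdomain; any other
    pattern must match exactly. Case-insensitive."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(host_header, allowed_hosts):
    """Return True if the Host header value is accepted by allowed_hosts."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False
    return any(
        pattern == "*" or is_same_domain(domain, pattern)
        for pattern in allowed_hosts
    )


def compare_cases(host_header):
    """Which of the three candidate settings would accept this Host header?"""
    return {
        "case1": validate_host(host_header, CASE_1),
        "case2": validate_host(host_header, CASE_2),
        "case3": validate_host(host_header, CASE_3),
    }


if __name__ == "__main__":
    for header in ["mydomain.com", "www.mydomain.com:8000", MY_IP,
                   "mydomain.com.evil.example", "evil.example"]:
        print(f"{header:32} {compare_cases(header)}")
```

The three cases therefore differ only in whether a request whose Host header is the bare IP is accepted: case 1 rejects it, case 2 accepts nothing but the IP, and case 3 accepts both. A look-alike such as mydomain.com.evil.example is rejected by all three, because the leading-dot pattern only matches a suffix that begins at a label boundary.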

1 Answer

This kind of problem seems to occur only under Django version 1.5, which is deprecated.

If I set the server_name (e.g. mydomain.com) in the nginx configuration correctly, then nginx would treat direct access via the IP address as an invalid request.

If I didn't include the IP address in ALLOWED_HOSTS, Django would report to the admin accounts when a user accesses the site at the IP address. On the contrary, Django would not report it when I include the IP address in ALLOWED_HOSTS.

The following is a summary of my thoughts.

(1) Only include 'domain.com' in ALLOWED_HOSTS

(2) Set the default server and server_name correctly on the nginx side

(3) If you don't want to send error mail in this case, edit the logging part in settings.py

alecxe
Chemical Programmer
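Point (3) above is a one-line change to settings.LOGGING, but it is easy to get wrong (the logger name must be exactly 'django.security.DisallowedHost' and propagation must be switched off). The following added example, which is not from the question, the answer or Django, uses the standard library's logging.config to show the effect: with the extra logger entry in place, a rejected Host header no longer reaches the handler that would mail ADMINS. CollectingHandler is a constructed stand-in for Django's AdminEmailHandler so the behaviour can be checked without a mail server, and 203.0.113.10 is a constructed address.

```python
"""
Added example (not from the question or answer): shows with the standard
library's logging.config what the LOGGING change in point (3) does. A
'django.security.DisallowedHost' logger routed to a NullHandler with
propagate=False stops the error from reaching the handler that would mail
ADMINS. CollectingHandler is a constructed stand-in for Django's
AdminEmailHandler so the effect can be checked without a mail server.
"""
import logging
import logging.config


class CollectingHandler(logging.Handler):
    """Records every log record it receives instead of sending e-mail."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def build_logging_config(collector, silence_disallowed_host):
    """Return a dict in the same shape as settings.LOGGING.

    In a real settings.py the 'mail_admins' handler would be
    {'class': 'django.utils.log.AdminEmailHandler', 'level': 'ERROR'};
    here a factory returning the collector takes its place.
    """
    config = {
        "version": 1,
        "disable_existing_loggers": False,
        "handlers": {
            "null": {"class": "logging.NullHandler"},
            "mail_admins": {"()": lambda: collector, "level": "ERROR"},
        },
        "loggers": {
            "django": {"handlers": ["mail_admins"], "level": "ERROR"},
        },
    }
    if silence_disallowed_host:
        # The documented recipe for not being e-mailed about every bad Host
        # header: give the DisallowedHost logger its own null handler and
        # stop propagation to the parent 'django' logger.
        config["loggers"]["django.security.DisallowedHost"] = {
            "handlers": ["null"],
            "propagate": False,
        }
    return config


def admin_reports_for_bad_host(silence_disallowed_host):
    """Apply the config, simulate one rejected Host header, and return how
    many records reached the admin handler (1 = admins get mail, 0 = silent)."""
    collector = CollectingHandler()
    logging.config.dictConfig(
        build_logging_config(collector, silence_disallowed_host)
    )
    # This is the logger Django uses when ALLOWED_HOSTS rejects a request.
    logging.getLogger("django.security.DisallowedHost").error(
        "Invalid HTTP_HOST header: %r. You may need to add it to ALLOWED_HOSTS.",
        "203.0.113.10",  # constructed IP for the example
    )
    return len(collector.records)


if __name__ == "__main__":
    print("default  :", admin_reports_for_bad_host(False))   # 1
    print("silenced :", admin_reports_for_bad_host(True))    # 0
```

Silencing the logger only affects the e-mail; the request is still rejected with a 400 by Django, and with a catch-all default server in nginx (point 2) it never reaches Django at all. Keep the entry narrow: silencing 'django.security' or 'django' as a whole would also hide other security warnings.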