Django Invalid HTTP_HOST header on Apache - fix using Require?

Question

A couple weeks ago, I had a wonderful time setting up an Apache and Django configuration to work while forcing SSL and operating behind an AWS load balancer.

Now that it is all working nicely, I'm still constantly receiving the common "Invalid HTTP_HOST header" error, and trying to figure out the right way to go about fixing it.

Searching has brought me to the following answer regarding the Apache configuration:

How to disable Django's invalid HTTP_HOST error?

Which recommends placing the following settings inside the <Directory></Directory> block in the VirtualHost file:

SetEnvIfNoCase Host .+ VALID_HOST
Order Deny,Allow
Deny from All
Allow from env=VALID_HOST}

This works, but according to Apache (https://httpd.apache.org/docs/2.4/howto/access.html) this method is deprecated.

I've read through the Apache docs but when I tried using the following code it just shut down access to the site and gave me a "Not Authorized" error.

<RequireAll>
    Require host example.org
</RequireAll>

Not entirely sure what I'm missing. I know I can solve the problem using the first answer, just trying to figure out the "right" way using code that isn't deprecated. Site is using WSGIDaemonProcess to run the Django App and has the following set to force the SSL through AWS

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTP:X-Forwarded-For} !=""
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}

score 8 · Answer 1 · answered Apr 10 '17 at 12:13

8

No need to use mod_setenvif as HTTP_HOST is already a variable and you can evaluate it directly.

<Directory /var/www/html/>
    Require expr %{HTTP_HOST} == "example.com"
    Options
</Directory>

answered Apr 10 '17 at 12:13

liquidki

1,234
16
16

score 6 · Accepted Answer · edited May 23 '17 at 12:17

So, after messing with this for a long time I figured out that the problem I was dealing with may have something to do with the hostname reverse DNS lookup failing, since the IP address was pointing to an AWS EC2 instance instead of my domain.

After finally giving up on getting it right I returned to the post on how to disable the log error, and tried using the env variable, which seems to be working.

Apparently the correct format for Require is:

<Directory /var/www/html/>
    SetEnvIfNoCase Host example\.com VALID_HOST
    Require env VALID_HOST
    Options
</Directory>

These guys had it right, just need to update it for the current "Require" directive.

How to disable Django's invalid HTTP_HOST error?

What goes before this code in the .ebextensions/.config file? — bones225, Aug 04 '19 at 20:47

Django Invalid HTTP_HOST header on Apache - fix using Require?

2 Answers2

Linked