Invalid http_host header

Question

I am trying to develop a website using Django framework and launched using DigitalOcean.com and deployed the necessary files into django-project.

I had to include static files into Django-project and After collecting static files, I tried to refresh my ip

I am including the tutorials which I have used to create the website. https://www.pythonprogramming.net/django-web-server-publish-tutorial/

I am getting the following error :

DisallowedHost at / Invalid HTTP_HOST header: '198.211.99.20'. You may need to add u'198.211.99.20' to ALLOWED_HOSTS.

Can somebody help me to fix this ? This is my first website using Django framework.

That may also be your Floating IP address on DigitalOcean. – Bicameral Mind Oct 10 '18 at 17:04 — Bicameral Mind, Oct 10 '18 at 17:04
Can I use my external IP for starting the server? – Samar Pratap Singh Sep 17 '20 at 08:36 — Samar Pratap Singh, Sep 17 '20 at 08:36

score 281 · Accepted Answer · edited Jun 10 '18 at 05:52

281

The error log is straightforward. As it suggested,You need to add 198.211.99.20 to your ALLOWED_HOSTS setting.

In your project settings.py file,set ALLOWED_HOSTS like this :

ALLOWED_HOSTS = ['198.211.99.20', 'localhost', '127.0.0.1']

For further reading read from here.

edited Jun 10 '18 at 05:52

M.javid

6,387
3
41
56

answered Nov 14 '16 at 05:41

Prakhar Trivedi

8,218
3
28
35

Now getting the following error Request URL: 198.211.99.20 Exception Type:TemplateDoesNotExist Exception Value: personal/home.html Exception Location: /usr/local/lib/python2.7/dist-packages/django/temp‌late/loader.py in get_template, line 25 I have my templates in the following folder /home/django/django_project/personal/templates/personal – Kathiravan Natarajan Nov 14 '16 at 06:49
@Kathir There are many examples of that error.Just google it and if the problem still continues,then please ask it as a separate question,comments are not very descriptive. – Prakhar Trivedi Nov 14 '16 at 06:52
3

This definitely works but is bad practice as you should always use a .env file – Abhishek J Mar 07 '17 at 17:38
@AbhishekJebaraj could you please explain a little more or share a link with more explanation? – Jesus Almaral - Hackaprende Oct 31 '17 at 06:22
@JesusAlmaral Here you go https://docs.djangoproject.com/en/1.11/topics/settings/#designating-the-settings :) – Prakhar Trivedi Oct 31 '17 at 10:10
2

@JesusAlmaral A .env file is a local file containing passwords and other sensitive information. If you put all this sensitive information inside your code itself then it could get compromised. Thus we use this local file .env and everyone stores with their own passwords etc locally – Abhishek J Nov 01 '17 at 04:57
The problem is that I suspect these events induced by various bots I think. I don't want to pollute my settings.py with all kind of bot's IPs, especially they can vary. I rather want to suppress this message all together – Csaba Toth Jan 02 '18 at 21:02
@CsabaToth If you go to the provided link, you can see that you can suppress the warning by adding ALLOWED_HOSTS = [] so, please read the whole answer before downvoting. – Prakhar Trivedi Jan 03 '18 at 08:40
I don't want to empty the ALLOWED_HOSTS either, but I'll remove the downvote – Csaba Toth Jan 03 '18 at 18:15
I run my project using AWS Elastic Beanstalk and have multiple server instances. I get these errors as well. I can't just add the IPs to fix the problem because they change constantly. I would be updating it everyday. – James Parker Apr 11 '19 at 13:44
I used dotenv to store the values locally, and then also include them as environment variables on production: https://www.npmjs.com/package/dotenv Like this: ALLOWED_HOSTS = [ 'localhost', 'app.mysite.com', os.environ.get('SERVER_IP') ] – Dan Aug 03 '21 at 01:01
1

FWIW, in our case, all accesses by the naked IP address are dubious. Our solution was to configure the web server to reject all `Host` headers not matching the ones Django accepts. – Torsten Bronger Jun 01 '22 at 06:30

George Poliovei · Answer 2 · 2021-12-03T00:13:19.120

7

settings.py

ALLOWED_HOSTS = ['*'] // if you are in dev or docker

Edited

Ok guys, dont do this in production if you are not using docker, just put the IP addr.

Grettings

edited Dec 03 '21 at 00:13

answered May 23 '18 at 17:01

George Poliovei

1,009
10
12

4

As pydanny said "...don't leave it as such once you get this figured out. The reason is that makes Django potentially vulnerable to HTTP_HOST header attacks. And automated scripts scour the internet to check if sites have this vulnerability." https://github.com/pydanny/cookiecutter-django/issues/914#issuecomment-263614761 – pyjavo May 24 '18 at 01:21
7

Lol, that is for development env. in production only need set DEBUG=False. – George Poliovei May 30 '18 at 15:10
13

You do not want to use '*' for production. This completely bypasses the reason and security of the allowed hosts. – Andy Poquette Jun 08 '18 at 15:17
1

@AndyPoquette generally you're right, but using docker (and not exposing the backend's port, but using a reverse proxy like nginx) it's OK to use '*' even for production. – artem Nov 03 '21 at 20:38
1

Never, NEVER do this! Allowed * is a primary security error. Only do this in development mode! – Fernando Valente Dec 01 '21 at 19:30

Darwin · Answer 3 · 2020-11-01T07:20:01.350

2

In your project settings.py file,set ALLOWED_HOSTS like this :

ALLOWED_HOSTS = ['62.63.141.41', 'namjoosadr.com']

and then restart your apache. in ubuntu:

/etc/init.d/apache2 restart

edited Nov 01 '20 at 07:20

answered Oct 28 '20 at 09:14

Darwin

1,695
1
19
29

score 0 · Answer 4 · answered Feb 03 '23 at 21:02

if no other answer work you can try modifying manage.py and add this three lines

from django.utils.regex_helper import _lazy_re_compile
import django.http.request
django.http.request.host_validation_re = _lazy_re_compile(r"[a-zA-z0-9.:]*")

to end up having something like this:

import os
import sys

from django.utils.regex_helper import _lazy_re_compile
import django.http.request    
django.http.request.host_validation_re = _lazy_re_compile(r"[a-zA-z0-9.:]*")

def main():
    """Run administrative tasks."""
    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'project01.settings')
    try:
        from django.core.management import execute_from_command_line
    except ImportError as exc:
        raise ImportError(
            "Couldn't import Django. Are you sure it's installed and "
            "available on your PYTHONPATH environment variable? Did you "
            "forget to activate a virtual environment?"
        ) from exc
    execute_from_command_line(sys.argv)


if __name__ == '__main__':
    main()

as it is explained in this post: How to Solve "The domain name provided is not valid according to RFC 1034/1035" in Django during Development

score 0 · Answer 5 · edited Aug 16 '23 at 18:33

0

You can add ALLOWED_HOSTS to your settings file or env file:

ALLOWED_HOST = [".localhost", "127.0.0.1", "[::1]"]

edited Aug 16 '23 at 18:33

Dov Benyomin Sohacheski

7,133
7
38
64

answered Aug 11 '23 at 21:15

Paul Munyao

49
6

Invalid http_host header

5 Answers5

Linked