69

I am setting up my own Django server using this Digital Ocean tutorial. I created the Django framework following each step, and ran the server using this command:

./manage.py runserver 0.0.0.0:8000

When I tried to visit the IP at port 8000, the following error was shown:

DisallowedHost at /
Invalid HTTP_HOST header: 'XXX.XXX.XXX.XXX:8000'. You may need to add u'XXX.XXX.XXX.XXX' to ALLOWED_HOSTS.

(IP substituted with X's)

Why is this happening?

Alex Willison
  • 257
  • 7
  • 20
alukin
  • 803
  • 1
  • 7
  • 6

6 Answers

110

In your settings.py, there is a list called ALLOWED_HOSTS. You need to add the IP address you see in the error to that list:

ALLOWED_HOSTS = ['XX.XX.XX.XX']

Note: only add the IP address, and not the port (e.g., 127.0.0.1 and not 127.0.0.1:8000)

Explanation:

Django checks the Host header of the HTTP request for a URL/IP address that is within the allowed hosts.

From the Django website:

This is a security measure to prevent HTTP Host header attacks, which are possible even under many seemingly-safe web server configurations.

https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts

Rob Bednark
  • 25,981
  • 23
  • 80
  • 125
randyr
  • 1,679
  • 1
  • 11
  • 17
  • Thanks so much! What if I want other IP's to make API calls to my server, do those also need to be allowed hosts? – alukin Nov 18 '16 at 01:01
  • @alukin you can use wildcards or even allow all hosts (may or may not be a good idea :) ) – Aditya Nov 18 '16 at 03:55
  • 10
    @alukin I disagree with Aditya. In your situation where other IP's are making API calls, you do not need to add them. ALLOWED_HOSTS is the list of hostnames your server should respond for, not to – Foon Mar 23 '17 at 20:43
  • @Foon You're absolutely right. People confuse that property all the time. – Greg Schmit Apr 01 '17 at 03:01
  • 1
    Is there any way to automate this, assuming requests come from the same instance that is running Django? If I have to spin up a new server (with a new IP) it would be nice to avoid manually adding that new IP to the settings file. – Gabriel May 21 '17 at 06:49
  • @Gabriel If all the servers operate under one domain, simply adding that domain to the list will do. – randyr May 21 '17 at 08:07
  • Do you, perchance, know if this has been added since Django 1.9? I had a project working fine with an empty `Allowed Host` list, but while moving it to Django 1.9 I had to use your suggestion. – MadPhysicist May 21 '17 at 22:21
  • You can add python code in settings.py that adds your EC2s' IP address to the allowed hosts. See here https://stackoverflow.com/questions/35858040/django-allowed-hosts-for-amazon-elb – Maria Stoica Aug 09 '17 at 06:10
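The matching rules discussed in the answer and comments above, as an added example (not part of the original posts, and a simplified model rather than Django's own source): the port is stripped before comparison, a leading dot matches subdomains, and only the Host header is examined, never the client's address. The addresses and domains are constructed sample values.

```python
import re

# Simplified model of the Host-header check (illustration, not Django's source).
# The only input is the Host header the client sent: the client's own IP
# address plays no part, so API callers never need to be listed.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:[0-9]+)?$")


def split_domain_port(host_header):
    """Lower-case the header value and separate the name from the port."""
    host = host_header.lower()
    if not _HOST_RE.match(host):
        return "", ""              # malformed value: treated as no host at all
    if host.endswith("]"):         # bracketed IPv6 literal without a port
        return host, ""
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    if domain.endswith("."):       # drop one trailing dot (fully qualified form)
        domain = domain[:-1]
    return domain, port


def host_is_allowed(host_header, allowed_hosts):
    """Return True if the request's Host header matches an ALLOWED_HOSTS entry."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == domain:
            return True
        # A leading dot matches the bare domain and every subdomain.
        if pattern.startswith(".") and (
            domain.endswith(pattern) or domain == pattern[1:]
        ):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values (documentation address range, example domains).
    for header, allowed in [
        ("203.0.113.10:8000", ["203.0.113.10"]),
        ("203.0.113.10:8000", ["203.0.113.10:8000"]),
        ("api.example.com", [".example.com"]),
        ("other.example.net", ["203.0.113.10"]),
    ]:
        print(header, allowed, host_is_allowed(header, allowed))
```

An entry that includes the port never matches, because the comparison is made against the port-stripped name.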
14

For development, you can use the * wildcard to allow all hosts in settings.py:

ALLOWED_HOSTS = ['*']

Important

Modify this configuration when you deploy your app in a production environment.

Rob Bednark
  • 25,981
  • 23
  • 80
  • 125
kapoc
  • 159
  • 1
  • 4
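One way to keep the wildcard confined to development and avoid hand-editing the list for each new server, as an added example that is not part of the original answers. It assumes a comma-separated environment variable named `DJANGO_ALLOWED_HOSTS` and a helper named `load_allowed_hosts`, both hypothetical; the host values in the comments are constructed samples.

```python
import os


def load_allowed_hosts(environ=os.environ, debug=False):
    """Build ALLOWED_HOSTS from a comma-separated environment variable.

    The variable name DJANGO_ALLOWED_HOSTS is an assumption of this example.
    """
    raw = environ.get("DJANGO_ALLOWED_HOSTS", "")
    hosts = [h.strip().lower() for h in raw.split(",") if h.strip()]

    for host in hosts:
        # Entries are bare host names or IPs: no scheme and no path.
        if "://" in host or "/" in host:
            raise ValueError(f"remove the scheme/path from {host!r}")
        # Text after an IPv6 literal's closing bracket, or the whole entry.
        tail = host.rsplit("]", 1)[-1]
        if ":" in tail:
            raise ValueError(f"remove the port from {host!r}")

    if debug:
        # Development: wildcard tolerated, loopback names used as a fallback.
        return hosts or ["localhost", "127.0.0.1", "[::1]"]

    # Production: fail at startup rather than serve every Host header.
    if not hosts:
        raise ValueError("DJANGO_ALLOWED_HOSTS must be set when DEBUG is off")
    if "*" in hosts:
        raise ValueError("'*' is not accepted when DEBUG is off")
    return hosts


# In settings.py (DJANGO_DEBUG is likewise an assumed variable name):
#   DEBUG = os.environ.get("DJANGO_DEBUG", "") == "1"
#   ALLOWED_HOSTS = load_allowed_hosts(debug=DEBUG)
#
# Example deployment value (constructed):
#   DJANGO_ALLOWED_HOSTS="example.com,203.0.113.10"
```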
3

Include both ('www.name.com', 'ip.ip.ip.ip'). Set DEBUG = True, then retry the IP & URL address.

Go to the Traceback section, find the message [ raise DisallowedHost(msg) ] click -> ▼ Local vars

It will show the incoming domain name and the settings for allowed hosts:

Variable        Value
allowed_hosts   ['ip.ip.ip.ip', 'name.com']
domain          'something.com'

Copy the incoming value into your settings.py. If you see the old settings, restart the server/nginx.

Alien
  • 15,141
  • 6
  • 37
  • 57
chad
  • 31
  • 1
  • I would upvote this one a thousand times. I swore I DID have allowed_hosts set correctly. This helped me track down exactly why I got the error anyway. – Benjamin Johnson Jul 20 '23 at 18:39
1

Sometimes it is not enough to just add it to the hosts, as I frustratedly tried over and over. Sometimes it is stuck in cache and you're getting the same error even if you did everything right. In that case, what worked for me was to change the port, from 8081, and the cache problem was over.

I ran it like this:

python3 manage.py runserver 127.0.0.1:8081

Allex Radu
  • 1,257
  • 13
  • 24
0

To run a Django project on localhost with free hosting by "ngrok":

run ngrok http 8000

(Before running this, make sure your project is running on localhost, like: python manage.py runserver)

http://563ae936.ngrok.io -> http://localhost:8000

Edit settings.py

ALLOWED_HOSTS = ['563ae936.ngrok.io', 'localhost', '127.0.0.1', 'testserver']

Here, replace "563ae936.ngrok.io" with your host name, removing http:// or https://

  • Where does that `.io` domain name come from? – Brian61354270 Apr 12 '20 at 14:19
  • Open "https://dashboard.ngrok.com/get-started" and download ngrok for your OS. After that, paste the extracted "ngrok.exe" file into the same directory as your project folder, where manage.py is available. After that, run "ngrok http 8000"; this will show the .io domain name. – Vaibhav Savaliya Apr 13 '20 at 15:34
-4

Go to settings.py

ALLOWED_HOSTS = ['*']

  • This was already answered back in Nov 2018 by `randyr`. Please refrain from posting duplicated answers. – Björn Apr 13 '20 at 13:57