0

I am getting this request (more than 2000 per day) from different countries.

Invalid HTTP_HOST header: ‘awssgp0-files.fds.api.xiaomi.com’. You may need to add u'awssgp0-files.fds.api.xiaomi.com' to ALLOWED_HOSTS.

Report at /yimotiondetection/2018/10/23/168333/DJVLPPMM81DCHLPN111A_1540282131_0.jpg Invalid HTTP_HOST header: ‘awssgp0-files.fds.api.xiaomi.com’. You may need to add u'awssgp0-files.fds.api.xiaomi.com' to ALLOWED_HOSTS.

Request Method: PUT
Request URL: http://awssgp0-files.fds.api.xiaomi.com/yimotiondetection/2018/10/23/168333/DJVLPPMM81DCHLPN111A_1540282131_0.jpg?GalaxyAccessKeyId=5661733440758&Expires=1540283933264&Signature=z9QvtfFxrlvtKiMiNiRGmMj2u/0=

I am using Elastic Beanstalk.

How can I block these requests?

Prabhat

1 Answer

0

For HTTP_HOST header attacks, adding the allowed hosts in the settings.py file will solve this issue.

ALLOWED_HOSTS = ['your ip address here']

Example:

ALLOWED_HOSTS = ['198.211.99.20', 'localhost']

Note: Don't add '*' to ALLOWED_HOSTS if it's in production.

For more reference, read the Django website about ALLOWED_HOSTS: https://docs.djangoproject.com/en/1.10/ref/settings/#allowed-hosts

jagamts1
  • Dear jagamts1, please read the problem. I have already done this. Now I am able to block the requests at the app level. I need to block the requests at the server level. – Prabhat Oct 23 '18 at 09:40
  • Yep, you can do that by editing the nginx config and adding server_name. By default Elastic Beanstalk uses nginx as a load balancer. 1. To change the nginx config file, check the following solution: https://stackoverflow.com/a/19703735/6345474 2. To check how to edit nginx in Elastic Beanstalk: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/nodejs-platform-proxy.html https://medium.com/@marilu597/getting-to-know-and-love-aws-elastic-beanstalk-configuration-files-ebextensions-9a4502a26e3c https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/java-se-nginx.html – jagamts1 Oct 23 '18 at 10:43
  • By default I am using Apache 2.4. I added:

      files:
        "/etc/httpd/conf.d/ssl_rewrite.conf":
          mode: "000644"
          owner: root
          group: root
          content: |
            RewriteEngine On
            RewriteCond %{REQUEST_METHOD} PUT
            RewriteCond %{HTTP_HOST} .*(awssgp0-files\.fds\.api\.xiaomi\.com).* [NC]
            RewriteRule .* - [F,L]

    ... but no help. – Prabhat Oct 23 '18 at 11:12
  • Don't change the ssl_rewrite.conf file; that is used for the HTTP to HTTPS redirect even when the client didn't add https in his IP. Check this link on how to edit the Apache config to fix this error: http://blog.gabrielsaldana.org/avoid-djangos-invalid-http_host-error-message/ – jagamts1 Oct 23 '18 at 11:49
  • Sorry, actually it is:

      files:
        "/etc/httpd/conf.d/block_urls.conf":
          mode: "000644"
          owner: root
          group: root
          content: |
            RewriteEngine On
            RewriteCond %{HTTP_HOST} .*\.xiaomi\.* [NC]
            RewriteRule .* - [F,L]

    – Prabhat Oct 23 '18 at 13:05
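
An added example, not code from anyone in this thread: a WSGI wrapper that allowlists the Host header and answers 400 before the request reaches Django, so no DisallowedHost error report is generated for foreign hosts such as the Xiaomi one above. It filters at the WSGI layer rather than in Apache; `ALLOWED`, `HostAllowlist`, `demo_app` and `probe` are hypothetical names, and the hosts are constructed placeholders.

```python
import re

# Constructed placeholder allowlist; a leading dot also matches subdomains.
ALLOWED = ["example.com", ".example.org", "198.51.100.7"]

# Hostname or bracketed IPv6 literal, with an optional port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[0-9a-f:.]+\])(:\d+)?$")


def normalize_host(raw):
    """Lowercase, strip the port and a trailing dot; None if malformed."""
    match = _HOST_RE.match(raw.strip().lower())
    if not match:
        return None
    return match.group(1).rstrip(".")


def host_allowed(host, allowed):
    """Exact match, or suffix match for patterns that start with a dot."""
    for pattern in (p.lower() for p in allowed):
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False  # deliberately no '*' wildcard support


class HostAllowlist:
    """WSGI wrapper that answers 400 before the wrapped app sees the request."""

    def __init__(self, app, allowed):
        self.app, self.allowed = app, allowed

    def __call__(self, environ, start_response):
        host = normalize_host(environ.get("HTTP_HOST", ""))
        if not host or not host_allowed(host, self.allowed):
            body = b"Bad Request\n"
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):  # stand-in for the Django WSGI app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def probe(app, host, method="GET"):
    """Send one constructed request and return the status line."""
    seen = []
    app({"REQUEST_METHOD": method, "PATH_INFO": "/", "HTTP_HOST": host},
        lambda status, headers: seen.append(status))
    return seen[0]
```

In a Django project the wrapper would go in `wsgi.py` around the object returned by `django.core.wsgi.get_wsgi_application()`, with the same host list as `ALLOWED_HOSTS`.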