How to disable Django's invalid HTTP_HOST error?

Front-end · Unresolved · 11 answers · 910 views
日久生厌 2020-12-04 10:12

Ever since I deployed a site running Django 1.7 alpha (checked out from Git), I've been occasionally receiving error messages with titles like:

"Inv

11 answers
  • 2020-12-04 10:49

    You shouldn't be ignoring this error. Instead you should be denying the request before it reaches your Django backend. To deny requests with no HOST set, you can use

    SetEnvIfNoCase Host .+ VALID_HOST
    Order Deny,Allow
    Deny from All
    Allow from env=VALID_HOST
    

    or force the match to a particular domain (example.com)

    SetEnvIfNoCase Host example\.com VALID_HOST
    Order Deny,Allow
    Deny from All
    Allow from env=VALID_HOST
    
  • 2020-12-04 10:49

    I can't comment yet, but since Order Deny, Allow is deprecated, the way to do this in a virtual host with the current Require directive is:

    <Directory /var/www/html/>
        SetEnvIfNoCase Host example\.com VALID_HOST
        Require env VALID_HOST
        Options
    </Directory>
    
  • 2020-12-04 10:51

    You can add this to the loggers section of your logging configuration:

        'django.security.DisallowedHost': {
            'handlers': ['mail_admins'],
            'level': 'CRITICAL',
            'propagate': False,
        },
    

    This sets the logging threshold to above the ERROR level that Django uses when a SuspiciousOperation is detected.

    Alternatively, you can use e.g. a FileHandler to log these events without emailing them to you. For example, to use a dedicated file just for these specific events, you could add this to the handlers section:

        'spoof_logfile': {
            'level': 'ERROR',
            'class': 'logging.FileHandler',
            'filename': '/path/to/spoofed_requests.log',
        },
    

    and then use this in the loggers section:

        'django.security.DisallowedHost': {
            'handlers': ['spoof_logfile'],
            'level': 'ERROR',
            'propagate': False,
        },
    

    Note that the suggestion made in the Django docs, to use

        'django.security.DisallowedHost': {
            'handlers': ['null'],
            'propagate': False,
        },
    

    depends on you running Python 2.7 or later - on 2.6, logging doesn't have a NullHandler.

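    To see what the `propagate: False` / level settings from this answer actually do, here is an added example (not part of the answer above) that loads an equivalent LOGGING dict with `logging.config.dictConfig`, emits one ERROR on `django.security.DisallowedHost` the way Django does for a bad Host header, and counts where the record lands. A temporary directory stands in for `/path/to/spoofed_requests.log`, a second file handler stands in for `mail_admins`, and the log message is constructed, not captured.

```python
# Added example: verify the routing of the DisallowedHost logger configuration.
import logging
import logging.config
import os
import tempfile

def build_logging_config(logfile, level):
    """LOGGING dict mirroring the answer: dedicated file handler, no propagation."""
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "handlers": {
            "spoof_logfile": {
                "level": "ERROR",
                "class": "logging.FileHandler",
                "filename": logfile,
            },
            # stand-in for 'mail_admins': anything that reaches root lands here
            "root_file": {"class": "logging.FileHandler",
                          "filename": logfile + ".root"},
        },
        "loggers": {
            "django.security.DisallowedHost": {
                "handlers": ["spoof_logfile"],
                "level": level,          # 'ERROR' keeps them, 'CRITICAL' drops them
                "propagate": False,      # never reach root (i.e. mail_admins)
            },
        },
        "root": {"handlers": ["root_file"], "level": "ERROR"},
    }

def simulate(level):
    """Emit one ERROR as Django does for a rejected Host header and return
    (lines in the dedicated file, lines that reached the root handler)."""
    logfile = os.path.join(tempfile.mkdtemp(), "spoofed_requests.log")
    logging.config.dictConfig(build_logging_config(logfile, level))
    logging.getLogger("django.security.DisallowedHost").error(
        "Invalid HTTP_HOST header: 'attacker.invalid'")   # constructed message
    logging.shutdown()                                     # flush and close files
    def count(path):
        return sum(1 for _ in open(path)) if os.path.exists(path) else 0
    return count(logfile), count(logfile + ".root")

if __name__ == "__main__":
    print(simulate("ERROR"))      # (1, 0): dedicated file only, nothing mailed
    print(simulate("CRITICAL"))   # (0, 0): threshold above ERROR, record dropped
```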
  • 2020-12-04 10:57

    The other answers on this page are correct if you're simply looking to hide or disable the warning. If you're intentionally allowing every hostname, the special value of * can be used as the ALLOWED_HOSTS setting.

    Note: This may introduce security vulnerabilities.

    Django uses the Host header provided by the client to construct URLs in certain cases. While these values are sanitized to prevent Cross Site Scripting attacks, a fake Host value can be used for Cross-Site Request Forgery, cache poisoning attacks, and poisoning links in emails.

    Because even seemingly-secure web server configurations are susceptible to fake Host headers, Django validates Host headers against the ALLOWED_HOSTS setting in the django.http.HttpRequest.get_host() method.

    To prevent hostname checking entirely, add the following line to your settings.py:

    ALLOWED_HOSTS = ['*']
    

    Source: https://github.com/django/django/blob/33c365781abbcc1b21a31b31d95d344a174df0d5/django/http/request.py#L653-L668

    def validate_host(host, allowed_hosts):
        """
        Validate the given host for this site.
    
        Check that the host looks valid and matches a host or host pattern in the
        given list of ``allowed_hosts``. Any pattern beginning with a period
        matches a domain and all its subdomains (e.g. ``.example.com`` matches
        ``example.com`` and any subdomain), ``*`` matches anything, and anything
        else must match exactly.
    
        Note: This function assumes that the given host is lowercased and has
        already had the port, if any, stripped off.
    
        Return ``True`` for a valid host, ``False`` otherwise.
        """
        return any(pattern == '*' or is_same_domain(host, pattern) for pattern in allowed_hosts)
    
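    As an added example (not Django's code, and not part of the answer above), here is a stand-alone re-implementation of the matching rules described in the validate_host docstring, together with the lowercasing and port-stripping step the docstring says callers must do first, run against a few constructed Host header values. The `split_domain_port` helper here is a simplified version of that step (bracketed IPv6 literal or `name:port`) and is an assumption of this example, not a copy of Django's parser.

```python
# Added example: stand-alone ALLOWED_HOSTS matching with the documented semantics.
from __future__ import annotations

def split_domain_port(host: str) -> tuple[str, str]:
    """Lowercase and split 'example.com:8000' or '[::1]:8000' into (domain, port)."""
    host = host.lower()
    if host.startswith("["):                       # bracketed IPv6 literal
        end = host.find("]")
        if end == -1:
            return "", ""                           # malformed: treat as invalid
        domain, rest = host[: end + 1], host[end + 1 :]
        return domain, (rest[1:] if rest.startswith(":") else "")
    domain, _, port = host.partition(":")
    return domain.rstrip("."), port                 # drop a trailing FQDN dot

def is_same_domain(host: str, pattern: str) -> bool:
    """Leading-dot pattern matches the domain and all subdomains; else exact match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern

def validate_host(host: str, allowed_hosts: list[str]) -> bool:
    """True if host (already lowercased, port stripped) matches any allowed pattern."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)

def host_allowed(raw_host_header: str, allowed_hosts: list[str]) -> bool:
    """Full check as a request handler would do it: normalise, then validate."""
    domain, _port = split_domain_port(raw_host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)

if __name__ == "__main__":
    allowed = [".example.com", "api.example.net", "[::1]"]   # constructed setting
    for hdr in ["WWW.Example.com:443", "example.com", "evil-example.com",
                "api.example.net", "api.example.net.attacker.invalid", "[::1]:8000"]:
        verdict = "allowed" if host_allowed(hdr, allowed) else "rejected"
        print(f"{hdr:40} -> {verdict}")
    # ALLOWED_HOSTS = ['*'] disables the check entirely, as the answer warns:
    print(host_allowed("anything.attacker.invalid", ["*"]))   # True
```

    Note that `evil-example.com` is rejected even though it ends in `example.com`: the pattern compared is `.example.com`, dot included, so only true subdomains (or the bare domain) match.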
  • 2020-12-04 10:59

    For multiple valid hosts you can:

    SetEnvIfNoCase Host example\.com VALID_HOST
    SetEnvIfNoCase Host example2\.com VALID_HOST
    SetEnvIfNoCase Host example3\.com VALID_HOST
    Require env VALID_HOST
    
  • 2020-12-04 11:06

    You could silence that particular SuspiciousOperation with something like

    'loggers': {
        'django.security.DisallowedHost': {
            'handlers': ['null'],
            'propagate': False,
        },
    },
    

    See this for more reference: https://docs.djangoproject.com/en/dev/topics/logging/#django-security

    EDIT

    You also need to add a 'null' handler:

    'handlers': {
        'null': {
            'level': 'DEBUG',
            'class': 'logging.NullHandler',
        },
    }
    

    Probably you only need to add this and modify the level of error (replacing DEBUG with 'ERROR').

    As always, refer to the documentation for the complete syntax and semantics.
