How to disable Django's invalid HTTP_HOST erro

2020-02-02 04:14发布

站内问答 / Django
1218 10 5

Ever since I deployed a site running Django 1.7 alpha (checked out from Git), I've been occasionally receiving error messages with titles like:

"Invalid HTTP_HOST header: 'xxx.xxx.com'"

I realize that this is due to the Host: HTTP header being set to a hostname not listed in ALLOWED_HOSTS. However, I have no control over when and how often someone sends a request to the server with a forged hostname. Therefore I do not need a bunch of error emails letting me know that someone else is attempting to do something fishy.

Is there any way to disable this error message? The logging settings for the project look like this:

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'filters': {
        'require_debug_false': {
            '()': 'django.utils.log.RequireDebugFalse'
        }
    },
    'handlers': {
        'mail_admins': {
            'level': 'ERROR',
            'filters': ['require_debug_false'],
            'class': 'django.utils.log.AdminEmailHandler'
        }
    },
    'loggers': {
        'django.request': {
            'handlers': ['mail_admins'],
            'level': 'ERROR',
            'propagate': True,
        },
    }
}

10条回答
啃猪蹄的小仙女
2楼-- · 2020-02-02 04:40

for multiple valid hosts you can:

SetEnvIfNoCase Host example\.com VALID_HOST
SetEnvIfNoCase Host example2\.com VALID_HOST
SetEnvIfNoCase Host example3\.com VALID_HOST
Require env VALID_HOST
查看更多
0人赞 添加讨论(0) 举报
唯我独甜
3楼-- · 2020-02-02 04:43

You can add this to the loggers section of your logging configuration:

    'django.security.DisallowedHost': {
        'handlers': ['mail_admins'],
        'level': 'CRITICAL',
        'propagate': False,
    },

This sets the logging threshold to above the ERROR level that Django uses when a SuspiciousOperation is detected.

Alternatively, you can use e.g. a FileHandler to log these events without emailing them to you. For example, to use a dedicated file just for these specific events, you could add this to the handlers section:

    'spoof_logfile': {
        'level': 'ERROR',
        'class': 'logging.FileHandler',
        'filename': '/path/to/spoofed_requests.log',
    },

and then use this in the loggers section:

    'django.security.DisallowedHost': {
        'handlers': ['spoof_logfile'],
        'level': 'ERROR',
        'propagate': False,
    },

Note that the suggestion made in the Django docs, to use

    'django.security.DisallowedHost': {
        'handlers': ['null'],
        'propagate': False,
    },

depends on you running Python 2.7 or later - on 2.6, logging doesn't have a NullHandler.

查看更多
0人赞 添加讨论(0) 举报
你好瞎i
4楼-- · 2020-02-02 04:47

In setting.py set:

ALLOWED_HOSTS = ['yourweb.com']
查看更多
0人赞 添加讨论(0) 举报
走好不送
5楼-- · 2020-02-02 04:48

you could silence that particular SuspiciousOperation with something like

'loggers': {
    'django.security.DisallowedHost': {
        'handlers': ['null'],
        'propagate': False,
   },

see this for more reference https://docs.djangoproject.com/en/dev/topics/logging/#django-security

EDIT

you also need to add a 'null' handler:

'handlers': {
    'null': {
        'level': 'DEBUG',
        'class': 'logging.NullHandler',
    },
}

probably you only need to add this and modify the level of error (replacing DEBUG with 'ERROR').

as always refer to the the documentation for the complete syntax and semantic.

查看更多
0人赞 添加讨论(0) 举报
兄弟一词,经得起流年.
6楼-- · 2020-02-02 04:49

The other answers on this page are correct if you're simply looking to hide or disable the warning. If you're intentionally allowing every hostname the special value of * can be used as the ALLOWED_HOSTS setting.

To prevent hostname checking entirely, add the following line to your settings.py:

ALLOWED_HOSTS = ['*']

Source: https://github.com/django/django/blob/master/django/http/request.py#L544-L563

def validate_host(host, allowed_hosts):
    """
    Validate the given host for this site.
    Check that the host looks valid and matches a host or host pattern in the
    given list of ``allowed_hosts``. Any pattern beginning with a period
    matches a domain and all its subdomains (e.g. ``.example.com`` matches
    ``example.com`` and any subdomain), ``*`` matches anything, and anything
    else must match exactly.
    Note: This function assumes that the given host is lower-cased and has
    already had the port, if any, stripped off.
    Return ``True`` for a valid host, ``False`` otherwise.
    """
    for pattern in allowed_hosts:
        if pattern == '*' or is_same_domain(host, pattern):
            return True

    return False
查看更多
0人赞 添加讨论(0) 举报
爷的心禁止访问
7楼-- · 2020-02-02 04:51

Here's NGINX example that should prevent your django from receiving rubbish requests.

server {
    listen 80 default_server;
    server_name _;
    return 418;
}


server {
    listen 80;
    # This will keep Django from receiving request with invalid host
    server_name <SERVER_IP> your.domain.com;
    ...
查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)