Django的SuspiciousOperation无效的HTTP_HOST标头
Django的SuspiciousOperation无效的HTTP_HOST标头
提问于 2013-03-06 11:35:27
在升级到Django 1.5之后,我开始收到这样的错误:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 92, in get_response
response = middleware_method(request)
File "/usr/local/lib/python2.7/dist-packages/django/middleware/common.py", line 57, in process_request
host = request.get_host()
File "/usr/local/lib/python2.7/dist-packages/django/http/request.py", line 72, in get_host
"Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): www.google.com
<WSGIRequest
path:/,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'CONTENT_LENGTH': '',
'CONTENT_TYPE': '',
'DOCUMENT_ROOT': '/etc/nginx/html',
'HTTP_ACCEPT': 'text/html',
'HTTP_HOST': 'www.google.com',
'HTTP_PROXY_CONNECTION': 'close',
'HTTP_USER_AGENT': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'PATH_INFO': u'/',
'QUERY_STRING': '',
'REMOTE_ADDR': '210.245.91.104',
'REMOTE_PORT': '49347',
'REQUEST_METHOD': 'GET',
'REQUEST_URI': '/',
u'SCRIPT_NAME': u'',
'SERVER_NAME': 'www.derekkwok.net',
'SERVER_PORT': '80',
'SERVER_PROTOCOL': 'HTTP/1.0',
'uwsgi.node': 'derekkwok',
'uwsgi.version': '1.4.4',
'wsgi.errors': <open file 'wsgi_errors', mode 'w' at 0xb6d99c28>,
'wsgi.file_wrapper': <built-in function uwsgi_sendfile>,
'wsgi.input': <uwsgi._Input object at 0x953e698>,
'wsgi.multiprocess': True,
'wsgi.multithread': False,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}>我已经在settings.py文件中设置了ALLOWED_HOSTS = ['.derekkwok.net']。
这里发生什么事情?是不是有人冒充谷歌访问我的网站?或者是有人错误地设置了HTTP_HOST报头的良性情况?
回答 4
Stack Overflow用户
回答已采纳
发布于 2013-03-20 23:14:33
如果您的ALLOWED_HOSTS设置正确,则可能是有人通过欺骗报头来探测您的站点的漏洞。
Django开发人员现在正在讨论将其从500内部服务器错误更改为400响应。参见this ticket。
Stack Overflow用户
发布于 2013-07-05 04:00:45
如果您正在使用Nginx将请求转发到在Gunicorn/Apache/uWSGI上运行的Django,您可以使用以下方法来阻止不良请求。感谢@PaulM的建议。
upstream app_server {
server unix:/tmp/gunicorn_mydomain.com.sock fail_timeout=0;
}
server {
...
## Deny illegal Host headers
if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) {
return 444;
}
location / {
proxy_pass http://app_server;
...
}
}Stack Overflow用户
发布于 2013-10-31 18:17:05
当使用Nginx时,你可以设置你的服务器,在某种程度上,只请求你想要到达Django的主机。这样就不会再出现SuspiciousOperation错误了。
server {
# default server
listen 80;
server_name _ default;
return 444;
}
server {
# redirects
listen 80;
server_name example.com old.stuff.example.com;
return 301 http://www.example.com$request_uri;
}
server {
# app
listen 80;
server_name www.example.com; # only hosts in ALLOWED_HOSTS here
location / {
# ...
}
# ... your config/proxy stuff
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/15238506
复制相关文章
相似问题